For years, a major Australian university has declined to instruct staff and students to periodically change the passwords they use to access the institution's computer network. The University of Canberra, located in the national capital, adopted this stance after a security audit first conducted in 2016 and has maintained it year after year despite repeated audits and recommendations from government security officials.
HOW OFTEN SHOULD PASSWORDS BE CHANGED?
What is interesting about the university's stance is that its IT department bases the decision on computer science research suggesting that frequent, mandatory password changes can actually increase the risk of a system breach. That position is no longer a fringe one: NIST's Digital Identity Guidelines (SP 800-63B) advise verifiers not to require periodic password changes at all, and instead to force a change only when there is evidence that the password has been compromised.
The university's rationale rests on studies that document an unintended consequence of forced rotation: users tend to make minimal edits to their current password, or cycle back to older and simpler ones, so the new password can be guessed by anyone who knows the previous one. A 2010 study by Zhang, Monrose and Reiter at the University of North Carolina showed that a large share of replacement passwords could be recovered from the expired one with a small number of transformation guesses. For example, a bank clerk who uses mary32! as a password today will likely change it to mary33! in a couple of months and mary34! the next time she is instructed to change it; that numeric sequence is one an attacker can enumerate in a handful of attempts.
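One way a verifier can close the mary32! to mary33! loophole is to reject a new password that is a predictable edit of the old one. The check below is an added example written for this page, not the University of Canberra's policy or any vendor's code; the edit-distance threshold, the digit-run skeleton rule and the sample passwords are assumptions chosen for illustration.

```python
"""Added example: reject a new password that is a predictable edit of the old one.

Mirrors the failure mode described above (mary32! -> mary33!). The policy,
thresholds and sample passwords are assumptions for illustration, not the
University of Canberra's or any product's production rules.
"""
import re
from typing import List, Optional


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def skeleton(pw: str) -> str:
    """Lower-case the password and collapse every digit run to '#',
    so mary32!, Mary33! and mary2024! all share the skeleton 'mary#!'."""
    return re.sub(r"\d+", "#", pw.lower())


def check_new_password(new: str, history: List[str], max_edits: int = 2) -> Optional[str]:
    """Return None if `new` is acceptable, otherwise a short rejection reason.

    `history` holds the user's previous passwords, most recent first. At change
    time the current password is available in clear (the user just typed it);
    for older entries stored only as hashes, a real verifier would instead
    enumerate transforms of `new` and compare their hashes against the store.
    """
    for old in history:
        if new.lower() == old.lower():
            return "reuses a previous password"
        if skeleton(new) == skeleton(old):
            return "only the digits changed from a previous password"
        if edit_distance(new.lower(), old.lower()) <= max_edits:
            return f"within {max_edits} edits of a previous password"
    return None


if __name__ == "__main__":
    # Constructed history for the bank clerk in the text.
    history = ["mary32!", "mary31!", "summer19"]
    for candidate in ["mary33!", "MARY32!", "mary32!#", "summer20",
                      "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {check_new_password(candidate, history)}")
```

The skeleton rule catches the year-or-counter bump (mary32! to mary33!, summer19 to summer20) even when the edit distance is larger than the threshold, and the edit-distance rule catches appended or swapped symbols. Seasonal rotations such as Winter2020 to Spring2021 need a dictionary of such words on top of this; the example does not attempt that.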
SECURITY RISKS TEND TO INCREASE WHEN PASSWORDS REMAIN STATIC FOR A LONG TIME
Although the University of Canberra makes a valid point about users choosing weak replacements when they are forced to change passwords every so often, risk does tend to grow the longer a password remains static: the chance that it has been exposed in a data breach, captured by phishing or reused on a site that has since been compromised increases with every month it stays in service. Frequent changes are not useful in themselves; what matters is that each password is long, unique to the account and not already known to attackers, and that it is replaced immediately when there is evidence it has been compromised.
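The practical trigger for "change it now" is evidence that the password already appears in a breach, and that test can be run without handing the password to anyone. The following is an added example, not code from the page or from any service: the exchange is modelled on the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API (the client sends only the first five hex characters of the SHA-1 hash and receives every known suffix under that prefix), while the breach corpus and its counts are constructed for this example and the `range_lookup` function stands in for the network call.

```python
"""Added example: test a password against a breach corpus without revealing it.

The client sends only the first five hex characters of the password's SHA-1
hash and receives every known suffix under that prefix, so the service never
learns which password was queried. The exchange format is modelled on the
k-anonymity range query of Have I Been Pwned's Pwned Passwords API; the corpus
below is constructed for this example and the counts are made up.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed breach corpus: password -> times seen in leaks (fictional counts).
CONSTRUCTED_BREACHES: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 5_000_000,
    "mary32!": 17,
    "Winter2020": 412,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket leaked hashes by their 5-hex-character prefix."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHES)


def range_lookup(prefix: str) -> List[str]:
    """Stand-in for the network call: returns 'SUFFIX:COUNT' lines for a prefix.

    Only the prefix crosses the wire; with 35 hex characters withheld the
    server cannot tell which of the 16**35 possible hashes under that prefix
    the client cares about.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return [f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, [])]


def breach_count(password: str) -> int:
    """Client side: how often the password appears in the corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def must_change(password: str) -> bool:
    """Policy: any breach hit is evidence of compromise, so the password is replaced now."""
    return breach_count(password) > 0


if __name__ == "__main__":
    for candidate in ["mary32!", "Winter2020", "correct horse battery staple"]:
        print(f"{candidate!r:32} breach hits={breach_count(candidate):>9}  "
              f"change now={must_change(candidate)}")
```

Run this at password-set time and, for an existing population, on a schedule against a refreshed corpus: a hit is the evidence-of-compromise condition that justifies forcing a change, whereas a calendar date on its own is not.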
BEST PRACTICES FOR PASSWORD SECURITY
Changing your password at the start of the New Year is a reasonable habit, but take this security measure a step further and consider a password manager. One of the problems with password security these days is that there are too many systems and websites to keep track of, and the last thing you want is the same password for every one of them, because a breach at one site then unlocks all the others. With a password manager, your username and password combinations are kept in an encrypted vault that is unlocked with a single strong master password, ideally backed by a second authentication factor, and the manager can generate a long, random, unique password for each site. Many password managers are cloud-synchronised, so you can reach your vault from your smartphone when you are away from your computer.
If you have questions about securing your passwords and protecting your computer devices in 2021, speak to one of our security technicians.