
Changing your password every so often is useless

On many occasions a password is the only barrier between our data and other people's hands, but changing it every so often will not save you from any threat.

We are more than used to having passwords to safeguard our data, and one of the most widespread beliefs is that changing our password every so often keeps that data more secure. For this reason, many companies and schools force their users to change their password periodically, but they should stop doing it.

Changing passwords doesn’t work, and yes, it is your fault again

We are talking about the talk given by Lorrie Cranor, chief technologist of the US FTC, at DEFCON in Las Vegas. There, Cranor took apart this computer-security myth, showing that forced rotation can put us in more danger than leaving our password unchanged, and that the fault once again lies with whoever sits between the screen and the chair: the user.

The problem is that when we are forced to change the password, we tend to make small modifications to our base password: change a capital letter to a lowercase one, add an extra letter or number, and so on. This is what computer security experts call transformations: small changes to an old base password.


The problem is that hackers are not idiots and are aware of this trend, so they incorporate these transformations into the tools they use to crack passwords. In conclusion, the measure is useless unless the user is aware of this and avoids using transformations, something that does not happen in the vast majority of cases.

Be careful, we are not saying that you should never change your password: it is a good idea to change it if it is very old, or if the site where we use it has been compromised. What you should do is avoid these transformations that only slightly change your password, since with such a password you are just as insecure as with the original one.
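As an added example that is not part of the article: a policy check that a password-change service could run to reject the transformations described above (case flips, appended or changed digits and symbols, leet-style swaps, reversal), in the spirit of the `difok` rule in pam_pwquality. It assumes the service sees both the old and the new password in cleartext at change time, which is the usual case since the user types both; the sample pairs are constructed.

```python
"""Reject a new password that is only a cosmetic transformation of the old one."""
from difflib import SequenceMatcher

# Common swaps people make when forced to rotate; undoing them before comparing
# means "P@ssword1" and "Password2" are recognised as the same base password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "3": "e", "|": "l"})
# Digits and symbols that are typically tacked onto the start or end of a base word.
TRIM = "0123456789!@#$%^&*()-_=+.,?"


def canonical(pw: str) -> str:
    """Lowercase, undo leet-style swaps and drop leading/trailing digits or symbols."""
    core = pw.strip(TRIM)
    if not core:  # a password made only of digits/symbols: keep it as it is
        core = pw
    return core.lower().translate(LEET)


def is_trivial_transformation(old: str, new: str, min_ratio: float = 0.8) -> bool:
    """True when `new` is a small change of `old`: case flips, added or changed
    digits/symbols, one- or two-character edits, or the old password reversed."""
    if not old or not new:
        return False
    a, b = canonical(old), canonical(new)
    if a == b or a == b[::-1]:
        return True
    # One base word contained in the other (e.g. "winter" inside "winterx").
    if len(a) >= 4 and (a in b or b in a):
        return True
    # Similarity ratio over the canonical forms catches single-character edits.
    return SequenceMatcher(None, a, b).ratio() >= min_ratio


# Constructed (old, new) pairs a change endpoint might receive.
SAMPLES = [
    ("Summer2023!", "Summer2024!"),       # year bumped: reject
    ("P@ssword1", "Password2"),           # leet swap plus digit change: reject
    ("Winter99", "99retniW"),             # reversed base word: reject
    ("correct horse", "battery staple"),  # genuinely new: accept
]


def rejected(pairs):
    """Return the new passwords that the policy would refuse."""
    return [new for old, new in pairs if is_trivial_transformation(old, new)]


if __name__ == "__main__":
    for old, new in SAMPLES:
        verdict = "REJECT" if is_trivial_transformation(old, new) else "accept"
        print(f"{old!r:18} -> {new!r:18} {verdict}")
```

The check only works at change time, when both cleartexts are available; a server that stores only hashes cannot compare a new password against old ones later.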

And what can we do to make our password secure, you ask? It is actually simple: don't reuse passwords between services, do not use these transformations when changing a password, change the password of any service that suffers a data theft, and use a password manager to generate and store strong passwords.