Thirty-five percent of people never change their passwords unless they are prompted, according to a survey recently conducted by PCMag. Surprisingly, 11 percent said they change their passwords every day.
According to the survey of 2,500 U.S. consumers, 12 percent change their passwords once a month, with others changing passwords from several times a month to several times a week. Twenty-four percent of respondents use a password manager app.
In fact, the respondents who only change their passwords when prompted may be correct, according to new guidance from the National Institute of Standards and Technology (NIST). NIST used to advise that users change their passwords every 90 days, but it now says users need to change a password only if it has been compromised in a data breach.
The survey also found that 36 percent of respondents never received "proper education on cybersecurity." In addition, 26 percent said they never back up their data, and 20 percent only back it up a couple of times a year. Finally, only 29 percent regularly update their computer system.
Angela Moscaritolo, "35 Percent of People Never Change Their Passwords," pcmag.com (Jul. 20, 2018).
Commentary and Checklist
NIST, a government agency, now recommends making passwords at least eight characters in length and that there is no need to change them unless they are breached. The rationale behind the change is that people have a hard time memorizing the types of long, complex passwords that the NIST used to recommend—with uppercase letters, lowercase letters, numbers, and special characters—and end up giving up and choosing easy-to-guess passwords as a result. In addition, passwords using multiple character types are not that much more secure than those that just use lowercase letters or all numbers.
The government's recommendation sounds like it is giving up on best cyber practices. Cyber experts in the private sector strongly disagree. Just because users don't follow the best practices doesn't mean using less secure passwords is the answer.
The best passwords are kept in, or generated by, a password manager. Use different passwords for different sites, making sure they are at least eight characters, although 12 is better, and 20 or more is best. Use a mix of upper and lower case letters, numbers, and special characters. Alternatively, use a phrase with no spaces (do not use proper spelling or "dictionary words"). Alternatively, use multiple words strung together separated by punctuation. The more random the words, the better. Also, require your staff to enable two-factor authentication when available. That way, even if a password is stolen, the account remains safe from hackers.
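The passphrase construction described above (several random words joined by punctuation, with 12 characters as a sensible floor) can be turned into a small generator plus policy check. The following is an added example, not code from the article or from NIST; the word list and the list of weak passwords are constructed for the demonstration, and a real deployment would load a large published word list and a breached-password corpus instead. The 12-character house minimum is the article's "12 is better" figure.

```python
"""Generate and vet passphrases of the kind recommended above (added example)."""
import math
import secrets

# Constructed demo word list; a real deployment would load a large published
# list (thousands of words) so that each word contributes more entropy.
WORDS = (
    "anchor", "bishop", "cactus", "dragon", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "magnet", "nectar", "orbit", "pepper",
    "quartz", "rocket", "saddle", "tundra", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zephyr", "blossom", "copper", "drifter", "eclipse", "fossil", "glacier",
)
SEPARATORS = "-_.!,;:"  # punctuation placed between words, as the text suggests

# Constructed list of weak, commonly chosen passwords; a production check
# would consult a breached-password corpus instead.
WEAK_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def generate_passphrase(word_count=4, words=WORDS, separators=SEPARATORS):
    """Return `word_count` random words joined by randomly chosen punctuation.

    `secrets.choice` draws from the OS cryptographic RNG, so neither the words
    nor the separators are predictable.
    """
    if word_count < 2:
        raise ValueError("use at least two words")
    chosen = [secrets.choice(words) for _ in range(word_count)]
    parts = [chosen[0]]
    for word in chosen[1:]:
        parts.append(secrets.choice(separators))
        parts.append(word)
    return "".join(parts)


def passphrase_entropy_bits(word_count=4, words=WORDS, separators=SEPARATORS):
    """Entropy (in bits) of a passphrase produced by generate_passphrase.

    Each word contributes log2(len(words)) bits and each separator
    log2(len(separators)) bits, because each is chosen uniformly at random.
    """
    return (word_count * math.log2(len(words))
            + (word_count - 1) * math.log2(len(separators)))


def check_password(password, min_length=12):
    """Return a list of policy problems; an empty list means the password passes.

    The checks mirror the text: an 8-character absolute floor (NIST), a
    longer house minimum, no known-weak passwords, and no single dictionary word.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than the NIST minimum of 8 characters")
    elif len(password) < min_length:
        problems.append(f"shorter than the house minimum of {min_length} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the weak/breached password list")
    if password.isalpha() and password.lower() in WORDS:
        problems.append("is a single dictionary word")
    return problems


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, f"({passphrase_entropy_bits(4):.1f} bits)", check_password(phrase))
    for sample in ("password", "ember"):
        print(sample, check_password(sample))
```

With the 32-word demo list, four words and three separators give only about 28 bits of entropy; the same code with a 7,776-word list (the size of a typical diceware list) gives roughly 60 bits, which is why the word list, not the punctuation, is what matters.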
Here are some other steps family employers can take to reduce the risk of cybercrime:
- Equip all computers with the latest security software and keep your protection up-to-date. Turn on full-disk encryption and routinely scan for viruses on all computers.
- Install a firewall on your Internet connection.
- Protect mobile devices with passwords and encryption, and require staff to report any lost or stolen devices immediately. Tell staff never to leave devices unattended in public.
- Have staff back up data regularly and store it in a safe place.
- Lock up laptops and mobile devices when unattended. Do not store sensitive information on laptops or other portable memory devices.
- Encrypt your Wi-Fi network and require staff to use a secure Wi-Fi network if working elsewhere.
- Work with banks and other financial institutions to make sure your accounts are equipped with the best anti-fraud tools available.
- Only allow staff access to the data that they must have to carry out their jobs.
- Do not share sensitive information on social media sites.
- Prohibit staff from keeping data when they leave. Have staff return any work devices and revoke their access to your cyber programs.