Forcing Users To Change Passwords Often, Doesn’t Work

Bhagwad Park

Published on: October 21, 2019

Categories: Website Security

October is supposed to be “National Cybersecurity Awareness Month”. So I decided to write a bunch of articles on Linux security. We’ve already covered disabling root access and how to change the SSH port. The next big issue is passwords.

People say that we’re moving to a “passwordless” future. They point to the emergence of hardware security keys, biometrics, and other forms of verification. Personally, I think this is dreaming. Passwords are never going away. They’re simply too convenient and universal. Think about what happens if you misplace your security key! Apps like Google Authenticator are already a nightmare to work around if you misplace your phone.

So given that the password is here to stay, it’s worth looking at password security policies. One common strategy that refuses to go away is the notion of “change your password frequently”.

Periodically Changing Your Password – A Terrible Idea

My wife works for a major corporation, and they’ve given her a company laptop with state-of-the-art security, VPN, and encryption. All good stuff. But their password policy sucks. They require her to change the password every month. Every month!

This, along with a basic requirement to include a “special character”, is the extent of their password protection system. Needless to say, this is bad.

Humans Are Bad at Randomness

There is a yawning gap between what people think the output of a random process looks like and what is actually random. People expect a genuinely random series of coin tosses to look far more evenly mixed than it really does. So when you ask users to choose a “random” password, it’s never really random.

Nevertheless, people try their best. They throw in some special characters, or try to do something clever like replacing “S” with “$”. But to programs that specialize in guessing passwords, these are pretty pathetic attempts at randomness: a substitution rule undoes them in one pass, so breaking them is child’s play.

Moreover, truly random passwords are hard to remember. By definition, a random string of symbols has no “pattern” that can aid in memory recall, so asking users to do this is a big mental effort.

Frequent Password Changes Make Things Worse

Considering the above, it’s an absurd request to make people choose random passwords every month. It’s not going to happen.

What will happen is that people’s passwords will become even less random! They’re going to incorporate things like the year and the month into their password to try to keep track of which password they’re using at any given time. This is an absolute gift to hackers, who are generally thrilled when people use such patterns, because the patterns help them reconstruct the password!
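To make the two points above concrete (leet-style substitutions are undone by a single rule, and year/month suffixes are a recognisable pattern), here is a small policy checker of the kind a site could run when a user picks a password. This is an added example, not code from NameHero or the author; the tiny wordlist and the substitution map are constructed assumptions standing in for the large dictionaries and rule sets that real password-auditing tools use, and the entropy function is there only to contrast a mangled dictionary word with a genuinely random string.

```python
import math
import re

# Constructed mini wordlist (assumption for this demo); real checkers load
# dictionaries with millions of entries.
COMMON_WORDS = {"password", "summer", "winter", "welcome", "company",
                "letmein", "qwerty", "admin"}

# Substitutions users believe add randomness; a guessing program simply
# reverses them before the dictionary lookup.
LEET_MAP = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i",
                          "3": "e", "5": "s", "7": "t", "!": "i"})

PRINTABLE_ALPHABET = 94  # ASCII printable characters a random generator can use


def normalize(text: str) -> str:
    """Undo leet-speak substitutions and case, as a cracking rule set would."""
    return text.translate(LEET_MAP).lower()


def split_suffix(password: str):
    """Split into a letter-ending stem and the trailing digits/punctuation users append."""
    m = re.fullmatch(r"(.*?[A-Za-z])([^A-Za-z]*)", password)
    if m is None:  # no letters at all: the whole string is a "suffix"
        return "", password
    return m.group(1), m.group(2)


def analyze(password: str) -> dict:
    """Report the predictable patterns a guessing program would exploit."""
    patterns = []
    stem, suffix = split_suffix(password)
    digits = re.sub(r"\D", "", suffix)

    if not stem:
        patterns.append("no_letters")
    elif normalize(stem) in COMMON_WORDS:
        patterns.append("dictionary_word")
        if normalize(stem) != stem.lower():
            patterns.append("leet_substitution")
    if re.search(r"(19|20)\d{2}", digits):          # e.g. Summer2019!
        patterns.append("year_suffix")
    elif re.fullmatch(r"(0[1-9]|1[0-2])\d{2}", digits):  # e.g. Welcome0419 (MMYY)
        patterns.append("month_year_suffix")
    if len(password) < 12:
        patterns.append("too_short")

    return {"patterns": patterns, "acceptable": not patterns}


def random_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> float:
    """Entropy of a uniformly random password of this length, for comparison."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["Summer2019!", "P@$$w0rd", "Welcome0419", "xK9#mQ2vL!pR4wZ8"]:
        print(pw, analyze(pw))
    print("16 random printable chars:", round(random_entropy_bits(16), 1), "bits")
```

The point of the comparison: a dictionary word plus a substitution and a date suffix is a handful of extra guesses per word, whereas 16 random printable characters are roughly 105 bits, which no guessing strategy reduces. That is exactly why the “one truly random password” advice further down works and the monthly-rotation policy does not.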

Have ONE Strong Password with 2FA if Necessary

Far more solid is having one truly random password, and keeping it constant throughout the user’s life – unless there’s something like a breach. And even with a breach, you should be storing the passwords in a hashed (and salted) form, not in plain text!

Teaching users proper password hygiene, like never giving a password out over the phone or entering it into an untrusted website, is a far more robust practice than requiring them to change it periodically. Maybe you can build an app for your website that users log in from, so they don’t risk landing on a malicious look-alike site.

This puts much of the burden of password hygiene on the enterprise, which is where it belongs, considering that it’s your data and your systems that you want to protect.

2FA Is a Useful Add-on, But Not a Standalone Solution

Using an authenticator app or a hardware key (not SMS) is a good way to add a further layer of protection. Just keep in mind that you need a safe way for a user to log in if they misplace or lose their second authentication device. That fallback usually comes down to a password, or to knowing some secret information in the first place, so we’re back to square one.

So 2FA can be enormously helpful, but it’s not a magic bullet!
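As an added example (not code from NameHero or the author), here is the second factor and its fallback side by side: a TOTP verifier of the kind an authenticator app is checked against, and a set of single-use recovery codes stored only as hashes for the “lost my phone” case. The HOTP/TOTP functions follow RFC 4226 and RFC 6238 with HMAC-SHA1 and a 30-second step, which is what common authenticator apps use; the recovery-code format (80 random bits, hex) and the `RecoveryCodes` class are design choices for this demo, and the recovery path still has to be rate-limited and logged in a real system.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the current time step (Unix time // 30 s)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift.

    A production verifier should also remember the last accepted counter per user
    so the same code cannot be replayed inside the window.
    """
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


class RecoveryCodes:
    """One-time fallback codes: shown to the user once, kept server-side only as hashes."""

    def __init__(self, count: int = 8):
        # 80 random bits per code (assumption for this demo): enough entropy that an
        # unsalted fast hash is adequate, unlike a user-chosen password.
        self.plaintext = [secrets.token_hex(10) for _ in range(count)]
        self._unused = {self._digest(c) for c in self.plaintext}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.strip().lower().encode("utf-8")).hexdigest()

    def redeem(self, code: str) -> bool:
        """Consume a code; a second use of the same code fails."""
        digest = self._digest(code)
        if digest in self._unused:
            self._unused.remove(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    secret = secrets.token_bytes(20)   # shared with the authenticator app at enrolment
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
    backup = RecoveryCodes()
    print("recovery codes (display once, then discard):", backup.plaintext)
    first = backup.plaintext[0]
    print("first use:", backup.redeem(first), "second use:", backup.redeem(first))
```

The recovery codes are the “secret information” the paragraph above refers to: they restore access without the device, but they are themselves a knowledge factor, which is why the overall design still rests on the strength of the password and on how carefully the fallback path is protected.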

Bhagwad Park

I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
