Changing your password regularly makes you less safe, apparently

Here’s an interesting view. According to Paul Edmonds, head of tech at the National Cyber Crime Unit, changing your password regularly makes you less safe. Not more.

That’s a surprising opinion given we’re always being told to change our passwords regularly to keep attackers at bay. It’s the equivalent of changing the locks. If a burglar manages to steal your key, your house will remain safe. And we see it every time a major corporation suffers a security breach: “While we’re confident no data has been compromised, we advise that all our customers change their passwords.”

But Edmonds’s view isn’t without reason — if you need to change your password regularly, you’re probably going to pick one that’s easy to remember. And what you gain in ease of recollection you sacrifice in password complexity, making it easier for your would-be attacker to effectively pick your lock.

That’s the trouble with passwords — we’re all human. If we need to keep changing our passwords we’re much more likely to forget what we’ve changed it to — especially if we use unique passwords for different logins, like for Facebook and your corporate network at work.

While Edmonds certainly has a point, we at IS Decisions think that the problem with passwords lies not with the password itself (irrespective of what you change it to and how simple it is), but with the way authentication methods rely on a password alone.

Before you start thinking that we’re going to shout about multi-factor authentication from the rooftops — because we’re not — there’s a much simpler and better way to ensure that passwords remain safe, even if an attacker does manage to crack them.

The secret is context-aware security. Imagine this. A burglar steals your house key. When they attempt to get in via the front door, the lock won’t turn. Why? Because you’ve got a camera system there that recognises that the person using the key isn’t you or anyone else you live with. The system has also noted that it’s 3:00am. You’ve never tried getting home at that time in the morning… The system knows something’s up, and sends an alert directly to your smartphone straight away.

Context-aware security works in exactly the same way. If an attacker gets their hands on your password — whether it’s a simple one like 123456, or a complex one including a mixture of uppercase, numbers and special characters — that attacker won’t be able to use it. With context-aware security, you can restrict access to certain geographies, employee-owned devices, IP addresses, particular workstations, times of day, and many other factors.

Then, if someone attempts to log in with a legitimate password from outside those permitted conditions, the system automatically denies access, alerts the IT team to the attempt, and tells the owner of the password that something dodgy just happened.
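As an added illustration (example code written for this post, not UserLock’s own implementation), here is a small policy evaluator that treats a correct password as necessary but not sufficient: the source network, workstation, country and time of day must all match the user’s expected context, and a valid password used from the wrong context produces alerts for IT and for the account owner. The rule names, sample policy and sample logon attempt are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class LogonPolicy:
    """Per-user context rules (hypothetical fields, constructed for this example)."""
    allowed_networks: list = field(default_factory=list)   # CIDR strings
    allowed_workstations: set = field(default_factory=set)
    allowed_countries: set = field(default_factory=set)
    work_hours: tuple = (time(7, 0), time(20, 0))           # local start, end

@dataclass
class LogonAttempt:
    user: str
    password_ok: bool    # result of the normal credential check
    source_ip: str
    workstation: str
    country: str
    when: datetime

def evaluate(attempt: LogonAttempt, policy: LogonPolicy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every contextual rule must hold, not just the password."""
    if not attempt.password_ok:
        return False, ["bad password"]
    reasons = []
    ip = ip_address(attempt.source_ip)
    if not any(ip in ip_network(n) for n in policy.allowed_networks):
        reasons.append(f"source IP {attempt.source_ip} outside permitted networks")
    if attempt.workstation not in policy.allowed_workstations:
        reasons.append(f"workstation {attempt.workstation} not permitted")
    if attempt.country not in policy.allowed_countries:
        reasons.append(f"country {attempt.country} not permitted")
    start, end = policy.work_hours          # window is assumed not to span midnight
    if not (start <= attempt.when.time() <= end):
        reasons.append(f"logon at {attempt.when:%H:%M} outside permitted hours")
    return (not reasons), reasons

def alerts_for(attempt: LogonAttempt, reasons: list[str]) -> list[str]:
    """Alerts only when a *valid* password was used from the wrong context."""
    if not reasons or reasons == ["bad password"]:
        return []
    summary = "; ".join(reasons)
    return [f"IT: denied logon for {attempt.user} ({summary})",
            f"{attempt.user}: your password was just used from an unexpected context; change it"]

# Constructed sample: a stolen but correct password used at 03:00 from an unknown PC abroad.
POLICY = LogonPolicy(["10.0.0.0/8"], {"WS-0142"}, {"FR"}, (time(7, 0), time(20, 0)))
ATTEMPT = LogonAttempt("alice", True, "203.0.113.7", "UNKNOWN-PC", "XX", datetime(2024, 5, 1, 3, 0))
```

Running `evaluate(ATTEMPT, POLICY)` denies the logon with four reasons and `alerts_for` produces one message for IT and one for the account owner, whereas the same credentials from an allowed network, workstation and country during work hours are accepted.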

And just to be safe, it’s probably a good idea to change your password at that point…

Enter stage right: UserLock

IS Decisions’s UserLock uses context-aware security in this way to add protection to the use of passwords. Unlike multi-factor authentication, which seriously hampers employee productivity, UserLock works in the background to offer an unparalleled degree of protection and visibility into who is logging into your corporate network, where from, what device, and much more.

It’s the perfect tool to protect the sanctity of your data from phishing or ransomware.

Watch how easy it is to set logon restrictions with UserLock

Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.
