
IS Decisions Blog

Changing your password regularly makes you less safe, apparently

There is a much simpler way to handle password security. Here's how to keep attackers from gaining access, even if they get their hands on a valid password.

Published May 9, 2017

Here’s an interesting view. According to Paul Edmonds, head of tech at the National Cyber Crime Unit, changing your password regularly makes you less safe. Not more.

That’s a surprising opinion given we’re always being told to change our passwords regularly to keep attackers at bay. It’s the equivalent of changing the locks. If a burglar manages to steal your key, your house will remain safe. And we see it every time a major corporation suffers a security breach: “While we’re confident no data has been compromised, we advise that all our customers change their passwords.”

Changing passwords isn't enough

But Edmonds’s view isn’t without reason — if you need to change your password regularly, you’re probably going to pick one that’s easy to remember. And what you gain in ease of recollection you sacrifice in password complexity, making it easier for your would-be attacker to effectively pick your lock.

That’s the trouble with passwords — we’re all human. If we need to keep changing our passwords, we’re much more likely to forget what we’ve changed them to — especially if we use unique passwords for different logins, such as Facebook and the corporate network at work.

While Edmonds certainly has a point, we at IS Decisions think that the problem with passwords is not the password itself (irrespective of what you change it to and how simple it is), but with the way authentication methods rely on just a password alone.

Before you start thinking that we’re going to shout about multi-factor authentication (MFA) from the rooftops — yeah, we do talk a lot about MFA as a solution to credential compromise. But the secret sauce to MFA is actually something else. And it keeps passwords safe, even if an attacker does manage to crack them.

Enter, context-aware security

The secret is context-aware security. Imagine this. A burglar steals your house key. When they attempt to get in via the front door, the lock won’t turn. Why? Because you’ve got a camera system there that recognises that the person using the key isn’t you or anybody else that you live with. The system has also noted that it’s 03:00 am. You’ve never tried getting home at that time in the morning… The system knows something’s up, and sends you an alert directly to your smartphone straight away.

Context-aware security works in exactly the same way. If an attacker gets their hands on your password — whether it’s a simple one like 123456, or a complex one including a mixture of uppercase, numbers and special characters — that attacker won’t be able to use it. With context-aware security, you can restrict access to certain geographies, employee-owned devices, IP addresses, particular workstations, times of day, and many other factors.

Then, if someone attempts to log in with a legitimate password but from the wrong context, the system will automatically deny access, alert the IT team to the attempt, and notify the owner of the password that something dodgy just happened.
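To make the deny-and-alert behaviour concrete, here is a small context-aware logon evaluator as an added example; it is not UserLock’s code or any IS Decisions code, and the per-user policy (allowed workstations, source networks and logon hours) and the logon attempts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass
class LogonAttempt:
    user: str
    password_ok: bool      # result of the normal password check
    workstation: str
    source_ip: str
    when: datetime

# Constructed per-user context policy (assumed data model, not UserLock's):
# allowed machines, allowed source networks and allowed local logon hours.
POLICY = {
    "alice": {
        "workstations": {"WS-ALICE-01", "WS-LAB-07"},
        "networks": [ip_network("10.0.0.0/8")],
        "hours": (7, 20),   # allowed hours, [start, end)
    },
}

def evaluate(attempt, policy=POLICY):
    """Return (allowed, reasons). A wrong password is denied outright; a
    correct password is still denied when any context check fails."""
    if not attempt.password_ok:
        return False, ["bad password"]
    rules = policy.get(attempt.user)
    if rules is None:
        return False, ["no context policy for user"]
    reasons = []
    if attempt.workstation not in rules["workstations"]:
        reasons.append(f"unknown workstation {attempt.workstation}")
    if not any(ip_address(attempt.source_ip) in net for net in rules["networks"]):
        reasons.append(f"source {attempt.source_ip} outside allowed networks")
    start, end = rules["hours"]
    if not start <= attempt.when.hour < end:
        reasons.append(f"logon at {attempt.when:%H:%M} outside allowed hours")
    return not reasons, reasons

def alerts_for(attempt, policy=POLICY):
    """A valid password refused on context is the signal worth raising:
    notify the IT team and the account owner, as the post describes."""
    allowed, reasons = evaluate(attempt, policy)
    if allowed or not attempt.password_ok:
        return []
    summary = f"{attempt.user}: valid password denied ({'; '.join(reasons)})"
    return [("it-team", summary), (attempt.user, summary)]
```

A stolen password used from an unknown PC, an external address and at 03:00 trips all three checks and produces two alerts, while the same password from the owner’s usual workstation during working hours is allowed.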

And just to be safe, it’s probably a good idea to change your password at that point…


How UserLock MFA and contextual access management prevents credential compromise

IS Decisions’ UserLock uses context-aware security in this way to add protection to the use of passwords. Unlike most multi-factor authentication, UserLock MFA doesn't get in the way of productivity. And context-based access restrictions work in the background to offer an unparalleled degree of protection and visibility into who is logging into your corporate network, from where, on what device, and much more.

It’s the perfect tool to protect the sanctity of your data from phishing or ransomware.
