
Passwords, Two-Factor Authentication, and Security Questions

This guide takes a more detailed look at passwords, password managers, and two-factor authentication.

The Lifespan of Passwords

For some sites/services, password rotation is built in for you. Some will expire passwords every three months, every six months, or every year. Others will prompt you to change your password after an event such as a security breach. Others will let you use your password indefinitely.

There is no exact science to how often you should change your passwords. Some online sources recommend very short password life cycles (once per month), but this tends to increase frustration for the end user (i.e., you), actively encourages the bad habits that make passwords easier to crack overall (predictable variations, reuse, writing them down), and increases the chances that you will forget your password and have to spend time going through "Forgot Password?" links.

LastPass, a company that makes a popular password storage tool, lists some of the reasons to change your password in its article, "How often should you change your password?":

  • After a service discloses a security incident. 
  • There is evidence of unauthorized access to your account. 
  • There is evidence of malware or other compromise of your device. 
  • You shared access to an account with someone else and they no longer use the login. 
  • You logged in to the account on a shared or public computer (such as at a library or hotel). 
  • It’s been a year or more since you last changed the password, especially if you don’t have multi-factor authentication enabled. 

They further recommend, in that article, performing a "password audit" to identify accounts that are important (i.e., whose passwords are under high pressure) and accounts with old, weak, or known-to-be-compromised passwords.

Generally speaking, you should change out your passwords, but you can usually wait until you are in a time and place where you can take the time to create good passwords and make sure you will be able to recall them. The only time you should "rush" a password change is when you have active evidence of a breach (items you did not purchase show up in your online cart, for instance).

Password Pressure and Seldom Used Accounts

One concept that is vital to proper password management is the pressure that is applied to any given password. If a password is on a site/service that is vital to you, a site/service that does not have many built-in features to protect your account, or a site/service that has a history of being compromised, you should consider the password to be under increased pressure.

Passwords under a lot of potential pressure should have greater strength.

What this means for you is that you should identify which accounts would be particularly damaging to have compromised - and which accounts have fewer built-in protections - and create better (longer, more unique, more frequently changed) passwords for those accounts. The advantage of this is that you can prioritize these passwords, dedicate more mental energy to them, and reduce the stress of creating and recalling all passwords equally.

There is a caveat, though: if you reuse passwords or keep personally identifying information on weakly protected accounts, that information can be used to crack your more vital accounts: snippets of addresses, birthdays, credit card numbers, email addresses, family members' names, and so forth. Considering the pressure on a password can help you manage the task mentally, but it should not be your only consideration for safety.

If you have accounts you seldom use, or no longer care about, you still need to update the passwords regularly to stay safe. If you do not wish to do this, consider deleting them.

Two-factor authentication can help reduce the pressure applied to passwords. Conversely, passwords used to protect other passwords (such as a password manager's master password) should be considered to be under the greatest possible pressure.
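The "password audit" and the idea of password pressure described above can be turned into a simple checklist you run over your own accounts. The following Python script is an added example written for this guide; it is not code from LastPass or from the guide's author. The point weights, the list of "urgent" events, the one-year age threshold, and the sample accounts are all assumptions constructed for illustration. It scores each account's pressure from the factors the guide names (importance, missing two-factor authentication, weak built-in protections, breach history, reused passwords, protecting other passwords), flags the reasons a change is due, and sorts urgent cases first.

```python
from dataclasses import dataclass, field
from datetime import date

# Events from the guide's list that call for an immediate password change.
URGENT_EVENTS = {
    "service_breach",       # the service disclosed a security incident
    "unauthorized_access",  # evidence someone else used the account
    "device_compromise",    # malware or other compromise of your device
    "shared_login_ended",   # a person you shared the login with no longer uses it
    "public_computer",      # you logged in on a shared or public computer
}

ONE_YEAR_DAYS = 365  # assumed threshold for "a year or more" since the last change


@dataclass
class Account:
    name: str
    important: bool            # vital to you (email, bank, ...)
    mfa_enabled: bool          # two-factor authentication turned on
    weak_protections: bool     # few built-in account protections
    breach_history: bool       # service has been compromised before
    reused_password: bool      # same password used elsewhere
    last_changed: date
    protects_other_passwords: bool = False   # e.g. a password manager master password
    recent_events: list = field(default_factory=list)


def pressure_score(acct: Account) -> int:
    """Assumed weights: higher means the password is under more pressure."""
    score = 0
    if acct.protects_other_passwords:
        score += 5   # greatest possible pressure per the guide
    if acct.important:
        score += 3
    if not acct.mfa_enabled:
        score += 2
    if acct.weak_protections:
        score += 2
    if acct.breach_history:
        score += 1
    if acct.reused_password:
        score += 2
    return score


def audit_reasons(acct: Account, today: date) -> list:
    """Reasons a password change is due, urgent ones prefixed with 'urgent:'."""
    reasons = [f"urgent: {ev}" for ev in acct.recent_events if ev in URGENT_EVENTS]
    age = (today - acct.last_changed).days
    if age >= ONE_YEAR_DAYS and not acct.mfa_enabled:
        reasons.append(f"password is {age} days old and MFA is off")
    elif age >= ONE_YEAR_DAYS:
        reasons.append(f"password is {age} days old")
    if acct.reused_password:
        reasons.append("password reused on another account")
    return reasons


def password_audit(accounts, today: date) -> list:
    """Prioritized audit: urgent accounts first, then by pressure, then by name."""
    rows = []
    for acct in accounts:
        reasons = audit_reasons(acct, today)
        rows.append({
            "account": acct.name,
            "pressure": pressure_score(acct),
            "urgent": any(r.startswith("urgent:") for r in reasons),
            "reasons": reasons,
        })
    rows.sort(key=lambda r: (not r["urgent"], -r["pressure"], r["account"]))
    return rows


# Constructed sample accounts (not real data) and a fixed audit date.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("password manager", True, True, False, False, False,
            date(2023, 1, 15), protects_other_passwords=True),
    Account("email", True, False, False, False, False,
            date(2024, 3, 1), recent_events=["unauthorized_access"]),
    Account("old forum", False, False, True, True, True, date(2019, 8, 20)),
    Account("streaming", False, True, False, False, False, date(2024, 1, 10)),
]


def run_sample_audit() -> list:
    return password_audit(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for row in run_sample_audit():
        flag = "URGENT" if row["urgent"] else "      "
        print(f"{flag} pressure={row['pressure']:2d} {row['account']}: {row['reasons']}")
```

The sort key puts any account with an urgent event at the top regardless of its score, which matches the guide's advice that active evidence of a breach is the one case where a change should be rushed; everything else is ordered by pressure so you can spend your effort where a compromise would hurt most.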