I update my passwords from time to time. I don't trust that the organizations will always say if there is a breach, know there is a breach, or actually know how far and wide a breach went.
Do you trust them to salt and hash your password using bcrypt (rather than store it in plain text)? Do you use a password manager to generate strong passwords that are at least 16 chars long? If you can answer yes to both, then it doesn't actually matter if your hashed password was part of a breach or not; the hackers won't be able to brute force it. (Of course, if hackers manage to steal the private key with which your session cookie is encrypted, they can still log in as you, but then changing your password won't help either.)
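A worked illustration of the two conditions in the comment above, added here as an example and not part of the original thread: a manager-style 16-character random password, its entropy, the expected exhaustive-search time at an assumed guess rate, and a per-user salted slow hash so two users with the same password get different stored digests. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (a swapped-in choice so the block runs without third-party packages), and the 1e5 guesses-per-second figure is an illustrative assumption, not a measured bcrypt benchmark.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional, Tuple

# Character set a password manager typically draws from: 94 printable ASCII chars.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker throughput against a slow, salted hash (e.g. bcrypt at a sane
# work factor). Illustrative assumption only; real rates depend on cost and hardware.
ASSUMED_GUESSES_PER_SECOND = 1e5
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Generate a uniformly random password from a CSPRNG, as a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float,
                         guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted slow hash. PBKDF2-HMAC-SHA256 stands in for bcrypt here (swapped-in for
    portability). A fresh 16-byte random salt is drawn when none is supplied, so the
    same password hashed twice yields different digests."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for length in (8, 12, 16):
        bits = entropy_bits(length, len(ALPHABET))
        years = expected_crack_years(bits)
        print(f"{length} chars: {bits:.1f} bits, ~{years:.3g} years "
              f"at an assumed {ASSUMED_GUESSES_PER_SECOND:.0e} guesses/s")
    # Same password, two accounts: different salts, different digests, so a leaked
    # table cannot be attacked with one precomputed list.
    strong = generate_password(16)
    s1, h1 = hash_password(strong)
    s2, h2 = hash_password(strong)
    print("salts differ:", s1 != s2, "digests differ:", h1 != h2)
    print("correct accepted:", verify_password(strong, s1, h1),
          "wrong rejected:", not verify_password("hunter2", s1, h1))
```

The interesting number is the gap between 8 and 16 characters at the same guess rate: each extra random printable character adds about 6.55 bits, so length, not complexity rules, is what puts a breached hash out of reach.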
This seems reasonable.
How often do you change your passwords?
Feels like it would get extremely tedious if you have more than a few accounts though, no?
This only applies to banking and email passwords. And most last over a year. I don't have a schedule; just one morning I wake up and go, "oh yeah, I've been using that password since 2019..."
Yes. You can set your passwords to expire after a date (or a period) in KeePassXC. They will show up in your Health Check reports along with weak or non-unique passwords, possible leaks and more.
For certain sensitive websites (e.g. domain registrar) I change passwords once a year or so, because there's really no guarantee that administration would 1) notice a breach early or at all, 2) fully understand the scope/severity, or 3) even notify their users about a breach.
Yes. For sites, desktops, everything that has some rule stating that passwords expire after 30/90/180 days, must not repeat the last 3/5/10 passwords, must have a minimum/maximum of n characters, must/must not contain special symbols or some subset of them.
My current work forces updates every 3 months. Requiring a reset this often seems more like a security issue in itself.
This is because they create another problem: anyone you talk to will say they have their password and just increment a number for every password change. That way they're not having to remember a whole new password every few months. So there's never much of a change in anyone's password during these rotations.
I think this is an issue for things like a system login where you can't necessarily use 1Password or your equivalent. I have my work domain password in 1Password, and it's a huge pain in the ass when I need to use it in that context.
However, if you use a password manager, and have access to it, I think forcing key rotation on a short schedule actually increases security. The downside, of course, is that most people don't use a password manager, and most people use the same relatively insecure password for everything.
NIST actually changed their recommendation relatively recently and no longer suggests periodic password changes without reason.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Yes, and I believe they initially made this change in June 2017 (almost 5 years ago now). IT audit/compliance is typically 5 to 10 years behind best security practices and some standards are even slower to catch up.