We mentioned in a previous post that when security is too complex it has the unintended consequence of becoming less secure, as people are forced to write down passwords, access codes and other ‘memorable’ details that would be impossible for anyone else to guess but which you were supposed to have memorised.
And now, finally, Microsoft has decided that regularly changing passwords is no longer required for its products. Until now it had clung to the notion that you should discard a perfectly good secure password for another one you will then have to remember; that notion is now officially outdated. Of course this doesn’t give me back access to accounts which I’ve changed passwords for, promptly forgotten and, not having prepared for such an event properly, lost access to, but at least it won’t happen again!
With the advent of password management tools it’s no longer necessary for our human brains to recall long, complex codes made up of upper- and lower-case letters, numbers and special characters. Instead we can get technology to do it for us, meaning that we can make any networked device incredibly secure. Having to arbitrarily change these passwords every few months would mean needlessly changing a raft of different login details.
Passwords are a recurring issue for devices which should naturally be secured against any form of hacking or unwanted access. Smart technology requires that each and every device be networked and connected to every other in order for them to function correctly. And while most devices won’t need to be directly connected to the internet, they will be protected by a username and password. Unfortunately, it was found that a range of budget LED lightbulbs were storing passwords in plain text.
The fact that any networked device stores details such as passwords in text which anybody can read is not a minor security lapse. Throwing out a faulty or broken lightbulb, something that happens thousands of times every day, is no big deal. Throwing out a device which has passwords stored on it, which anybody who picks it up could use to hijack your smart home network, is a problem. As we become ever more reliant on smart home technologies such as environmental controls, access control, CCTV camera monitoring, and fire and gas alarms, the fact that someone could pick something as disposable as a broken lightbulb out of the bin and then gain access to all those devices is concerning.
Security Through Simplicity
The thing about security is that it should be simple from the point of view of the end user, and baffling to those who would try to break it. By that measure, Microsoft’s policy of making users change passwords was a counterproductive failure. Most people, when forced to change a password they were comfortable with, would choose another that was significantly weaker because it was memorable, or would write it down. Low-quality passwords can easily be guessed by someone who knows you, or broken by software designed to do so.
Having to memorise a new password is inconvenient, annoying, and counterproductive. If a password is secure there is no reason to change it on a regular basis. Sure, change it if you think someone else has got hold of it, or if you gave it to someone for access and no longer want them to have it. However, changing it for no other reason than that it’s old is nonsense. Indeed, if you’re being asked to change your password many times a year, and if additionally you’re not allowed to reuse one you’ve used before, the temptation to write it on a Post-It and stick it to your monitor is almost overwhelming!
Frustration could easily drive you to do exactly that. Indeed, if you share accounts with other family members, such as your smart home admin or, more importantly, a joint bank account, you could easily be tempted to write down a password so your spouse or partner knows how to log in the next time they need to bank. That is why banks don’t ask you to change your password regularly.
However, one problem that regularly changing passwords would solve is the habit many of us have of using the same password for each and every one of our online accounts, services and tools. If you use only one or two passwords for everything, cracking your entire connected life becomes that much easier. If you run a business where several employees need access to the company’s social media, e-marketing and website, it makes sense on one hand to have a single username and password everybody knows. However, even if you have absolute trust in your current and former employees, it’s likely that one or other of them will write it down. You might even write it down yourself and put it in onboarding documents which could easily be lost or stolen.
Don’t do that.
Again, password managers can let anyone using one of your computers access your sites and tools without ever actually seeing the passwords themselves, and those passwords can be several dozen random characters long, making them impossible to memorise and hard to write down and smuggle out. And if there is a security breach, the password manager admin can change any or all of the passwords with just a few clicks.