sbradley
Contributing Writer

Change my password? AGAIN?

Opinion
Mar 07, 2022 | 5 mins
Security, Small and Medium Business, Windows

It’s not unusual for companies to require password changes routinely. But that doesn’t do as much for security as most people think; multi-factor authentication is a better option.

Every year at this time, I have to fill out my firm’s cyber insurance application — and every year they ask whether we encourage strong passwords and change them often. This question annoys me tremendously, because we really shouldn’t be changing passwords often. We should instead be choosing authentication processes that appropriately match site risks; using a password should be the last thing you want to rely on.

First, think about the information and data a website is keeping on you. The sites we want to offer the most protection often have the weakest. Where you can, always add two-factor authentication to a site’s access. (Not all multi-factor authentication is created equal, but some sort of multi-factor is better than none. If it encourages attackers to go elsewhere, it’s done its job.)

Banks and financial organizations often do slow rollouts of authentication software, so you have to settle for a username, a password, and then a two-factor authentication tool — typically a text sent to your smartphone. While smartphone SIM chips can be cloned (so attackers can spoof your phone and intercept texts), the vast majority of us are still better off with this process. Relying only on a username and password for bank access puts your account at risk.

To be fair, not all passwords are created equal. If you have reused a password on another website or for a different bank account, you’re more at risk. Attackers often steal or purchase a repository of hacked passwords or “hashes” of passwords and then try to reuse them to gain access to other sites. If you’ve ever received a password reset notification — and you didn’t attempt to sign into the account — that’s probably an attacker trying a password-stuffing attack on the site. So don’t reuse the same password anywhere.

For years, online users were told to vary their usernames to see whether a site was selling their information elsewhere. Now, I see that same sort of recommendation for choosing passwords or passphrases. There is a very funny video online that nails the process people use to pick passwords. You start by picking a password — and then use it everywhere. Then, when a site says that one isn’t good enough, you add another letter. Then you need a special character (like the exclamation mark). The truth is: our brains can only hold so much information, which is why we tend to reuse the same password, or a variation of it, on multiple sites.

Microsoft often recommends the use of PINs over passwords. It argues that a PIN is specific to the device, so if an attacker steals your PIN they have to steal the device, too. There’s one problem with this argument. I have several devices that require a PIN, and I have to admit I use the same PIN on all of them because I can’t remember PINs any better than passwords. According to Microsoft, the advantage of a PIN is that “when the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication.” A PIN is backed by the Trusted Platform Module (TPM) chip on the computer. (If you wondered why you had a Windows 10 machine that demanded you use a PIN instead of a password, it’s because the operating system registered that you had the necessary hardware to support the process.) If you don’t need or want to have a PIN, you can remove it. Press the Windows key and the I key to open Settings. Choose Accounts and then click on Continue. In the left panel, click on Sign-in options. In the right panel, choose “Remove” under the PIN section.

Efforts to improve online security are spreading. Intuit recently started requiring an online password, even to log into the desktop version of QuickBooks, its accounting and bookkeeping software. Those with a QuickBooks file that includes sensitive information such as payroll or credit cards must also sign in with an online account first. For years, desktop users have only needed a username. Even so, many users felt the change seemed heavy-handed, especially when combined with a mandate to change passwords every 90 days. (Here again is that idea that changing passwords is preferable to better passwords or to using the Google Authenticator app to access your Intuit account.)

Even if you’re a small business, you can add two-factor authentication to your own computer access to bolster security. Duo.com, for example, offers Duo free for deployments with fewer than 10 users. It provides a two-factor prompt to a smartphone or even the Apple Watch. I use it in my office for remote access to ensure that when anyone connects from outside the office, they have to respond to a prompt on their phone to gain access. Its ease of use means I can ensure that remote access is secure, and I can avoid excessive password changes.

If you’re a vendor or a cyber insurance agency, listen up! Stop asking me to change my password. Ask me instead what my favorite multi-factor application is. That’s the quickest way to improve security for most users.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserv, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds Wrap for her tinfoil hat.