One of the common pieces of account security advice is that users should change their passwords regularly.
Why was the advice changed?
The advice to regularly change passwords was originally implemented to help increase security.
From a purely logical perspective, the advice to regularly refresh passwords makes sense.
The real-world experience is slightly different though.
The problem with incremental passwords like Spring2019! is that they are easy to guess, and once guessed they make future changes easy to predict too.
For example, in a worst-case scenario, a hacker could compromise the password Spring2019!
within a few months of it being valid.
At this point, they can try variants with Fall instead of Spring and they're likely to gain access.
and think that they're secure.
The hacker, knowing the pattern, may well try this if they are able to gain access again.
What's the new advice?
Combined with this are a number of other recommendations aimed at encouraging the creation of stronger passwords.
and Password1 which meet many complexity requirements.
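The two weaknesses described above, seasonal or incremented passwords that make the next rotation predictable, and passwords like Password1 that satisfy complexity rules yet are trivially common, can both be caught at password-change time rather than by forcing expiry. The following is an added example, not code from the original article: a change validator that applies the classic complexity rule, checks a blocklist, flags season+year patterns, and rejects a new password that is only a trivial variant of the old one (the user supplies the old password when changing it, so comparing the two needs no stored plaintext). The blocklist, season list and pattern rules are constructed for illustration; a real deployment would use a breached-password list.

```python
import re

# Constructed sample list standing in for a real breached-password blocklist.
COMMON_PASSWORDS = {"password1", "password123", "welcome1", "qwerty123"}

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
# Matches e.g. Spring2019! or Fall19: season, 2-4 digit year, optional punctuation.
SEASON_YEAR_RE = re.compile(
    r"^(spring|summer|fall|autumn|winter)\d{2,4}[!@#$%^&*.?]*$", re.I
)


def meets_complexity(pw, min_len=8):
    """Classic complexity rule: minimum length plus three of four character classes."""
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(pw) >= min_len and classes >= 3


def normalize(pw):
    """Strip digits, punctuation and case so only the word part remains.

    'Spring2019!' -> 'spring', 'Welcome2' -> 'welcome'
    """
    return re.sub(r"[\d\W_]+", "", pw).lower()


def is_predictable_change(old, new):
    """True when the new password is a trivial variant of the old one."""
    if old == new:
        return True
    base_old, base_new = normalize(old), normalize(new)
    if base_old == base_new:
        return True  # only digits or punctuation changed: Welcome1 -> Welcome2
    if base_old in SEASONS and base_new in SEASONS:
        return True  # season swapped: Spring2019! -> Fall2019!
    return False


def check_new_password(old, new):
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_complexity(new):
        reasons.append("fails complexity")
    if new.lower() in COMMON_PASSWORDS:
        reasons.append("in common-password blocklist")
    if SEASON_YEAR_RE.match(new):
        reasons.append("season+year pattern")
    if old is not None and is_predictable_change(old, new):
        reasons.append("predictable variant of previous password")
    return reasons


if __name__ == "__main__":
    # Constructed cases: the rotation from the article, a number bump, and a
    # complexity-passing but common password, next to a password that passes.
    for old, new in [
        ("Spring2019!", "Fall2019!"),
        ("Welcome1", "Welcome2"),
        (None, "Password1"),
        ("Spring2019!", "Tangerine-Kettle-42-Wombat"),
    ]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new) or 'accepted'}")
```

Note that Password1 passes meets_complexity, which is exactly the point of the article: complexity rules alone do not stop weak choices, so the blocklist and the variant check carry the real weight, and neither of them depends on forcing users to rotate on a schedule.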
The cybersecurity community almost unanimously agrees that passwords should not be expired automatically.