Regular Change of Internet Passwords Not Necessary

The communications ministry in Japan has reportedly decided that it is not necessary to keep changing internet passwords regularly. The ministry instead advises citizens to use one hard-to-guess password per online account.

The Asahi Shimbun reports- “It is not necessary to regularly change Internet passwords, the communications ministry has decided in a rejection of conventional wisdom, but advises instead that citizens should use one hard-to-guess password per online account.”

The report further says- “The ministry has deleted the line, “Let’s change your password periodically,” on its “information security site for citizens” website, which instructs how to safely use the Internet. The website now states, “No need to change your password periodically,” since it was updated in March.”

This particular change in the official advice has reportedly been made based on a recommendation that the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) had made in its information security handbook, which has been published in late 2016. (The NISC is an organization in charge of the country’s internet security).

The Asahi Shimbun also quotes an NISC official who says- “As people have been required to change passwords, they tend to choose ones with simpler character combinations, which are easier to guess. We believe that it is more important to set up complicated passwords and not to reuse them (for more than one system).”

In 2003, the communications ministry had for the first time called for internet users to change passwords periodically as one of the key methods of limiting damages in case a password security breach happens. The recommendations of the NISC are based on global trends, including a research report that has been published by the University of North Carolina, in 2010.

A research team at the University of North Carolina had studied about 7,700 accounts of students, asking them to keep changing their passwords every 90 days. They noted that when the passwords were changed, the students would tend to delete just one character or make some minor changes; these changes wouldn’t be very effective and anyone could guess out the new passwords based on the earlier ones.

In addition to the University of North Carolina researchers, other researchers too have emphasized on this aspect- that there’s no need to change passwords regularly. Researchers have come up with lots of evidence that support this stand. Despite all this, there are many organizations that still continue to urge their people to change passwords periodically so as to ensure maximum internet security.

Well, whether or not people change their passwords regularly, they should ensure that their passwords are strong and hard to guess. Moreover, they should avoid simple character combinations for passwords, like 123456 or 123456789, or easy to guess words like ‘password’, ‘qwerty’ etc. Some experts even say that when it’s critical data that’s to be protected, it’s always good for complicated, long passwords and even change them periodically, making sure the new passwords are totally different from the earlier ones.