Changing passwords often and making them as complex as possible has been the go-to method for reducing account vulnerability until now. In fact, most organisations mandate that their employees change passwords as often as possible. But a recent advisory from the Communications-Electronics Security Group (CESG), the information security arm of UK intelligence, says changing passwords too often might actually be counterproductive.
The reason is that when passwords must be changed too often, users tend to choose passwords that are easier to remember, and they often end up with passwords that are only minor variations of the old one. That makes them easy to break by guessing or brute-force attacks. Social engineering also becomes a significant problem. If users are forced to keep complex passwords, they may not be able to remember them and write them down instead, which also significantly increases the risk of compromise.
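The "minor variation of the old password" problem described above is one a password-change policy can detect at change time rather than leave to the user. The following is an added Python example, not code from the CESG advisory or from the article: it normalises both passwords (lower-case, undo common digit-for-letter substitutions, strip appended digits and symbols) and rejects the change when the two cores are the same, one contains the other, or they differ by only a couple of edits. The function names, the substitution table and the edit-distance threshold are assumptions chosen for illustration; the sample password pairs are constructed.

```python
"""Reject password changes that are trivial variants of the previous password.

Added illustration (hypothetical policy check, not from any real product):
catches the "Summer2023! -> Summer2024!" pattern that forced rotation encourages.
"""
import string

# Common substitutions users apply to satisfy complexity rules (assumed table).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(pw: str) -> str:
    """Strip leading/trailing digits and symbols, lower-case, undo leet substitutions.

    'P@ssw0rd2024!' -> 'password'; 'Summer2023!' -> 'summer'.
    """
    core = pw.strip(string.digits + string.punctuation)
    return core.lower().translate(LEET_MAP)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a trivial variant of `old` and the change should be refused."""
    lo, ln = old.lower(), new.lower()
    if lo == ln or lo in ln or ln in lo:      # identical, or a character or two appended
        return True
    oc, nc = normalize(old), normalize(new)
    if not oc or not nc:                      # all-digit/symbol passwords: compare raw strings
        return levenshtein(lo, ln) <= max_edits
    if oc in nc or nc in oc or nc == oc[::-1]:  # same core, or core simply reversed
        return True
    return levenshtein(oc, nc) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs for illustration only.
    for old, new in [
        ("Summer2023!", "Summer2024!"),
        ("P@ssw0rd1", "Password2"),
        ("Summer2023!", "Winter2023!"),
        ("12345678", "12345679"),
    ]:
        verdict = "REJECT" if too_similar(old, new) else "accept"
        print(f"{old!r:16} -> {new!r:16} {verdict}")
```

A check like this belongs on the server side of the change flow, where both the old and the new plaintext are briefly available; it complements, rather than replaces, a breached-password list lookup.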
Former NSA contractor Edward Snowden suggested in 2015 shifting from passwords to passphrases. He argued that even a complex 8-character password can be brute-forced in under a second on a fast computer. “The best advice here is to shift your thinking from passWORDs to passPHRASES. Think about a common phrase that works for you. It’s too long to brute force and also makes them unlikely to be in the dictionary.”
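The size of the search space behind the 8-character versus passphrase argument can be made concrete. Below is an added Python example, not code from the article or from anyone quoted in it: it computes the keyspace of a short complex password from the character classes it uses, and the keyspace of a passphrase under two attacker models, naive character-by-character brute force and a word-list attack in which the attacker knows the list and the word count (a Diceware-style model). The 7776-word dictionary size, the guess rate and the sample secrets are assumptions for illustration, not measurements of any real hardware.

```python
"""Compare brute-force search spaces: short complex password vs. passphrase.

Added example (not from the advisory or the article). Guess rates are
illustrative parameters; the sample secrets are constructed.
"""
import math
import string

# Character classes a brute-force attacker enumerates; only classes actually
# present in the secret enlarge the per-position alphabet.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
    "space": " ",
}


def character_keyspace(secret: str) -> int:
    """Search space when the attacker knows the length and which character classes appear."""
    alphabet = sum(len(chars) for chars in CHAR_CLASSES.values()
                   if any(c in chars for c in secret))
    if alphabet == 0:          # nothing matched (e.g. non-ASCII): assume full printable ASCII
        alphabet = 95
    return alphabet ** len(secret)


def wordlist_keyspace(n_words: int, dictionary_size: int = 7776) -> int:
    """Search space when the attacker knows the word list and the word count."""
    return dictionary_size ** n_words


def bits(keyspace: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at a given (assumed) guess rate."""
    return keyspace / guesses_per_second


def compare(password: str, passphrase: str, guesses_per_second: float = 1e10) -> dict:
    """Bits and exhaustion time for each candidate under the model that applies to it.

    The passphrase gets two figures: the naive character model, and the word-list
    model a prepared attacker would actually use against a phrase of common words.
    """
    n_words = len(passphrase.split())
    pw_space = character_keyspace(password)
    phrase_word_space = wordlist_keyspace(n_words)
    return {
        "password_bits": bits(pw_space),
        "passphrase_char_bits": bits(character_keyspace(passphrase)),
        "passphrase_word_bits": bits(phrase_word_space),
        "password_seconds": seconds_to_exhaust(pw_space, guesses_per_second),
        "passphrase_word_seconds": seconds_to_exhaust(phrase_word_space, guesses_per_second),
    }


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for key, value in compare("P@ssw0rd", "correct horse battery staple").items():
        print(f"{key:26s} {value:,.1f}")
```

The two passphrase figures are the caveat a practitioner needs: measured character by character a four-word phrase looks enormous (well over 100 bits), but under the word-list model it is only about 52 bits, roughly the same as the eight-character full-charset password. Length alone is not the measure; the number of words and whether the phrase is a well-known quotation are what matter, and adding a fifth random word buys far more than adding symbols to a shorter string.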