
Blog

Changing Passwords Periodically Doesn’t Increase Security

Rowena


Does your organization or some financial website require you to create a new password periodically? This practice was recommended long ago, but some organizations haven’t kept up with current recommendations that discourage such policies. If you’re bound by a password expiration policy, you can use this article to encourage your IT department or financial institution to update its approach to password security.

The rationale behind password expiration policies was that if an attacker stole a password database and cracked some of the stored hashes, the recovered passwords would work only until the next forced change, limiting the window for unauthorized access. Even if an attacker gained access to an account, they could remain undetected only by not changing the password, and that access wouldn’t outlast the next scheduled change.

Over time, security experts realized that the problem wasn’t so much how long an attacker could remain undetected but that users were allowed to set weak passwords that could be cracked in the first place. It turns out that users often choose weaker passwords when they know they will have to change them, typically by tweaking a previous password for easier memorization. This fact hasn’t been lost on attackers, who try those same tweaks first, making it easy to guess the next password from an old one. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

The National Institute of Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government that large corporations and other institutions tend to follow. In 2017, NIST changed its guidelines (Special Publication 800-63B) to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.
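To make the “common transformations” concrete, here is a small added example (not from NIST or from the original post) that enumerates the tweaks an attacker would try first against a compromised old password: bumping a trailing number, swapping the trailing symbol, flipping case, and leet substitutions. The set of transformations and the sample passwords are constructed for illustration; real cracking rulesets are far larger, but the point is the same: a “new” password reachable by a few hundred guesses from the old one is not a new secret at all.

```python
import re
from itertools import product

# Substitutions users commonly apply and attackers commonly try (assumed list, illustrative only).
LEET = str.maketrans("aeios", "43105")
# Trailing symbols tried in place of (or in addition to) the old one; "" means "drop the symbol".
SYMBOLS = ["", "!", "@", "#", "$", "."]


def split_password(pw: str) -> tuple[str, str, str]:
    """Split 'Summer2023!' into ('Summer', '2023', '!'): stem, trailing number, trailing symbols."""
    m = re.fullmatch(r"(.*?)(\d*)(\W*)", pw)  # always matches: every group may be empty
    return m.group(1), m.group(2), m.group(3)


def stem_variants(stem: str) -> set[str]:
    """Case flips and leet-speak versions of the word part of the password."""
    return {
        stem,
        stem.lower(),
        stem.upper(),
        stem.capitalize(),
        stem.swapcase(),
        stem.translate(LEET),
        stem.lower().translate(LEET),
    }


def number_variants(num: str) -> set[str]:
    """Increment/decrement the trailing number (the NIST FAQ example), or append a digit if absent."""
    if not num:
        return {""} | {str(d) for d in range(10)}
    n, width = int(num), len(num)
    out = {""}  # dropping the number entirely is also a common move
    for delta in range(-2, 4):
        if n + delta >= 0:
            out.add(f"{n + delta:0{width}d}")  # keep zero padding, e.g. '09' -> '10'
    return out


def common_transformations(old: str) -> set[str]:
    """Every password reachable from `old` by one combination of the tweaks above."""
    stem, num, suffix = split_password(old)
    cands = {s + n + x for s, n, x in product(stem_variants(stem), number_variants(num), SYMBOLS + [suffix])}
    cands.discard(old)
    return cands


def is_predictable(old: str, new: str) -> bool:
    """True if `new` is one of the first few hundred guesses an attacker holding `old` would make."""
    return new in common_transformations(old)


if __name__ == "__main__":
    # Constructed sample: a typical 'rotated' password versus an unrelated passphrase.
    old = "Summer2023!"
    for new in ("Summer2024!", "summer2023$", "gouda-purple-1989-New-York"):
        print(f"{old!r} -> {new!r}: predictable={is_predictable(old, new)}")
    print(f"{len(common_transformations(old))} candidates tried before any brute force")
```

Against a stolen hash database, an attacker runs exactly this kind of candidate list (and much longer ones) before resorting to brute force, which is why a forced change that yields `Summer2024!` buys nothing.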

Of course, if there’s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately—that’s entirely different than requiring passwords to be changed on a schedule.

Interestingly, NIST also doesn’t recommend password composition requirements—such as requiring the password to contain a letter, number, and special character—because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters, and it asks verifiers to check new passwords against lists of commonly used and previously breached passwords rather than enforcing character rules. Password managers can generally create both types.

If you’re forced to change a website password periodically, it’s easiest to use a password manager to generate and enter a new strong password, and you won’t have to memorize the new password. For the very few passwords you must remember and type manually, aim for longer passwords that won’t trip up your fingers while typing or require numerous switches of iPhone uppercase and numeric keyboards. To aid memorization, perhaps consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong against an attacker who knows nothing about you, but keep in mind that the categories are themselves a pattern: an attacker who has cracked one of them and recognizes “cheese, color, year, city” only has to try combinations of those categories next time, so pick from large categories and treat the scheme as burned if any password built on it leaks.
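The following added example (not part of the original post) puts numbers on the “longer is stronger” claim and on the caveat about category-based passwords. It estimates entropy in bits for a short random password, a long random character password, a passphrase built from a word list, and the cheese-color-year-city scheme as seen by an attacker who has learned the categories. The category sizes (50 cheeses, 30 colors, 100 years, 1000 cities) and the guess rate are assumptions chosen for illustration; the 7776-word figure is the size of a standard Diceware list.

```python
import math
import secrets

# Assumed search-space sizes for the category scheme (illustrative, not measured).
CATEGORY_SIZES = {"cheese": 50, "color": 30, "year": 100, "city": 1000}
PRINTABLE_ASCII = 95          # characters a random-character password draws from
DICEWARE_WORDS = 7776         # words in a standard Diceware list
GUESSES_PER_SECOND = 1e10     # assumed offline cracking rate against a fast hash (illustrative)


def entropy_bits(choices_per_slot: list[int]) -> float:
    """Entropy of a secret made of independent uniform picks, one per slot."""
    return sum(math.log2(n) for n in choices_per_slot)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret by exhaustive search: half the keyspace at `rate` guesses/s."""
    return (2 ** bits) / 2 / rate


def scheme_entropy(sizes: dict[str, int] = CATEGORY_SIZES) -> float:
    """Entropy of 'cheese-color-year-city' once the attacker knows the categories."""
    return entropy_bits(list(sizes.values()))


def generate_passphrase(words: list[str], count: int) -> tuple[str, float]:
    """Pick `count` words uniformly at random (CSPRNG); return the phrase and its true entropy."""
    phrase = "-".join(secrets.choice(words) for _ in range(count))
    return phrase, entropy_bits([len(words)] * count)


def compare() -> dict[str, float]:
    """Entropy in bits for the password styles discussed in the post."""
    return {
        "8 random printable chars": entropy_bits([PRINTABLE_ASCII] * 8),
        "12 random printable chars": entropy_bits([PRINTABLE_ASCII] * 12),
        "4 Diceware words": entropy_bits([DICEWARE_WORDS] * 4),
        "6 Diceware words": entropy_bits([DICEWARE_WORDS] * 6),
        "cheese-color-year-city (scheme known)": scheme_entropy(),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        secs = expected_crack_seconds(bits)
        print(f"{label:40s} {bits:6.1f} bits  ~{secs / 86400:12.1f} days at {GUESSES_PER_SECOND:.0e}/s")
    # Constructed mini word list; a real generator would use the full Diceware list.
    phrase, bits = generate_passphrase(["gouda", "purple", "cheddar", "black", "oak", "river", "moon", "salt"], 4)
    print(f"sample passphrase {phrase!r}: {bits:.1f} bits (tiny list, so low entropy)")
```

The takeaway matches the post: length from random words beats short random characters, but the category scheme drops to under 30 bits, i.e. seconds of offline cracking, the moment the attacker knows the categories.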

(Featured image based on an original by iStock.com/designer491)


Social Media: Security experts no longer recommend password expiration policies that require users to change their passwords periodically

Use 1Password to Enter Your Mac Login Password

Rowena


We think of 1Password as being helpful for entering passwords on websites and in iPhone and iPad apps. But its Universal Autofill feature has a hidden capability that lets 1Password enter your Mac login password when you have to provide it to change certain system settings, install apps, format drives in Disk Utility, and more. (But it won’t work to log in at startup before 1Password is running.) To turn this feature on, click the New Item button in 1Password, search for and select “Mac login” ➊, give it a name that will sort alphabetically to the top, like “2020 27-inch iMac” ➋, enter your password, and click Save ➌. From then on, whenever you’re prompted for your Mac login password ➍, press Command-\ (Backslash, located above the Return key), and then click the desired login or press Return to select the topmost item ➎.

(Featured image based on an original by iStock.com/ipuwadol)


Social Media: 1Password is tremendously helpful for entering website passwords, but a little-known feature also enables it to enter your Mac login password for changing system settings, installing apps, and more.

How to Search Directly in Your Favorite Websites from Safari’s Search Bar

Rowena


We’re all accustomed to searching the Web generally in Safari by typing in the search field and pressing Return or tapping Go. Most of us are also familiar with the search suggestions that Safari shows below the search field as we type.

But did you know that Safari has a feature that lets you use the search field to search directly within your favorite websites, so you don’t have to wade through unnecessary search engine results or navigate somewhere manually before searching? It’s called Quick Website Search and is available for the Mac, iPhone, and iPad. It’s helpful for websites within which you search often. For example, we often search for technical information on Apple’s website. You might find the feature helpful for searching Amazon or another shopping site, a help center, or an events calendar.

All you have to do to prime Quick Website Search’s pump is search a website using its internal search option. Look for a magnifying glass or Search option, enter a term in the search field, and submit the search. It doesn’t matter what you search for—all you’re doing is teaching Safari how to search on that site, and it will remember the site from then on.

Later, to look for pages only from that site, enter three or four characters from its name (don’t accept any auto-completions!), a space, and then your search term. Don’t press Return or tap Go, however. Instead, pick the suggestion from the suggestion list under the “Search sitename” heading.

Safari then sends the search directly to the site in question, so instead of results from Google or your default search engine, you’ll see the results on the desired site.

The process is the same on the iPhone and iPad, although Safari on those platforms doesn’t remember websites you’ve searched as reliably.

On the Mac, you can see which sites Quick Website Search has remembered and remove them by opening Safari > Settings > Search and clicking Manage Websites next to Enable Quick Website Search.

On the iPhone and iPad, open Settings > Safari > Quick Website Search to see and remove the remembered sites.

Searching within a website this way can be a big productivity win, so it probably won’t take long to get used to jumping straight into your most-used websites’ internal search engines.

(Featured image based on an original by iStock.com/YiuCheung)


Social Media: Do you frequently use the internal search engine on a website? You can now search that site faster using Safari’s Quick Website Search feature, which automatically learns which sites you search.