Q: Internet security and change of passwords; how often does BBB suggest passwords be changed?
A: Good question, and one that requires serious consideration. When was the last time you reviewed the passwords to your bank or credit card accounts, email or social media accounts? A year ago? Five years ago? Does it matter? Honestly - yes, but there is also such a thing as changing them too often.
Passwords should be changed if they are all the same, if they are too easy to guess, or if they are forgotten or compromised. However, changing your passwords too often isn't a great idea either because they can easily be forgotten. Even the Federal Trade Commission admits that people don't need to change their passwords as often as they think.
BBB is here to tell consumers what makes a good password and why using multiple passwords is important.
Think of your passwords as walls. Think of a password as a wall between your personal information and the world. If you put up a strong wall, it will be difficult for others to break down. If you put up multiple strong walls for different information, they will be even harder to break down. But if you only put up one weak wall, anyone can break it down.
Don't make your passwords easy to guess. A weak password is one that is easy to guess because it is built from information that anyone can find. A strong password has at least twelve characters, with a mix of uppercase and lowercase letters, numbers and symbols.
Commonly used passwords include your pet's name, your mother's maiden name, the town you grew up in, your birthday, your anniversary, etc. Surprisingly, the information behind these common passwords can typically be found online. Even if you don't consider yourself an active user of social media or the Internet, your information is out there on one forum or another. Even for passwords that require numbers along with letters, people tend to stick to simple patterns like 0000, 1111, 1234, etc.
Make them creative. Running low on creative ideas for different passwords? Try using song lyrics. Not only is it basically impossible for hackers to guess what song you are using, it's even harder for them to guess which lyrics you're using on top of that.
Use a "passphrase." Instead of using a single word, use a passphrase. Your phrase should be relatively long, around 20 characters, and include random words, numbers and symbols. Use something that you will be able to remember but others could not guess, such as PurpleMilk#367JeepDog$.
Use multiple passwords. Using different passwords for different accounts is also important. While it may be easier to remember one password for every account, it's much easier for hackers to break down one wall rather than multiple walls. If hackers can figure out one password, even if it's to something harmless like your Instagram account, they then know the password to every single account you own. This includes websites where you shop online, banking accounts, health insurance accounts, email accounts - you name it.
Use multi-factor authentication. When it's available and supported by accounts, use two-factor authentication. This requires both your password and an additional piece of information when logging in. The second piece is generally a code sent to your phone, or a random number generated by an app or token. This will protect your account even if your password is compromised.
Consider a password manager. A written list would be best, but if you're worried about losing it, write a list on your phone and label it as something other than 'PASSWORDS'. Keep the list updated, organized and secret.
Still not convinced? Consider a reputable password manager to store your information. These easy-to-access apps store all your password information and security question answers in case you ever forget. However, don't forget to use a strong password to secure the information within your password manager.
Select security questions only you know the answer to. Many security questions ask for information available in public records or online, like your zip code, mother's maiden name, and birthplace. That is information a motivated attacker can easily obtain. Don't use questions with a limited number of responses that attackers can easily guess - like the color of your first car.
If you receive a notification from a company about a possible breach, it is always best practice to change that password and any similar passwords immediately.
Jim Winsett is president of the Better Business Bureau in Chattanooga.