Given the large number of accounts most people have, it makes no sense to change passwords frequently.

© RUB, Marquard

IT Security

Why the "Change Your Password Day" is Outdated

From a research perspective, frequent password changes are a relic and no longer practicable in view of the large number of accounts we have. Here is what experts currently recommend.

Every year on February 1st, numerous media outlets and social networks encourage people to change their passwords in observance of "Change Your Password Day." However, from the perspective of contemporary cybersecurity research, this advice is now outdated. Since 2020, the Federal Office for Information Security (BSI) has been recommending a shift in focus towards strong passwords, two-factor authentication (2FA), and passkeys.

Prof. Dr. Angela Sasse, spokesperson for the Excellence Cluster CASA and chair of Human-Centered Security (Faculty of Computer Science) at Ruhr University Bochum, is one of the leading voices behind this paradigm shift. She explains: "The regular changing of passwords is a relic from the early days of cybersecurity and is no longer practical today. Most people manage dozens of accounts. When a password is reused across multiple accounts and attackers gain access through data breaches or phishing, massive risks arise."

Empirical Studies Speak Against Regular Password Changes

Empirical studies have shown the researcher the following: when people are required to change their passwords regularly, they tend to make only minimal adjustments or reuse passwords. "This does not have a positive impact on security," warns Angela Sasse. Instead, it is more sensible to change a password only when there is a suspicion of misuse.

Slow Implementation in Practice

Why do practices like those on "Change Your Password Day" persist despite this research? Angela Sasse attributes this to a gap between research and practice: "Research has already developed numerous solutions to make cybersecurity more user friendly and more effective – such as passkeys, password managers, or biometric methods. Yet, these findings are often implemented only reluctantly." The reasons for this are currently being researched at her department. "Initial results show that most companies follow the motto 'If it ain't broke, don't fix it' – they only invest in new, useful solutions after a security incident or when customers start to leave," says Sasse.

How Users Can Take Action

Even if today is not necessarily the day to change your password, there are useful alternatives: switching to passkeys, for example, provides a login method that is not only user-friendly but also secure.

Passkeys are secure because they are based on asymmetric (public-key) cryptography: the private key remains on the device, while only the public key is shared with the service. Even if a password or PIN is compromised, the passkey is protected by biometric authentication and hardware security (e.g., Secure Enclave). Since the private key never leaves the device, passkeys are highly secure against phishing and remote attacks.

Published: Friday, 31 January 2025, 3:37 pm

By: Christina Scholten
