December 04, 2009, 7:18 PM — WHEN IS THE BEST TIME TO CHANGE YOUR PASSWORD? That depends on how "strong" your password is. A strong password is one that is at least 8 characters long with mixed upper- and lower-case letters, some non-letter characters, and that doesn't follow a pattern that could be easily guessed (for example "12345678"), says Gene Spafford, professor with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
Tip: Assuming you've picked a strong password and you're not reusing it over and over, it should be changed roughly every one to three months; often enough that the password is safe from guessing or a brute-force attack, but not so often that you're constantly forgetting it, says Spafford. Corporate users shouldn't be forced to change passwords so often that they give up taking the time to create strong passwords and choose bad ones instead.
Did you know? A PC that isn't connected to the Internet or other network doesn't need a password at all, he says. One that is on a network and contains highly valuable information should skip password protection altogether and use one-time keys or biometrics for access instead, Spafford adds.
This is part of ITworld's "Best Time" series.