By J. Carlton Collins at Journal of Accountancy on January 1, 2019
Q. We are developing new security policies for our offices, and we'd like your recommendation as to how often we should require employees to change their passwords.
A. There are approximately 330 million people in the United States and, according to the Privacy Rights Clearinghouse, nearly 9,000 data breaches affecting U.S. individuals have been reported since 2005 (see privacyrights.org/data-breaches), in which more than 11.2 billion verified identity data records have been stolen — this equates to portions of each American's identity being stolen an average of 34 times since 2005. Because so many logins and passwords are routinely stolen and put up for sale on the dark web, it's probably a good idea to change all your passwords at least once a year, if not more frequently. To be clear, this means you should sit down with your list of passwords each year, log in to every account you have, and change the passwords for each of those accounts. ID thefts don't just occur when outside hackers break into corporate computers; most ID thefts occur from within, such as when a trusted insider copies and sells crucial customer login, password, and identity information on hacker-friendly websites.
Because keeping track of many passwords and rotating them regularly can be a daunting process, you might want to consider using a password manager to store your passwords and to help you update them periodically. You can choose from among many well-regarded password managers, including 1Password, Dashlane, Keeper, LastPass, LogMeOnce, Password Boss, Sticky Password, and Zoho Vault. Nearly 20 years after its launch, RoboForm (roboform.com; priced starting at $23.88 per year) remains representative of the genre.