A commonly recommended “good practice” for security is that we should change our passwords regularly. There is some debate about how frequently that should happen. The period usually ranges from 14 days (a strict policy) to 90 days (a liberal one), while some security experts say 25 years should be fine. Technically, there is no point in changing your password unless it is compromised or you have reason to believe it may be compromised. Some systems, such as banks, force a password change on their users every few weeks. Besides being annoying, such policies have a detrimental effect on security, according to one blogger.
The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they're more likely to choose easy-to-remember -- and easy-to-guess -- passwords than they are if they can use the same passwords for many years.
The primary reason to give a password an expiration date is to limit the amount of time a lost or stolen password can be used by someone else. If a hacker gets your password either by guessing or stealing it, he can access your network as long as your password is valid. If you update your password every 90 days, the most he can get is a quarter of a year’s worth of benefit out of it, assuming the attacker is a passive one who simply eavesdrops over time without alerting you that he's there. Practically, that doesn’t happen. An attacker who gets the password to your bank is going to empty out your bank account, and 14 days is more than enough time to do it.
Anyway, the purpose of this article is not to discuss the merits of changing passwords regularly but to bring to light a new tool released by Mozilla Labs.
Password Age Visualizer is a Firefox add-on that shows how long you've been using each of your passwords and which ones are due for a change. It lists every password stored in the browser, with the ones over 200 days old highlighted in red. As you change to new passwords and update your password manager, the bars turn back to blue.
Underneath each password is its age in days, and the bar extending to the right represents how many days have passed since its first use. If the bar is red, that password is over 200 days old and should be changed. Each bar also carries black "ticks", each marking the point in time at which that password was first used on another website. Hover over a tick to see the site's name.
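The bookkeeping behind those bars is simple enough to show in full. The following is an added example, not Mozilla's add-on code: it takes a constructed stand-in for the browser's saved-login store, groups entries by password, computes each password's age in days from its earliest saved use, flags anything older than the add-on's 200-day threshold, and records one "tick" per additional site the same password was reused on. The `SavedLogin` fields and the sample dates are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 200  # the threshold the add-on uses to colour a bar red


@dataclass(frozen=True)
class SavedLogin:
    """One entry of a password manager store (assumed shape for this example)."""
    site: str
    password: str
    first_used: date  # day this password was first saved for this site


# Constructed sample store; the same password deliberately appears on two sites.
SAMPLE_LOGINS = [
    SavedLogin("mail.example", "correct-horse-battery", date(2009, 1, 10)),
    SavedLogin("shop.example", "correct-horse-battery", date(2009, 6, 2)),
    SavedLogin("bank.example", "Tr0ub4dor&3", date(2009, 9, 20)),
    SavedLogin("forum.example", "hunter2", date(2009, 10, 1)),
]


@dataclass
class PasswordBar:
    """One bar in the visualizer: age, stale flag and reuse ticks for a password."""
    password: str
    age_days: int
    stale: bool
    ticks: list  # (site, days after first use) for every site using this password


def build_bars(logins, today):
    """Group logins by password and compute one PasswordBar per distinct password."""
    by_password = defaultdict(list)
    for login in logins:
        by_password[login.password].append(login)

    bars = []
    for password, entries in by_password.items():
        entries.sort(key=lambda e: e.first_used)
        first = entries[0].first_used
        age = (today - first).days
        # The first entry is tick 0; later entries are reuse of the same password.
        ticks = [(e.site, (e.first_used - first).days) for e in entries]
        bars.append(PasswordBar(password, age, age > STALE_AFTER_DAYS, ticks))

    bars.sort(key=lambda b: b.age_days, reverse=True)
    return bars


def mask(password):
    """Show only the length of a password; the bars should not leak the secret itself."""
    return "*" * len(password)


def render(bars, width=40):
    """Text rendering of the bars: '#' for a stale (red) bar, '=' for a fresh (blue) one."""
    longest = max((b.age_days for b in bars), default=1) or 1
    lines = []
    for bar in bars:
        filled = round(bar.age_days / longest * width)
        glyph = "#" if bar.stale else "="
        reuse = ", ".join(f"{site}@+{day}d" for site, day in bar.ticks)
        lines.append(f"{mask(bar.password):24} {glyph * filled:<{width}} {bar.age_days:4}d  [{reuse}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_bars(SAMPLE_LOGINS, date(2009, 10, 15))))
```

Grouping by password before computing the age is what makes the ticks possible: a bar that carries several ticks is a password reused across sites, which is the more urgent finding than its age.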
The add-on works only if you use Firefox’s password manager to store your passwords. Since I don’t, I wasn’t able to test it. Personally, I prefer using a password generator that generates passwords on the fly based on a master password and the domain name of the website. That way I only have to remember one password and none of my bazillion passwords are written down or saved anywhere on my computer. I feel more secure that way.
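The generator described above (one master password plus the site's domain, nothing stored) can be built from standard primitives. The following is an added example, not the author's tool and not a specific product: it canonicalises the site to a host name so that `https://www.Example.com/login` and `example.com` give the same result, stretches the master password with PBKDF2-HMAC-SHA256 using the domain as salt, and maps the derived bytes onto a password alphabet with rejection sampling so no character is favoured. The `counter` parameter, the iteration count and the alphabet are assumptions added here; the counter goes beyond the scheme in the text so that one site's password can be rotated after a breach without changing the master password.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"  # 70 symbols (assumed)
PBKDF2_ITERATIONS = 600_000  # assumed cost; makes guessing the master password slow


def canonical_domain(site):
    """Reduce a URL or bare host to the lower-cased host the password is bound to.

    Assumption for this example: scheme, port, path and a leading 'www.' are dropped
    so the same site always yields the same password regardless of how it was typed.
    """
    host = urlsplit(site if "://" in site else "//" + site).hostname or ""
    host = host.rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def _byte_stream(key):
    """Unbounded pseudo-random bytes from the derived key (HMAC in counter mode)."""
    i = 0
    while True:
        yield from hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1


def derive_password(master, site, counter=1, length=20):
    """Deterministically derive a site password from the master password.

    The salt binds the result to the domain and to a per-site counter; bump the
    counter to get a fresh password for one site without touching the master.
    """
    domain = canonical_domain(site)
    if not domain:
        raise ValueError(f"cannot determine host name from {site!r}")
    salt = f"{domain}\x00{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    # Rejection sampling: only accept bytes below the largest multiple of the
    # alphabet size, so every symbol is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    out = []
    for b in _byte_stream(key):
        if b < limit:
            out.append(ALPHABET[b % len(ALPHABET)])
            if len(out) == length:
                break
    return "".join(out)


if __name__ == "__main__":
    # Constructed demo values; the master password would normally be prompted for.
    print(derive_password("correct horse battery staple", "https://www.Example.com/login"))
    print(derive_password("correct horse battery staple", "example.com"))  # same value
    print(derive_password("correct horse battery staple", "example.com", counter=2))  # rotated
```

Two caveats follow directly from the design: every derived password falls with the master password, so its strength and the stretching cost carry the whole scheme, and a site that imposes its own composition or length rules needs those rules recorded somewhere, or the derivation will not reproduce the password that site accepted.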
Coming back to changing passwords, it’s far more important to choose a good password in the first place than to change it later.