Q. We are developing new security policies for our offices, and we'd like your recommendation as to how often we should require employees to change their passwords.
A. There are approximately 330 million people in the United States and, according to the Privacy Rights Clearinghouse, nearly 9,000 data breaches affecting U.S. individuals have been reported since 2005 (see privacyrights.org/data-breaches), in which more than 11.2 billion verified identity data records have been stolen — this equates to portions of each American's identity being stolen an average of 34 times since 2005. Because so many logins and passwords are routinely stolen and put up for sale on the dark web, it's probably a good idea to change all your passwords at least once a year, if not more frequently. To be clear, this means you should sit down with your list of passwords each year, log in to every account you have, and change the passwords for each of those accounts. ID thefts don't just occur when outside hackers break into corporate computers; most ID thefts occur from within, such as when a trusted insider copies and sells crucial customer login, password, and identity information on hacker-friendly websites.
Because password management can be such a daunting process, you might want to consider using a password management tool to help you manage and periodically update your passwords. You can choose from among many well-regarded password managers, including 1Password, Dashlane, Keeper, LastPass, LogMeOnce, Password Boss, Sticky Password, and Zoho Vault. Nearly 20 years after its launch, RoboForm (roboform.com; priced starting at $23.88 per year) remains representative of the genre. It is a personal password management tool that can generate and remember passwords, and automatically log you in to your online accounts with a single click. RoboForm for Business (priced starting at $39.95 per year per employee) goes further by providing centralized password management for all your employees. The business version provides role-based access permission levels, which makes password management easier, and produces date- and time-stamped reports on employee account access and usage, so all file download events can be traced to the specific employee(s) who accessed those data.
Another password management tool that caught my eye is SplashID, which offers a free version and a paid version called SplashID Pro (starting at $1.99 per month). To use SplashID, visit splashid.com, select the Create Account option, and follow the prompts to set up your free account. Thereafter, the single password you create to access SplashID can be used to access all your online accounts connected with SplashID via your smartphone. While SplashID is designed more for smartphone use, the SplashID Pro version goes further by syncing your passwords across all your devices. Of course, the act of securing many or all of your accounts with a single master password means even greater care should be taken to protect that master password.
About the author
J. Carlton Collins, CPA, (firstname.lastname@example.org) is a technology consultant, a conference presenter, and a JofA contributing editor.
Submit a question
Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to email@example.com. We regret being unable to individually answer all submitted questions.