Based on a brief review of the literature (in other words, a short Google search), there does not appear to be a lot written about changing all your passwords at one time. In one of its knowledge base articles, Microsoft points out that you should “Change your passwords regularly. This can help keep criminals and other malicious users unaware. The strength of your password will help keep it good for a longer time. A password that is shorter than 8 characters should be considered good only for a week or so, while a password that is 14 characters or longer (and follows the other rules outlined above) can be good for several years.” Now there is an interesting thought: not changing passwords for several years. That is quite different from the concept of changing all your passwords at once and, on top of that, doing it regularly throughout the year.
One thing appears to be clear: The better the quality of the password, the longer its useful life. For example, if you intend to log on to a site only one time and are absolutely not willing to provide any confidential information, then a short password to get you through the door will do. Even a six-character password will take hackers hours or more to break with most technologies. Long before that happens, you will be off the site, never to return.
On the other hand, passwords for confidential corporate, client, customer, and personal financial information should clearly be the best possible. My primary personal bank allows me 20 characters, using all but the special characters. I use all 20. After all, if you are using password management software to create and manage your secure log-ins, then long, randomly generated passwords will be no more difficult to create and use than short ones. And oh, by the way, if you intend to change your passwords regularly, remember that the road to hell is paved with good intentions. Exactly how long has it been since you changed your most secure passwords?
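The two paragraphs above rest on one idea: a password's useful life is a function of its length, the size of its character set, and how fast an attacker can guess. The following Python script is an added example, not code from the author or from K2 Enterprises, that does what a password manager does (generate a uniformly random password from the OS random source) and then estimates how long exhaustive guessing would take. It assumes "all but the special characters" means letters and digits (62 symbols), and the two guess rates (a throttled online login and an offline hash-cracking rig) are constructed placeholders, not measurements; change them to match your own threat model.

```python
import math
import secrets
import string

# Character sets. Assumption: the bank's "all but the special characters"
# means upper/lower-case letters plus digits.
LOWERCASE_ONLY = string.ascii_lowercase                     # 26 symbols
LETTERS_AND_DIGITS = string.ascii_letters + string.digits   # 62 symbols
FULL_PRINTABLE = LETTERS_AND_DIGITS + string.punctuation    # 94 symbols

# Constructed guess rates (assumptions, not measurements):
ONLINE_THROTTLED = 100.0     # guesses/s against a rate-limited login form
OFFLINE_FAST_HASH = 1.0e9    # guesses/s against a leaked, weakly hashed database


def generate_password(length: int, alphabet: str = LETTERS_AND_DIGITS) -> str:
    """Return a uniformly random password of `length` symbols from `alphabet`.

    `secrets` draws from the OS CSPRNG, which is what a password manager must
    use; the `random` module is predictable and unsuitable for secrets.
    """
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length: int, alphabet_size: int,
                           guesses_per_second: float) -> float:
    """Expected time for exhaustive search to hit a uniformly random password.

    On average the attacker tries half the keyspace before succeeding, so the
    estimate is (alphabet_size ** length / 2) / guesses_per_second.
    """
    keyspace = alphabet_size ** length
    return (keyspace / 2) / guesses_per_second


def format_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit (approximate)."""
    units = [("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_time_table(rates=(ONLINE_THROTTLED, OFFLINE_FAST_HASH)) -> list:
    """Rows of (length, alphabet size, entropy bits, [seconds per rate]) for
    the password shapes discussed on the page: 6, 8, 14 and 20 characters."""
    rows = []
    for length, alphabet in [(6, LOWERCASE_ONLY), (8, LETTERS_AND_DIGITS),
                             (14, LETTERS_AND_DIGITS), (20, LETTERS_AND_DIGITS)]:
        size = len(alphabet)
        rows.append((length, size, entropy_bits(length, size),
                     [expected_crack_seconds(length, size, r) for r in rates]))
    return rows


if __name__ == "__main__":
    print("Sample 20-character password:", generate_password(20))
    print(f"{'len':>3} {'alpha':>5} {'bits':>6}  online(100/s)       offline(1e9/s)")
    for length, size, bits, times in crack_time_table():
        print(f"{length:>3} {size:>5} {bits:>6.1f}  "
              f"{format_duration(times[0]):<19} {format_duration(times[1])}")
```

The table makes the page's point concrete from a defender's view: a short lowercase password survives for a while against a throttled login form but falls in well under a second once the attacker has a copy of a weakly hashed password database, whereas a random 20-character alphanumeric password (about 119 bits) is out of reach at either rate, which is why rotating it every few weeks buys little compared with simply never reusing it.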
If you are not using password management software, you are not using secure passwords nor are you administering them securely. There is really nothing else to say on this topic.
My guess (based on teaching contacts with thousands of accountants each year) is that you probably need to change all your passwords at one time, and that that time is now. A fresh start is always available in this game. Starting fresh forgives all the sins of lack of due diligence with respect to managing passwords in the past. Now all those poorly managed passwords (ones written in a little black book and placed in file drawer 2, weak ones, reused ones, and the list goes on) no longer work.
I do have an opinion on whether or not you should make a regular wholesale change of all your passwords, but I don’t intend to publish it until someone responds. If you want to hear my voice, you must speak up.
William C. Fleenor, CPA, CITP, Ph.D.
Shareholder, K2 Enterprises, LLC