Why is Changing Passwords Regularly So Important?
For many, changing passwords isn’t just a best practice; it’s the law.
Regular readers of this newsletter will know that Alberta’s PIPA legislation has been a featured topic here from time to time, and I’ve mentioned PCI-DSS more than once as well. What I want to point out now, however, is that PIPA and PCI-DSS are very different things, and not just because one applies to personal information and the other to payment processing. PIPA is the law, and anyone it applies to must follow it, kind of like a speed limit.
PCI-DSS, on the other hand, is not the law. It’s a set of regulations that are not enforced by police, the RCMP, or other legal bodies. Don’t get me wrong; those regulations are enforced by the banks, so you can still get in serious trouble, but PCI-DSS is not actually a legal framework. It’s like driving with your interior light on; it’s not recommended, but you’re not going to risk a fine by doing so.
Of course, privacy laws like PIPA are much more complicated than traffic laws and interior lights. To make matters more complicated, the PIPA self-assessment guide was “updated” in late 2020, but it was more like a complete overhaul so basically everyone had to start all over.
Without getting into the minutiae of it all, PIPA’s previous assessment guide featured plenty of recommendations but few straight-up legal requirements. The recent update reversed that. Whether it was because the old version was regularly mistaken for simple government guidelines or for some other reason, almost everything is now a requirement and virtually nothing is optional.
So what does all this have to do with changing passwords?
PIPA’s Section 12 focuses on requirements to ensure passwords are robust, with the appropriate number of characters and special characters etc. However, nothing says you need to change your password at regular intervals.
Except don’t forget it’s legislation, so it’s never that easy. Read ahead to Section 16, which requires that all statutory, regulatory, and contractual requirements be documented. That means you are legally required to be aware of, and at least working on a plan for, PCI-DSS compliance (assuming your business accepts plastic as payment).
Combine that with PCI-DSS v4.0’s requirement 8.3.9, which requires you to change your password every 90 days at most (assuming you’re only using a password, with no second factor), and changing your password effectively becomes a legal requirement. This is just one way passwords can be trickier than you might think. They’re very important and need to be chosen properly and protected, but moreover they’re a great reason why you need to understand not just the different pieces of legislation but how they can interact.
If you’re interested in discussing or updating your password policy to ensure you’re compliant with all relevant legislations, contact a TRINUS cybersecurity expert to help take the stress out of your IT.
Twelfth Night is where we’ll find this particular Shakespeare quote: “My stars shine darkly over me: the malignancy of my fate might perhaps distemper yours.”
Be kind, courtesy your friendly neighbourhood cyber-man.