Photo/Illustration: Attendees, including managers of small and midsize firms, learn the importance of password control during a seminar held by the Metropolitan Police Department in Tokyo’s Shinagawa Ward. (Asahi Shimbun file photo)

It is not necessary to change Internet passwords regularly, the communications ministry has decided, rejecting conventional wisdom; it instead advises citizens to use one hard-to-guess password per online account.

The ministry has deleted the line, “Let’s change your password periodically,” from its “information security site for citizens” website, which explains how to use the Internet safely. Since an update in March, the website has instead stated, “No need to change your password periodically.”

The change in official advice was based on a recommendation made by the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the organization in charge of Japan’s online security, in its information security handbook published in late 2016.

“As people have been required to change passwords, they tend to choose ones with simpler character combinations, which are easier to guess,” said an NISC official. “We believe that it is more important to set up complicated passwords and not to reuse them (for more than one system).”

The ministry first called for Internet users to change their passwords periodically in 2003 through its website as a method of limiting damage in the event of a password security breach.

However, the most important thing is to use passwords with at least 10 characters including a combination of letters, numbers, and other symbols to enhance safety, according to the NISC.

The NISC based its recommendation on overseas trends, including research published by the University of North Carolina in 2010.

The research team studied about 7,700 student accounts whose passwords had to be changed every 90 days. When users changed their passwords, they tended to delete just one character or make minor changes such as replacing lower case letters with upper case ones. Such changes were deemed ineffective, as the new passwords were easy to guess from the previous ones.

The National Institute of Standards and Technology, an agency of the U.S. Department of Commerce and an authority on Internet security, released a guideline saying, “We should not require users to change passwords periodically.”

But despite the evidence, not everyone is convinced by the revised recommendations. A Sony Bank Inc. official said, “We know the government’s (new) recommendation, but we will not change our approach of urging people to change their passwords periodically.

“If their passwords are compromised (they will suffer damage). So the best thing is to encourage them to change passwords periodically.”

Keiji Takeda, professor of information security at Keio University, said that if users do not change their passwords regularly, they need to make sure they are using a complicated password and must not reuse the same password for more than one account.

Commonly used simple passwords that should be avoided, such as “123456” and “password,” appear in the annual list of dangerous passwords for 2017 released by U.S. security company SplashData Inc.

“I recommend you make a choice for the data you need to protect and set up a complicated and long password for important data, and change passwords periodically to prevent them from being leaked,” said Takeda.

Ranking of dangerous passwords in 2017

Source: SplashData Inc.

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou