You should change your password every couple of months, right? That used to be what security experts recommended, and many workplaces forced you to come up with new passwords every few weeks.

These days, security experts like Microsoft Security Chief Bret Arsenault say that doesn’t do much good. People tend to just make small alterations to existing passwords because it’s hard to remember so many new ones. In fact, at Microsoft, employees are no longer required to change their passwords every 71 days. The company temporarily set the expiration dates for passwords to a year back in 2019. When they discovered no security problems popped up as a result of the change, they switched to passwords with no expiration date. In a video posted on Microsoft’s website, Arsenault said, “Passwords are inherently insecure and requiring employees to change their corporate password every few months is frustrating and frequently futile.”

According to Arsenault, the problem is that usernames and passwords are “know something/know something.” That means the user has to know two pieces of information, and if anyone else gets that information they can reuse it.

He says the idea of “know something/have something” works better. What he’s talking about is multi-factor authentication. That requires you to enter a code or use an authentication app.

However, he says that’s still a lot of work for most people, so he decided to switch his focus to how to eliminate the need for passwords completely, something he calls “be something,” as opposed to knowing or having something.

Arsenault prefers biometric security like facial recognition and fingerprint readers, both of which are available on newer phones and computers.