FBI offers some poor password advice for online shoppers

Graham Cluley

It’s been a big holiday weekend in the United States, with some folks going crazy ape bonkers over the retail bargains available.

And today is Cyber Monday when online retailers tend to jump on the bandwagon too.

So, it was good to hear that the FBI was going to offer some timely advice for online shoppers over the holiday season.

What was disappointing, however, was the advice they offered when they tweeted this:

Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently. #cyber #blackfriday

I like the advice to use strong passwords (although mentioning that they should also be *unique* passwords that you aren’t using anywhere else would have been helpful).

What I don’t like is the advice that shoppers should change their passwords regularly.

As we have discussed before, regularly changing passwords (unless there’s a good reason to believe a password needs to be changed, such as a weak password, a reused password or a breach) can lead to folks making poor password choices that actually reduce security rather than increase it: a forced change tends to produce a predictable tweak of the old password rather than a genuinely new one.
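To make that failure mode concrete, here is an added example (not code from the original post) of a password-change check that does the two things the paragraph above argues for: it rejects a new password that is only a predictable tweak of an old one (appended or incremented counter, case flip, leet substitutions, one or two edits), and it rejects passwords known to be breached. The leet table, the edit-distance threshold, the minimum length and the breached-hash set are constructed assumptions for illustration; a real deployment would query a compromised-credential feed (for example the Pwned Passwords k-anonymity range API) instead of the inline set.

```python
import hashlib
import re

# Substitutions people commonly apply when told to "change" a password.
# Constructed table for this example; extend as needed.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to the 'core' that survives a lazy rotation:
    lower-case it, drop leading/trailing counters and punctuation,
    then undo leet substitutions."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is the same password, or a predictable mutation of it."""
    if new == old:
        return True
    o, n = normalize(old), normalize(new)
    if o and o == n:            # Password1 -> Password2, p@ssword -> PASSWORD
        return True
    # Summer2016!Zq -> Summer2017!Zq: small edit distance on the raw strings.
    return edit_distance(old.lower(), new.lower()) <= max_edits


def sha1_hex(pw: str) -> str:
    """Upper-case SHA-1 hex, the form breached-password lists are usually keyed by."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a compromised-password feed (assumption: a local set).
BREACHED_SHA1 = {sha1_hex(p) for p in ("Password1", "letmein", "Winter2016!")}


def check_new_password(old: str, new: str, history=(), breached=BREACHED_SHA1,
                       min_len: int = 12) -> str:
    """Return 'ok' or the reason the change must be rejected.
    Checks are ordered cheapest first; thresholds are assumptions."""
    if len(new) < min_len:
        return "too_short"
    if sha1_hex(new) in breached:
        return "breached"
    for previous in (old, *history):
        if is_trivial_rotation(previous, new):
            return "trivial_rotation"
    return "ok"


if __name__ == "__main__":
    # Constructed sample changes: the first three are what forced rotation tends to produce.
    for old, new in [("Password1", "Password2"),
                     ("Summer2016!Zq", "Summer2017!Zq"),
                     ("correct horse battery", "Password1"),
                     ("Summer2016!Zq", "gravel-otter-lamp-42")]:
        print(f"{old!r} -> {new!r}: {check_new_password(old, new, min_len=8)}")
```

The check is deliberately asymmetric with the FBI's advice: it never asks for a change on a schedule, it only intervenes when there is a concrete reason (a breached or trivially derived password), which is exactly the trigger the post recommends.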

You can find out more in this video I made earlier this year:

If you find passwords a burden – consider using password management software like Bitwarden, 1Password, and KeePass to make them safer and easier to remember.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “FBI offers some poor password advice for online shoppers”

  1. An interesting dynamic is that Password Managers – such as LastPass – tell you to change your password – even if it's lovely and strong and unique. If you use LastPass's Security Challenge feature, they bring up an advisory for sites with the text "Regularly updating your passwords is key to good security…"

    1. It has been empirically proven that forced password changes on frequent schedules result in the harm of weaker, shorter passwords.

      Being advised to change your passwords frequently isn't quite the same as forced password changes, but if someone takes that advice seriously, it effectively becomes a forced password change.

      There is also the issue of personal values changing the definition of abstract words. "Frequently" is not an adequate adverb. It's too general to be useful in a semi-official advisory. Frankly, this looks like a lazy copy-and-paste from an old employee handbook.

  2. The problem with not changing passwords "unless there's a good reason to believe that passwords need to be changed – such as having a weak password, password reuse or a breach" is that you may not hear about a breach until many months or years later. Saying it's not a good practice to regularly change passwords is poor advice. As long as strong passwords are used, changing them does ZERO harm.
