FBI offers some poor password advice for online shoppers

It's been a big holiday weekend in the United States, with some folks going crazy ape bonkers over the retail bargains available.

And today is Cyber Monday when online retailers tend to jump on the bandwagon too.

So, it was good to hear that the FBI was going to offer some timely advice for online shoppers over the holiday season.

What was disappointing, however, was the advice they offered when they tweeted this:

Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently. #cyber #blackfriday

I like the advice to use strong passwords (although mentioning that they should also be *unique* passwords that you aren't using anywhere else would have been helpful).

What I don't like is the advice that shoppers should change their passwords regularly.

As we have discussed before, changing passwords on a schedule (rather than for a good reason, such as a weak password, a reused password, or a breach) tends to push folks into poor password choices that actually reduce security rather than increase it.

You can find out more in this video I made earlier this year:

If you find passwords a burden, consider using password management software like Bitwarden, 1Password, or KeePass to make them safer and easier to remember.


4 Responses

  1. John Crowther

    November 29, 2016 at 10:43 am

    An interesting dynamic is that password managers, such as LastPass, tell you to change your password, even if it's lovely and strong and unique. If you use LastPass's Security Challenge feature, they bring up an advisory for sites with the text "Regularly updating your passwords is key to good security…"

  2. Ffty

    November 30, 2016 at 11:05 am

    I'm unfollowing this blog because of the crap here. Password changes cannot do harm.

    • Jonathon, in reply to Ffty

      November 30, 2016 at 9:45 pm

      It has been empirically proven that forced password changes on frequent schedules result in the harm of weaker, shorter passwords.

      Being advised to change your passwords frequently isn't quite the same as forced password changes, but if someone takes that advice seriously, it effectively becomes a forced password change.

      There is also the issue of personal values changing the definition of abstract words. "Frequently" is not an adequate adverb. It's too general to be useful in a semi-official advisory. Frankly, this looks like a lazy copy-and-paste from an old employee handbook.

  3. Dave B.

    December 1, 2016 at 4:31 pm

    The problem with not changing passwords "unless there's a good reason to believe that passwords need to be changed – such as having a weak password, password reuse or a breach" is that you may not hear about a breach until many months or years later. Saying it's not a good practice to regularly change passwords is poor advice. As long as strong passwords are used, changing them does ZERO harm.