Password changes for the sake of it don't improve security, says FTC technologist

They might even be counterproductive and make security worse!


A technologist with the Federal Trade Commission (FTC) argues frequent mandatory password changes don't actually improve security.

Lorrie Cranor, currently a chief technologist at the FTC, cringed when she saw this tweet from her employer back in February:

[Image: FTC tweet]

As quoted by Ars Technica from Cranor's speech at BSides Las Vegas:

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?' I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'"

Lorrie Cranor is no stranger to bringing poor password practices to light. In fact, in the past, she has captured the headlines with her own bad password dress... and security blanket.


And Cranor firmly maintains that frequent mandatory password changes don't improve security. In her mind, they could even be counterproductive by giving users an incentive to choose combinations that are easy to remember and therefore easier to crack.

Researchers from the University of North Carolina at Chapel Hill discovered as much in a study back in 2010 when they developed an algorithm based upon common techniques that account holders use to change their passwords, such as by changing the digit in "password1" to "password2."

They in turn used that algorithm to crack 17 percent of passwords stored in a database of 10,000 expired accounts in fewer than five attempts.
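A defensive counterpart to that finding, as an added example that is not from the article or the study: a check run at password-change time that rejects a new password derived from the old one by the kind of edit described above. It goes beyond the "password1" to "password2" case to cover case changes, look-alike substitutions and small edits; the substitution table, thresholds and function names are assumptions, and it assumes the current password is available because the user has just typed it to authorize the change.

```python
import re

MIN_BASE = 4    # assumed: shortest base word worth comparing
MAX_EDITS = 2   # assumed: edits at or below this count as "the same password"

# Assumed look-alike substitutions; not the transform set from the study.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def skeleton(pw: str) -> str:
    """Reduce a password to a base form that ignores cosmetic edits."""
    pw = pw.lower()
    # Drop leading/trailing digits and punctuation: "password2!" -> "password".
    pw = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    # Undo look-alike substitutions inside what is left: "passw0rd" -> "password".
    return pw.translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is a predictable rewrite of `old` and should be rejected."""
    base_old, base_new = skeleton(old), skeleton(new)
    if len(base_old) >= MIN_BASE and base_old == base_new:
        return True
    return edit_distance(old.lower(), new.lower()) <= MAX_EDITS

# Constructed sample pairs (old password, proposed new password).
SAMPLES = [("password1", "password2"), ("Passw0rd!", "p@ssword2"),
           ("tr0ub4dor&3x", "tr0ub4dor&3y"), ("12345678", "87654321"),
           ("password1", "correct horse battery staple")]

if __name__ == "__main__":
    for old, new in SAMPLES:
        print(f"{old!r} -> {new!r}: reject={is_trivial_variant(old, new)}")
```

The all-digit pair shows why the base-word comparison is skipped when nothing is left after stripping: otherwise every numeric password would look like a variant of every other.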

Cranor is not the only one less than enthused by password changes.

[Image: password change poll]

In a poll conducted by this site, only about 20 percent of respondents agreed with their company's policy that insisted on mandatory password changes. More than half said they were forced to conduct those changes but thought they were "dumb," while a fifth of respondents stated "thank goodness" they didn't have to mandate password changes.

Which brings us back to our central question: should you change your passwords frequently? Graham Cluley made his own opinions clear in this YouTube video:

Ultimately, we feel it's a good idea to select a strong password from the outset and to change a password only if one of the following conditions is met:

  1. You find out your account has been hacked or your credentials successfully phished.
  2. You realize your current password is weak and should be made stronger.
  3. You realize you've been reusing an otherwise strong password across multiple web accounts.

Be sure to read our additional thoughts on this subject.


3 Responses

  1. ben

    August 3, 2016 at 7:21 pm #

    1. You find out your account has been hacked …or your credentials successfully phished.

    OK, but if the account is already hacked, I guess it's too late to change the password? Have I missed something?

    • SJM in reply to ben.

      August 3, 2016 at 9:32 pm #

      Well, the password has been compromised. You need to change it one way or another. Then there's the fact that the majority is reusing that password for other services, then the change is needed.

    • KDH in reply to ben.

      August 4, 2016 at 3:46 pm #

      If you change your passwords monthly and find out you've been hacked, it's also too late to change your password. That's the wrong question. What you should ask is whether your policies make it harder or easier for the hack to occur. The argument is that frequent changes = simpler passwords = more risk of breach.
