FBI offers some poor password advice for online shoppers

# 1, 2, 3, 4. / Password advice is really poor #

Graham Cluley
Graham Cluley
@[email protected]

FBI offers some poor password advice for online shoppers

It’s been a big holiday weekend in the United States, with some folks going crazy ape bonkers over the retail bargains available.

And today is Cyber Monday when online retailers tend to jump on the bandwagon too.

So, it was good to hear that the FBI was going to offer some timely advice for online shoppers over the holiday season.

Sign up to our free newsletter.
Security news, advice, and tips.

What was disappointing, however, was the advice they offered when they tweeted this:

Fbi tweet

Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently. #cyber #blackfriday

I like the advice to use strong passwords (although mentioning that they should also be *unique* passwords that you aren’t using anywhere else would have been helpful).

What I don’t like is the advice that shoppers should change their passwords regularly.

As we have discussed before, regularly changing passwords (unless there’s a good reason to believe that passwords need to be changed – such as having a weak password, password reuse or a breach) can lead to folks making poor password choices that actually reduce security rather than increase it.

You can find out more in this video I made earlier this year:

Should you really change your passwords frequently? | Graham Cluley

If you find passwords a burden – consider using password management software like Bitwarden, 1Password, and KeePass to make them safer and easier to remember.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

4 comments on “FBI offers some poor password advice for online shoppers”

  1. John Crowther

    An interesting dynamic is that Password Managers – such as Lastpass – tell you to change your password – even if it's lovely and strong and unique. If you use Lastpass's Security Challenge feature, they bring up an advisory for sites with the text " Regularly updating your passwords is key to good security…"

  2. Ffty

    I unfollow this blog due to the crap here. Password change cannot harm.

    1. Jonathon · in reply to Ffty

      It has been empirically proven that forced password changes on frequent schedules result in the harm of weaker, shorter passwords.

      Being advised to change your passwords frequently isn't quite the same as forced password changes, but if someone takes that advice seriously, it effectively becomes a forced password change.

      There is also the issue of personal values changing the definition of abstract words. "Frequently" is not an adequate adverb. It's too general to be useful in a semi-official advisory. Frankly, this looks like a lazy copy-and-paste from an old employee handbook.

  3. Dave B.

    The problem with not changing passwords "unless there's a good reason to believe that passwords need to be changed – such as having a weak password, password reuse or a breach" is that you may not hear about a breach until many months or years later. Saying it's not a good practice to regularly change passwords is poor advice. As long as strong passwords are used, changing them does ZERO harm.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.