A technologist with the Federal Trade Commission (FTC) argues frequent mandatory password changes don’t actually improve security.
Lorrie Cranor, currently a chief technologist at the FTC, cringed when she saw this tweet from her employer back in February:
As quoted by Ars Technica from Cranor’s speech at BSides Las Vegas:
“I saw this tweet and I said, ‘Why is it that the FTC is going around telling everyone to change their passwords?’ I went to the social media people and asked them that and they said, ‘Well, it must be good advice because at the FTC we change our passwords every 60 days.'”
Lorrie Cranor is no stranger to bringing poor password practices to light. In fact, in the past, she has captured the headlines with her own bad password dress… and security blanket.
Cranor firmly maintains that frequent mandatory password changes don’t improve security. In her view they can even be counterproductive, because they give users an incentive to choose passwords that are easy to remember and therefore easier to crack.
Researchers from the University of North Carolina at Chapel Hill showed as much in a 2010 study. They built an algorithm from the common tricks account holders use when forced to pick a new password, such as bumping the digit in “password1” to “password2”, and then used it against a database of 10,000 expired accounts.
It cracked 17 percent of those passwords in fewer than five attempts, which is well within the number of tries a typical login lockout allows. In other words, knowing an account’s old password often amounts to knowing its current one.
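The following is an added example written for this page; it is not the UNC researchers’ code and it is not from the article. It models the transform-based approach the study describes: take the old password, apply the small edits people typically make when forced to rotate, and see whether the new password falls within the first few guesses. The transform list and its ordering, the salted-SHA-256 stand-in for the site’s stored hash, and the sample (old, new) pairs are all assumptions constructed for illustration.

```python
"""Transform-based guessing of a rotated password (illustrative, not the study's code)."""
import hashlib
import hmac
import re

# Assumed leetspeak substitutions; one of the transform classes people reach for.
LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"})


def bump_last_number(pw):
    """Increment the last run of digits: password1 -> password2, Summer2015! -> Summer2016!.
    Returns None when the password contains no digits."""
    m = re.search(r"(\d+)(?!.*\d)", pw)
    if not m:
        return None
    digits = m.group(1)
    bumped = str(int(digits) + 1).zfill(len(digits))
    return pw[: m.start()] + bumped + pw[m.end():]


def transforms(pw):
    """Yield candidate new passwords in the order an attacker would try them.
    Assumption: this ordering is a plausible guess, not the study's measured ranking."""
    if not pw:
        return
    yield bump_last_number(pw)           # password1 -> password2
    yield pw + "1"                       # append a digit
    yield pw + "!"                       # append a symbol
    yield pw[:1].upper() + pw[1:]        # capitalise the first letter
    yield pw.translate(LEET)             # leetspeak substitution
    yield pw[-1] + pw[:-1]               # rotate the last character to the front
    yield pw[1:] + pw[0]                 # ... or the first character to the back
    yield re.sub(r"\d+$", "", pw) + "123"  # swap the trailing number for 123


def candidates(old_pw, limit=5):
    """First `limit` distinct transforms of old_pw, never the old password itself."""
    seen = {old_pw}
    out = []
    for cand in transforms(old_pw):
        if cand and cand not in seen:
            seen.add(cand)
            out.append(cand)
            if len(out) == limit:
                break
    return out


def hash_password(pw, salt):
    """Stand-in for the stored verifier (assumption: salted SHA-256).
    A slow hash such as bcrypt or Argon2 makes each guess cost more but does
    nothing about the new password being predictable from the old one."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def guess_rotation(old_pw, salt, stored_hash, limit=5):
    """Return (guess_number, password) if a transform of old_pw matches the
    stored hash within `limit` guesses, otherwise None."""
    for i, cand in enumerate(candidates(old_pw, limit), start=1):
        if hmac.compare_digest(hash_password(cand, salt), stored_hash):
            return i, cand
    return None


# Constructed sample of (old, new) pairs after a forced rotation; not real data.
SAMPLE_ROTATIONS = [
    ("password1", "password2"),
    ("Summer2015!", "Summer2016!"),
    ("hunter2", "Hunter2"),
    ("letmein", "letmein1"),
    ("qwerty99", "correct horse battery"),  # a genuinely new password; should survive
]


def crack_rate(pairs, limit=5):
    """Fraction of accounts whose new password is found within `limit` guesses."""
    salt = b"constructed-per-site-salt"
    hits = 0
    for old, new in pairs:
        if guess_rotation(old, salt, hash_password(new, salt), limit):
            hits += 1
    return hits / len(pairs)


if __name__ == "__main__":
    print(f"cracked {crack_rate(SAMPLE_ROTATIONS):.0%} of rotated passwords in <= 5 guesses")
```

Four of the five constructed accounts fall in five guesses or fewer; only the one whose owner chose something unrelated to the old password survives. The lesson for a defender is that a rotation policy only buys anything if it also stops users from deriving the new password from the old one, which is exactly the behaviour the policy encourages.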
Cranor is not the only one who is less than enthused about mandatory password changes.
In a poll conducted by this site, only about 20 percent of respondents agreed with their company’s policy that insisted on mandatory password changes. More than half said they were forced to conduct those changes but thought they were “dumb,” while a fifth of respondents stated “thank goodness” they didn’t have to mandate password changes.
Which brings us back to our central question: should you change your passwords frequently? Graham Cluley made his own opinions clear in this YouTube video:
Ultimately, we feel it’s a good idea to select a strong password from the outset and to change it only if one of the following conditions is met:
- You find out your account has been hacked or your credentials successfully phished.
- You realize your current password is weak and should be made stronger.
- You realize you’ve been reusing an otherwise strong password across multiple web accounts.
Be sure to read our additional thoughts on this subject.
3 comments on “Password changes for the sake of it don’t improve security, says FTC technologist”
1. You find out your account has been hacked… or your credentials successfully phished.
OK, but if the account is already hacked, I guess it's too late to change the password? Have I missed something?
Well, the password has been compromised. You need to change it one way or another. Then there's the fact that the majority are reusing that password for other services, so the change is needed.
If you change your passwords monthly and find out you've been hacked, it's also too late to change your password. That's the wrong question. What you should ask is whether your policies make it harder or easier for the hack to occur. The argument is that frequent changes = simpler passwords = more risk of breach.