Password changes for the sake of it don’t improve security, says FTC technologist

They might even be counterproductive and make security worse!

David bisson
David Bisson

Repeated passwords

A technologist with the Federal Trade Commission (FTC) argues frequent mandatory password changes don’t actually improve security.

Lorrie Cranor, currently a chief technologist at the FTC, cringed when she saw this tweet from her employer back in February:

Ftc tweet

Sign up to our free newsletter.
Security news, advice, and tips.

As quoted by Ars Technica from Cranor’s speech at BSides Las Vegas:

“I saw this tweet and I said, ‘Why is it that the FTC is going around telling everyone to change their passwords?’ I went to the social media people and asked them that and they said, ‘Well, it must be good advice because at the FTC we change our passwords every 60 days.'”

Lorrie Cranor is no stranger to bringing poor password practices to light. In fact, in the past, she has captured the headlines with her own bad password dress… and security blanket.


And Cranor is a firm advocate that frequent mandatory password changes don’t improve security. In her mind, they could even be counterproductive by giving users an incentive to choose combinations that are easy to remember and therefore easier to crack

Researchers from the University of North Carolina at Chapel Hill discovered as much in a study back in 2010 when they developed an algorithm based upon common techniques that account holders use to change their passwords, such as by changing the digit in “password1” to “password2.”

They in turn used that algorithm to crack 17 percent of passwords stored in a database of 10,000 expired accounts in fewer than five attempts.

Cranor is not the only one to less than enthused by password changes.

Password change poll

In a poll conducted by this site, only about 20 percent of respondents agreed with their company’s policy that insisted on mandatory password changes. More than half said they were forced to conduct those changes but thought they were “dumb,” while a fifth of respondents stated “thank goodness” they didn’t have to mandate password changes.

Which brings us back to our central question: should you change your passwords frequently? Graham Cluley made his own opinions clear in this YouTube video:

Should you really change your passwords frequently? | Graham Cluley

Ultimately, we feel it’s a good idea to select a strong password from the outset and to change a password only if one of the following conditions are met:

  1. You find out your account has been hacked or your credentials successfully phished.
  2. You realize your current password is weak and should be made stronger.
  3. You realize you’ve been reusing an otherwise strong password across multiple web accounts.

Be sure to read our additional thoughts on this subject.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

3 comments on “Password changes for the sake of it don’t improve security, says FTC technologist”

  1. ben

    1 .You find out your account has been hacked …or your credentials successfully phished.

    ok but but if the account is already hacked, I guess it's too late to change the password? have I miss something?

    1. SJM · in reply to ben

      Well the password have been compromised. You need to change it one way or another. Then theres the fact that the majority is reusing that password for other services, then the change is needed.

    2. KDH · in reply to ben

      If you change your passwords monthly and find out you've been hacked, it's also too late to change your password. That's the wrong question. What you should ask is whether your policies makes it harder or easier for the hack to occur. The argument is that frequent changes = simpler passwords = more risk of breach.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.