There’s a lot of emphasis nowadays on having secure passwords, as well as changing passwords often, to keep your information and accounts safe from hackers. Despite what some IT professionals have said in the past, the Federal Trade Commission’s chief technologist has suggested that changing passwords less often will actually keep systems safer.
Lorrie Cranor, chief technologist with the FTC, recently shared her case study and the FTC’s advice to companies that want stronger data security. She said that the FTC’s advice in the past has been to conduct risk assessments, taking into account factors like the sensitivity of the information they collect and the availability of low-cost measures to mitigate risks. The FTC has also advised companies to keep up with security research. Cranor said that what might have been reasonable in 2006 is no longer reasonable in 2016, and she emphasized that keeping up with current security advice matters for exactly that reason.
Cranor conducted research on making passwords more usable and secure, and she wrote that this always prompts a lot of interesting comments and questions.
“People complain about having so many passwords to remember and having to change them all so frequently,” she wrote. “Often, they tell me their passwords (please, don’t!) and ask me how strong they are. But my favorite question about passwords is: ‘How often should people change their passwords?’ My answer usually surprises the audience: ‘Not as often as you might think.’ ”
Cranor said that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily. She said that unless there is a reason to change the password, such as evidence that it has been compromised or shared, changing passwords frequently could actually do more harm than good.
Cranor cited the results of a 2009-2010 study of password histories from defunct accounts at the University of North Carolina at Chapel Hill. Those researchers obtained the passwords to 10,000 defunct accounts whose owners had been required to change their password every three months. The researchers then used password-cracking tools to crack the hashed passwords, meaning the stored passwords had been transformed with a mathematical function called a hash rather than kept in plain text.
Offline attackers aren’t limited to a small number of guesses before an account locks them out. These attackers gain access to a system, steal the hashed password file, and take it elsewhere to make as many guesses as they want. When the researchers tried to break into the accounts, they used a password-cracking system that ran for several months and eventually cracked at least one password that was not the most recent password the user had chosen for that account.
Cranor wrote that the bottom-line results of this long study “are striking.” She said that the UNC researchers found that for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess the next password in fewer than five guesses. An attacker who knows the previous password and also holds the hashed password file, most likely because they stole it, can then carry out an offline attack against the new password.
“These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily,” Cranor wrote.
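A policy that forces expiration but accepts any new password invites exactly the predictable edits the study found: a bumped digit, a swapped case, a character added at the end, the old word reversed. The following is an added example, not the FTC’s or the UNC researchers’ code, of a change-time check a password service could run to reject a new password that is merely a cosmetic variant of the old one. The normalization rules, the edit-distance threshold of 4 and the function names are assumptions for this example; the sample passwords are constructed.

```python
import re
import string
from typing import Optional

# Common character substitutions users make when told to "add a number or symbol".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to its letter core so cosmetic variants compare equal:
    strip digits/symbols appended or prepended, undo leet substitutions, lowercase."""
    core = password.strip(string.digits + string.punctuation + " ")
    core = core.translate(_LEET).lower()
    return re.sub(r"[^a-z]", "", core)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, min_distance: int = 4) -> Optional[str]:
    """Return the reason a proposed new password should be rejected as a
    predictable transformation of the old one, or None if it is acceptable."""
    if new == old:
        return "identical"
    norm_old, norm_new = normalize(old), normalize(new)
    if norm_old:  # an all-digit/all-symbol old password has no letter core to compare
        if norm_new == norm_old:
            return "core letters unchanged"
        if norm_new == norm_old[::-1]:
            return "reversed"
        if len(norm_old) >= 4 and norm_old in norm_new:
            return "old password embedded"
    if levenshtein(old.lower(), new.lower()) < min_distance:
        return "too few character edits"
    return None


if __name__ == "__main__":
    # Constructed examples of the changes a forced-expiration policy tends to produce.
    for old, new in [
        ("Winter2015!", "Winter2016!"),
        ("Passw0rd1", "P@ssword2"),
        ("Monkey42", "24yeknoM"),
        ("Winter2015!", "MyWinter2016"),
        ("Winter2015!", "correct horse battery staple"),
    ]:
        print(f"{old!r} -> {new!r}: {is_predictable_change(old, new) or 'accepted'}")
```

The check only sees the old and new password at change time, so it needs no stored plain text beyond what the change request already carries; it complements, rather than replaces, the decision to drop mandatory expiration that the article goes on to discuss.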
To change or not to change
Where does that leave a user or a company that wants to make sure its passwords are safe? Cranor said that if you have reason to believe your password has been stolen, you should change it, and change it for every account that shares the same password.
“If you shared your password with a friend, change it,” she said. “If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it. If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password.”
Cranor said that depending on a company’s situation, there may be good reasons for it to require users to change their passwords. Before doing so, she suggested assessing the risks and benefits for the organization, as well as alternative ways of increasing security.
“Organizations should weigh the costs and benefits of mandatory password expiration and consider making other changes to their password policies rather than forcing all users to keep changing their passwords,” she said.