There is a lot of emphasis nowadays on having strong passwords, and on changing them often, to keep information and accounts safe from hackers. Despite what some IT professionals have said in the past, the Federal Trade Commission’s chief technologist has suggested that changing passwords less often will actually keep systems safer.
Lorrie Cranor, chief technologist at the FTC, recently shared her case study along with the FTC’s advice to companies that want stronger data security. She said the FTC has long advised companies to conduct risk assessments that take into account factors such as the sensitivity of the information they collect and the availability of low-cost measures to mitigate risks. The FTC has also advised companies to keep up with security research. Cranor said that what might have been reasonable in 2006 is no longer reasonable in 2016, which is why keeping up with current security advice matters.
Cranor has conducted research on making passwords both more usable and more secure, and she wrote that talking about it always prompts a lot of interesting comments and questions.
“People complain about having so many passwords to remember and having to change them all so frequently,” she wrote. “Often, they tell me their passwords (please, don’t!) and ask me how strong they are. But my favorite question about passwords is: ‘How often should people change their passwords?’ My answer usually surprises the audience: ‘Not as often as you might think.’”
Cranor said there is a lot of evidence that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily. Unless there is a specific reason to change a password—such as evidence that it has been compromised or shared—she said, frequent changes could actually do more harm than good.
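As an added example (not code from the article, the FTC or the UNC study), here is a Python check that a password-change handler could run to reject the kind of predictable tweaks described above: incremented numbers, swapped symbols, case flips, leetspeak and reversals. The substitution set, the edit-distance threshold and the sample pairs are assumptions.

```python
import re
_LEET = str.maketrans("@$0134!", "asoleai")  # leetspeak map (assumed set)

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _core(pw: str) -> str:
    """Strip trailing digits/symbols, undo leetspeak, lowercase: 'Summ3r2010!' -> 'summer'."""
    return re.sub(r"[\W\d_]+$", "", pw).translate(_LEET).lower()

def is_predictable_change(old: str, new: str, max_edits: int = 2) -> tuple[bool, str]:
    """Return (True, reason) when `new` is a small, guessable tweak of `old`."""
    if new == old:
        return True, "unchanged"
    if new.lower() == old.lower():
        return True, "case change only"
    if new == old[::-1]:
        return True, "reversed"
    if _core(new) and _core(new) == _core(old):
        return True, "same core word; only suffix, case or leetspeak changed"
    if _edit_distance(old, new) <= max_edits:
        return True, f"within {max_edits} character edits"
    if len(old) >= 4 and (old in new or new in old):
        return True, "one password contains the other"
    return False, "ok"

# Constructed old/new pairs for illustration, not data from the study.
SAMPLE_CHANGES = [
    ("Summer2009!", "Summer2010!"),           # incremented number
    ("Summer2009!", "summer2009#"),           # case flip plus symbol swap
    ("Summer2009!", "Summ3r2009!"),           # leetspeak
    ("Summer2009!", "!9002remmuS"),           # reversed
    ("Correct-Horse", "Correct-Hourse"),      # single-character edit
    ("Summer2009!", "quiet-marble-orbit-7"),  # genuinely new: accepted
]

def screen(changes=SAMPLE_CHANGES) -> list[tuple[str, bool, str]]:
    """Run each pair through the check; True means the change should be rejected."""
    return [(new, *is_predictable_change(old, new)) for old, new in changes]

if __name__ == "__main__":
    for new, rejected, why in screen():
        print(f"{new!r}: {'REJECT' if rejected else 'accept'} ({why})")
```

The old password is available in the clear only at change time, so this comparison belongs in the change handler, not in any stored form.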
Cranor cited the results of a 2009-2010 study by researchers at the University of North Carolina at Chapel Hill of password histories from defunct accounts. The researchers obtained the password histories of 10,000 defunct accounts whose owners had been required to change their password every three months. They then used password-cracking tools on the hashed passwords—the stored passwords had been scrambled with a mathematical function called a hash, so cracking them meant guessing candidates until one produced a matching hash.
Offline attackers aren’t limited to a handful of guesses before being locked out. Such attackers gain access to a system, steal the hashed password file and take it elsewhere, where they can make as many guesses as they want. To model this, the researchers ran a password-cracking system for several months until, for a given account, it had cracked at least one password other than the last one the user created.