
Do we all really need to keep changing our passwords?

The chief technologist at the FTC says frequent password changes can actually harm security, but some security administrators are still pushing back.

Photo: File picture illustration of the word 'password' seen through a magnifying glass on a computer screen, taken in Berlin on May 21, 2013. (Pawel Kopczynski/Reuters/File)

For the seventh time this year, the almost automatic process of logging into the work computer is interrupted by a dialogue box reminder. It's time to think of yet another new password. 

It's complicated. It's annoying. And according to Lorrie Faith Cranor, a password researcher and the Federal Trade Commission's (FTC) chief technologist, it is also unnecessary. 

"It became more and more clear that requiring frequent password changes generally wasn’t helping security and was really annoying users, leading them to less secure behavior," Ms. Cranor tells The Christian Science Monitor in a telephone interview. 

This was not her first opposition to password expiration, nor is she the first to question its effectiveness, but coming from someone in her position, it could herald a small shift in password policy. 

"It’s still in the category of [being] a somewhat radical idea just because so many organizations are still refusing to change,” she says.

Requiring new passwords regularly is a common practice, but not one backed up by security research, Ms. Cranor noted in a blog post contributed to the Monitor's Passcode in March.

"Today, unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases," she wrote. "And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems."

For at least 15 years, "People have been saying it, but the people who have been in charge of making password policies for the most part haven’t been listening," Cranor says.

She described the FTC's reaction to her "radical idea" in a keynote for the BSides security conference in Las Vegas, ArsTechnica reported.

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?' I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'"

FTC security officials wanted supporting research, and she directed them to a 2010 study from the University of North Carolina-Chapel Hill. Researchers analyzed nearly 8,000 old password strings from university accounts and tested their strength against common hacking methods. They found that users who were pestered by constant requests for password changes tended to make only slight "transformations," leaving weak passwords weak and susceptible to hacking.
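As an added illustration (not code from the article or the UNC study), here is a defender-side check a password-change handler could run at the moment it holds both the old and the new password, rejecting changes that are only slight transformations of the previous one. The normalization rules and the two-edit threshold are my assumptions, not figures from the study.

```python
import re
from typing import Optional

# Assumed normalization (not from the UNC study): undo common symbol/digit
# substitutions and strip the digits/punctuation users tack on the ends,
# so "Summer2016!" -> "summer" and "P@ssw0rd1" -> "password".
SYMBOL_SUBS = str.maketrans("@$", "as")
DIGIT_SUBS = str.maketrans("013", "ole")
EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")
MAX_EDITS = 2  # assumed threshold for what counts as a "slight" change


def core(password: str) -> str:
    """Reduce a password to the base word the user is probably reusing."""
    stripped = EDGE.sub("", password.lower().translate(SYMBOL_SUBS))
    return stripped.translate(DIGIT_SUBS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def transformation_reason(old: str, new: str) -> Optional[str]:
    """Explain why `new` is a slight transformation of `old`, or return None
    when it looks genuinely new. Both values come from the change form, so
    no plaintext needs to be stored for this check."""
    if old == new:
        return "new password is identical to the old one"
    old_core, new_core = core(old), core(new)
    if not old_core or not new_core:  # all-digit or all-symbol passwords
        if levenshtein(old.lower(), new.lower()) <= MAX_EDITS:
            return f"within {MAX_EDITS} edits of the old password"
        return None
    if old_core == new_core:
        return "only case, leading/trailing characters or leet substitutions changed"
    if levenshtein(old_core, new_core) <= MAX_EDITS:
        return f"base word is within {MAX_EDITS} edits of the old one"
    if old_core in new_core or new_core in old_core:
        return "one password's base word is contained in the other"
    return None


def is_trivial_transformation(old: str, new: str) -> bool:
    return transformation_reason(old, new) is not None
```

A change handler would call `is_trivial_transformation` before accepting the new value and feed the reason back to the user; pairing it with a breach-list check gives a stronger signal than any expiry interval.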

Although some security professionals have written to Cranor since she began speaking, often with compliments on an idea they have had for years, others were confused about whether they should ever change their password. 

In reality, it is only the requirement to frequently change passwords that these researchers are speaking out against. If a particular password has been shared or somehow compromised, it must be changed, as the Passcode contributors have written in detail. And if a given organization requires users to share their passwords frequently, then administrators may be wise to ask regularly for an updated password.

The idea has some support internationally, as a study from Carleton University in Ottawa, Canada, found the benefits of required password changes "relatively minor at best, and questionable in light of overall costs." The information security authority for the British government released a new advisory against it in its 2015 password guidance, providing further explanation in April.

Pushback remains, however. Many organizations have stopped requiring the frequent password changes, but others have rejected the new idea, saying that removing password expiration risks failing a security audit.

"Until there’s a security standard that says it’s OK not to change passwords all the time, I think some organizations are not going to be comfortable with it," Cranor says.

[Editor's note: This article has been updated to correct the name of the University of North Carolina-Chapel Hill.]
