Do we all really need to keep changing our passwords?
-
Lucy Schouten Staff
For the seventh time this year, the almost automatic process of logging into the work computer is interrupted by a dialogue box reminder. It's time to think of yet another new password.
It's complicated. It's annoying. And according to Lorrie Faith Cranor, a password researcher and the Federal Trade Commission's (FTC) chief technologist, it is also unnecessary.
"It became more and more clear that requiring frequent password changes generally wasn’t helping security and was really annoying users, leading them to less secure behavior," Ms. Cranor tells The Christian Science Monitor in a telephone interview.
This was not her first opposition to password expiration, nor is she the first to question its effectiveness, but coming from someone in her position, it could herald a small shift in password policy.
"It’s still in the category of [being] a somewhat radical idea just because so many organizations are still refusing to change,” she says.
Requiring new passwords regularly is a common practice, but not one backed up by security research, Ms. Cranor noted in blog post contributed to the Monitor's Passcode in March.
"Today, unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases," she wrote. "And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems."
For at least 15 years, "People have been saying it, but the people who have been in charge of making password policies for the most part haven’t been listening," Cranor says.
She described the FTC's reaction to her "radical idea" in a keynote for the BSides security conference in Las Vegas, ArsTechnica reported.
"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?' I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.' "
FTC security officials wanted back-up research, and she directed them to a 2010 study from the University of North Carolina-Chapel Hill. Researchers analyzed nearly 8,000 old password strings from university accounts and tested their strength against common hacking methods. They found that users who were pestered by constant requests for password changes tended to make only slight "transformations," leaving weak passwords weak and susceptible to hacking.
Although some security professionals have written to Cranor since she began speaking, often with compliments on an idea they have had for years, others were confused about whether they should ever change their password.
In reality, it is only the requirement to frequently change passwords that these researchers are speaking out against. If a particular password has been shared or somehow compromised, it must be changed, as the Passcode contributors have written in detail. And if a given organization requires users to share their passwords frequently, then administrators may be wise to ask regularly for an updated password.
The idea has some support internationally, as a study from Carleton University in Ottowa, Canada, found the benefits of required password changes "relatively minor at best, and questionable in light of overall costs." The information security authority for the British government released a new advisory against it in its 2015 password guidance, providing further explanation in April.
Pushback remains, however. Many organizations have stopped requiring the frequent password changes, but others have rejected the new idea, saying that removing password expiration risks failing a security audit.
"Until there’s a security standard that says it’s OK not to change passwords all the time, I think some organizations are not going to be comfortable with it," Cranor says.
[Editor's note: This article has been updated to correct the name of the University of North Carolina-Chapel Hill.]
