Modern field guide to security and privacy

Opinion: Why constantly changing your passwords may not improve security

Requiring frequent password changes in the name of security might not be as effective as previously thought, especially if people are just adding another character onto an old password.


Carolyn Kaster/AP

When people hear that I conduct research on making passwords more usable and secure, everyone has a story to tell and questions to ask. People complain about having so many passwords to remember and having to change them all so frequently. Often, they tell me their passwords (please, don’t!) and ask me how strong they are.

But my favorite question about passwords is: "How often should people change their passwords?" My answer usually surprises the audience: "Not as often as you might think."

Mandated password changes are a long-standing security practice designed to periodically lock out unauthorized people who have learned someone else’s passwords. The Federal Trade Commission has long advised that what was reasonable advice in 2006 may not be reasonable in 2016.

Today, unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.

What actually happens when users are required to change their passwords?

A University of North Carolina at Chapel Hill study from 2009 examined such behaviors. Researchers obtained the passwords to more than 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every three months. For each account, the researchers were given a sequence of four to 15 of the user’s previous passwords.

They observed that users tended to create passwords that followed predictable patterns, called "transformations," such as incrementing a number, changing a letter to a similar-looking symbol (for example, changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example, moving the numbers to the beginning instead of the end).

These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily. The researchers also found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed by applying transformations.
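One defensive use of this finding is a server-side check at password-change time that rejects a candidate which is only a transformation of an earlier password. The example below is added here and is not from the article or the study; the look-alike symbol table and the edit-distance threshold are illustrative assumptions.

```python
import re

# Look-alike swaps of the kind the study describes (for example S -> $);
# this table is an illustrative assumption, not the study's full catalogue.
LEET = str.maketrans("$@!0134578", "saioieastb")


def core(password: str) -> str:
    """Strip digits and punctuation at either end (the parts users add, move or
    tweak), undo look-alike swaps in what is left, ignore case, keep letters."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return "".join(c for c in stripped.translate(LEET).lower() if c.isalpha())


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values mean one or two character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transformation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable tweak of `old` rather than a fresh password."""
    if old.lower() == new.lower():
        return True
    if sorted(old) == sorted(new):          # same characters, reordered
        return True
    c_old, c_new = core(old), core(new)
    if c_old and c_old == c_new:            # same word under the decoration
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def check_password_change(history, candidate):
    """Policy hook: reject a candidate derived from any password in the user's
    history. Returns (accepted, reason). History is assumed to be available in
    a form the service can compare against (for example, at change time)."""
    for old in history:
        if is_transformation(old, candidate):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history, not data from the study.
    print(check_password_change(["password1", "password2"], "password3"))
    print(check_password_change(["password1"], "correct horse battery staple"))
```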

Another study suggests that if an attacker is going to systematically attempt to guess every possible password until they hit the right one, frequent password changes only hamper such attackers a little bit, and probably not enough to offset the inconvenience to users.

When should passwords be changed?

If you have reason to believe your password has been stolen, you should change it. And make sure you change it on all of your accounts where you use the same or a similar password. If you shared your password with a friend, change it. If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it. If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password.

Regardless of why you are changing your password, choose a new password unrelated to the old one and don’t reuse a password from another account. Under some circumstances there may be other steps you should take as well to make sure your system or account has not been compromised in a way that will render your password change ineffective.

As for organizations, the National Institute of Standards and Technology (NIST) encouraged organizations to balance security and usability needs, outlining some factors to consider. NIST emphasized that other aspects of password policies may have greater benefits than mandatory expiration, including requirements for password length and complexity, as well as a well-chosen "salt" – a technique to make sure that if two users have the same password, the passwords won't look the same when they are stored in a kind of shorthand in a database.
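To make the "salt" point concrete, here is an added example (not from the article or NIST) that stores the same password twice, once with a plain hash and once with a per-user random salt and a slow key-derivation function; PBKDF2-HMAC-SHA256 and the record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # illustrative work factor; production deployments use more


def unsalted_record(password: str) -> str:
    """The weak form: identical passwords produce identical stored values,
    so one cracked record reveals every user who chose the same password."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> str:
    """The salted form: a fresh random salt per user, stored beside the key."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, iters, salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def same_stored_value(password: str, salted: bool) -> bool:
    """True if two users choosing `password` end up with identical records."""
    if salted:
        return make_record(password) == make_record(password)
    return unsalted_record(password) == unsalted_record(password)


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    print("unsalted records collide:", same_stored_value("hunter2", salted=False))
    print("salted records collide:  ", same_stored_value("hunter2", salted=True))
```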

Depending on your particular situation, there may be some good reasons to require your users to change their passwords. But it is important to assess the risks and benefits for your organization, as well as alternative ways of increasing security. Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.

Lorrie Cranor is the chief technologist at the Federal Trade Commission. This post was adapted with her permission from a recent blog she wrote. Follow Lorrie on Twitter at @lorrietweet.
