Slashdot Mirror


Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says (arstechnica.com)

Though changing passwords often might seem like a good security practice, in reality that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From ArsTechnica's story: The reasoning behind the advice [of changing passwords often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'" Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe: frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.

9 of 211 comments

  1. when you have to change password frequently by Kkloe · · Score: 3, Insightful

    last password: Spring01
    new password: Spring02

    more than 2 passwords to change now and then; advice from seniors: put them in a txt file on the desktop

  2. Re:Wrong? by beelsebob · · Score: 5, Insightful

    Right, and as this article covers, that's not true. In practice, passwords that don't have to be changed regularly are much stronger, because users are willing to choose a secure password and remember it long term, rather than when they have to change it regularly, they inevitably choose pass0001, and then when they have to change it, choose pass0002, and then pass0003 etc.

  3. Re:Finally! by Bongo · · Score: 3, Insightful

    This is all true but password changes do reveal password compromises.

    And having compromised tomat001 they can go straight onto guessing tomat002.

    Really, why don't banks force everyone to change the PIN on their cards every month?
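The "Spring01 becomes Spring02" and "tomat001 becomes tomat002" pattern the first three comments describe is exactly what an attacker holding an expired password exploits, and what a rotation policy can check for at change time. The following is an added example, not code from the thread or from the research it cites: it generates the cheap successor edits a guesser would try first, uses the same generator as a password-change check that rejects derived passwords, and audits a constructed set of password histories (sample data, not real users). The transform list is a minimal illustration of the habit, not an exhaustive rule set.

```python
import re

SEASONS = ["spring", "summer", "autumn", "winter"]


def _match_case(template, word):
    """Return `word` in the capitalisation pattern of `template` (UPPER, Title or lower)."""
    if template.isupper():
        return word.upper()
    if template[:1].isupper():
        return word.capitalize()
    return word


def _increment_trailing_number(pw):
    """Spring01 -> Spring02, tomat001 -> tomat002; zero padding is preserved."""
    m = re.search(r"\d+$", pw)
    if not m:
        return None
    digits = m.group(0)
    bumped = str(int(digits) + 1).zfill(len(digits))
    return pw[: m.start()] + bumped


def _next_season(pw):
    """Spring01 -> Summer01; the season word is matched case-insensitively."""
    lowered = pw.lower()
    for i, season in enumerate(SEASONS):
        idx = lowered.find(season)
        if idx != -1:
            nxt = SEASONS[(i + 1) % len(SEASONS)]
            original = pw[idx : idx + len(season)]
            return pw[:idx] + _match_case(original, nxt) + pw[idx + len(season):]
    return None


def successor_guesses(old):
    """Candidate next passwords an attacker who knows `old` would try first:
    the habit-driven edits described in the thread (pass0001 -> pass0002)."""
    guesses = set()
    for transform in (_increment_trailing_number, _next_season):
        g = transform(old)
        if g:
            guesses.add(g)
    # Both edits at once: Spring01 -> Summer02 ("season + sequence number" schemes).
    seasoned = _next_season(old)
    if seasoned:
        g = _increment_trailing_number(seasoned)
        if g:
            guesses.add(g)
    # Nothing to bump yet: the user appends a digit or the ubiquitous "!".
    if not re.search(r"\d$", old):
        guesses.update({old + "1", old + "01", old + "!"})
    # Bump a trailing "!" to "!!" and toggle the first letter's case.
    if old.endswith("!"):
        guesses.add(old + "!")
    guesses.add(old[:1].swapcase() + old[1:])
    guesses.discard(old)
    return guesses


def rotation_policy_accepts(old, new):
    """Password-change check: reject a new password that is the old one or a
    cheap edit of it. The old password is available in cleartext here because
    the user has just typed it to authorise the change."""
    if new.lower() == old.lower():
        return False
    return new not in successor_guesses(old)


# Constructed sample histories (not real data): each list is one user's
# successive passwords under a mandatory-rotation policy.
SAMPLE_HISTORIES = [
    ["Spring01", "Spring02", "Spring03"],
    ["tomat001", "tomat002"],
    ["pass0001", "pass0002", "pass0003"],
    ["WinterTime", "winterTime"],
    ["Tq8$mw2pLx!d", "zR4#vb9kNn&q"],  # independent passwords: not predictable
]


def audit_histories(histories):
    """Return (predicted, total): how many changes in the histories produced a
    password that was among the successor guesses of the previous one."""
    predicted = total = 0
    for history in histories:
        for old, new in zip(history, history[1:]):
            total += 1
            if new in successor_guesses(old):
                predicted += 1
    return predicted, total


if __name__ == "__main__":
    hit, n = audit_histories(SAMPLE_HISTORIES)
    print(f"{hit}/{n} rotations predictable from the previous password")
    for old, new in [("Spring01", "Spring02"), ("Spring01", "correct horse battery staple")]:
        verdict = "accepted" if rotation_policy_accepts(old, new) else "rejected"
        print(f"{old!r} -> {new!r}: {verdict}")
```

Running the audit on the constructed histories flags six of the seven changes as predictable; only the user who picked two unrelated random strings would force the attacker back to a full search. The same `successor_guesses` set doubles as the server-side check, which is the practical defence a rotation policy needs if it is kept at all.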

  4. Re:The mandate to change passwords every three mon by Opportunist · · Score: 5, Insightful

    It's the bullet point that is easy to implement that pushes your ITSM score upwards. Changing it every 60 days is B+, changing it every 30 days is A+, hey, if they got another + for it they'd have you change it every 30 minutes. It's a cheap way to "improve" your security score because it requires no work whatsoever from your security management. Servers come with that option built in.

    And while we're at it, same shit with "2 numbers and 3 special characters and at least 30 characters long...". Same bullshit. The longer and more complex the passphrase, the more "+" in your security rating. Why? Doesn't matter. It gives you a better security score. You are winner.

    Management by numbers at its finest.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  5. Special character requirement by crow · · Score: 4, Insightful

    I have several passwords that require a "special" character. I've found it frustrating on the occasions when I need to enter these on my phone, having to switch to the symbols to enter my password. Now if a password requires a special character, I use one that is part of the default keyboard, which limits it to using a period.

    Special character requirements might be fine when using a physical keyboard, but mobile devices change how people will use them.

  6. Re:Finally! by Bongo · · Score: 5, Insightful

    That can be a problem in a corporate environment. I can't tell you how many times I've found a password written on a Post-It note that got taped to the monitor or underneath the keyboard. If the written password was inside a locked overhead cabinet or a wallet that someone carried, access to the network becomes a lot more difficult. Never mind that many Fortune 500 companies have policies against writing passwords down in the first place.

    I wonder how people would behave if the official policy was to write it down and put it in your wallet.

    Most people have to write down their passwords, there is just no way to remember lots of unique passwords. But if policy is "don't write it down", that's like making it policy "don't breathe", and then people will naturally say, gee this policy is idiotic, we'll just have to ignore it. Result is you're training people to ignore your advice.

    If we want people to follow the advice, we have to give reasonable advice that's practical to follow. There's still too much of this, "it's the dumb user", attitude.

  7. password length by Anonymous Coward · · Score: 2, Insightful

    ... not using that password elsewhere and that it is 12 or more characters

    Indeed. It is not the number of possible characters, C, from which the password is created, but the number of characters, N, that the password uses: The number of possible combinations is C^N which is polynomial in C, but exponential in N. (Thus, increases much faster with N than with C.) Adding a few "special" characters doesn't do nearly as much as adding length. That doesn't even really prevent dictionary attacks as most of the time the user only adds a 0, 1 or ! suffix to a simple word-password.

    Per XKCD, use your own easily remembered/typed pass phrase (but not "batteryhorsestaple"!). Damn the sites that insist on using a number and special character but limit you to 6 or 8 characters. You can add a meaningful UC letter, number and special character if they insist: "MySisterHas5ReallyBrattyKids!"

  8. Re:Annoying by RabidReindeer · · Score: 5, Insightful

    You have one and only one password. Either the enemy knows it, and all doors are open, or he doesn't.

    Whether the password changes or not - or how frequently - is immaterial. If the password is known, then you are already pwned.

    Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen - except that in the case of passwords, you could be locking the barn with bandits already inside ready to break security all over again.

    Your efforts are much more profitably employed in protecting your passwords to begin with.

  9. Re:Annoying by TheRaven64 · · Score: 5, Insightful

    Password rotation is intended to prevent against offline attacks. If someone who grabs a copy of your password db can break the hashes in 30 days, then rotating passwords every 30 days is a good defence: by the time someone has found a password, it won't be valid anymore. The problem is that it's a threat model that doesn't really make sense for most organisations.

    --
    I am TheRaven on Soylent News
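Comment 7 (C^N grows exponentially in the length N, only polynomially in the alphabet size C) and comment 9 (rotation only helps if a stolen hash dump cannot be exhausted before the password is retired) are two halves of one calculation. The block below is an added example, not code from the thread: it puts both into numbers for a few policies and compares the time to exhaust each search space against a rotation window. The guess rates are order-of-magnitude assumptions of mine (1e10/s for an unsalted fast hash such as MD5 or NTLM on a GPU rig, 1e5/s for a slow adaptive hash such as bcrypt), as is the 100k-word dictionary size; the rotation window of 30 days comes from comment 9.

```python
import math

SECONDS_PER_DAY = 86_400

# Assumed offline guess rates (orders of magnitude, not measurements).
RATES = {
    "fast unsalted hash (MD5/NTLM), GPU rig": 1e10,
    "slow adaptive hash (bcrypt, high cost)": 1e5,
}


def keyspace_bits(charset_size, length):
    """log2(C^N) = N * log2(C): the exponent N dominates, not the alphabet C."""
    return length * math.log2(charset_size)


def dictionary_suffix_bits(dictionary_words, suffix_variants):
    """Search space for 'dictionary word + short suffix' (word0, word1, word!):
    the attacker enumerates words times suffixes, not characters."""
    return math.log2(dictionary_words * suffix_variants)


def days_to_exhaust(bits, guesses_per_second):
    """Days needed to try every candidate at the given offline guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_DAY


def rotation_outlives_attack(bits, guesses_per_second, rotation_days):
    """Comment 9's model: rotation defends against an offline attack only if the
    dump cannot be exhausted before the password is retired."""
    return days_to_exhaust(bits, guesses_per_second) > rotation_days


# Policies to compare; the dictionary row models comment 7's "simple word
# plus 0, 1 or !" habit with an assumed 100k-word list.
POLICIES = {
    "8 chars, 95-symbol set (complexity rules)": keyspace_bits(95, 8),
    "12 lowercase letters (length only)": keyspace_bits(26, 12),
    "16 lowercase letters (length only)": keyspace_bits(26, 16),
    "100k-word dictionary + 3 suffixes": dictionary_suffix_bits(100_000, 3),
}


def compare(rotation_days=30):
    """Return (policy, rate name, bits, days to exhaust, rotation helps) rows."""
    rows = []
    for policy, bits in POLICIES.items():
        for rate_name, rate in RATES.items():
            rows.append((policy, rate_name, bits,
                         days_to_exhaust(bits, rate),
                         rotation_outlives_attack(bits, rate, rotation_days)))
    return rows


if __name__ == "__main__":
    for policy, rate_name, bits, days, helps in compare():
        print(f"{policy:44s} {rate_name:40s} {bits:5.1f} bits "
              f"{days:14.3g} days  rotation helps: {helps}")
```

Two things fall out of the table. Twelve lowercase letters (56.4 bits) already beat eight characters drawn from the full printable set (52.6 bits), which is comment 7's point in numbers. And at the fast-hash rate, the eight-character complexity policy is exhausted in about eight days, so a 30-day rotation does nothing for it, while the word-plus-suffix habit that rotation encourages falls in seconds even against bcrypt; rotation only "outlives" the attack where the password was long enough or the hash slow enough that it was not needed in the first place.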