Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says (arstechnica.com)
Though changing passwords often might seem like a good security practice, in reality that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From Ars Technica's story: The reasoning behind the advice [of changing passwords often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But as a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'" Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe: frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.
"Frequent password changes lock them out."
I was under the understanding that static passwords were an issue because they are far easier to brute force in a long-term campaign, as well as a couple of other reasons...
Policies that require frequent password changes lead me to:
- pick easy to remember (and therefore easy to guess) passwords
- restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
- Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
- Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.
Frequently changing passwords excludes adherence to most other security good practices.
Use an offline password manager that generates random strong passwords, like keepass.
Be or ben't
Every company I've worked for forced us to change passwords regardless of complexity. So I, and probably everyone else, used a simple phrase with a number to increment. I would have liked it if, when I picked a long, complex, hard to crack password, I'd be rewarded with a longer period before being required to change my password. Would this make sense in practice?
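The comments above describe the pattern that forced rotation produces: a base word with a number that gets incremented, or a suffix that gets swapped. As an added example, not from the article or any commenter, here is a check a password-change handler could run while it still holds both the old and the new cleartext password, flagging a new password that is a predictable transform of the old one; the function names, the two-edit threshold and the sample pairs are my own assumptions.

```python
import re


def mask_digits(pw: str) -> str:
    # Collapse every run of digits to '#', so Summer2016 and Summer2017 look alike.
    return re.sub(r"\d+", "#", pw.lower())


def strip_affixes(pw: str) -> str:
    # Remove leading/trailing digits and symbols: '!Summer2016' -> 'summer'.
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def edit_distance(a: str, b: str) -> int:
    # Plain Levenshtein distance, O(len(a) * len(b)).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_change_reason(old: str, new: str, max_edits: int = 2):
    """Return why `new` is a predictable transform of `old`, or None if it is not."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    if mask_digits(old) == mask_digits(new):
        return "only digits changed"
    core = strip_affixes(old)
    if core and core == strip_affixes(new):
        return "same core word, different prefix/suffix"
    if edit_distance(old.lower(), new.lower()) <= max_edits:
        return f"within {max_edits} edits of old password"
    return None


# Constructed old -> new pairs, the kind of rotation the comments above describe.
SAMPLE_CHANGES = [("Summer2016!", "Summer2017!"), ("Tr0ub4dor&3", "Tr0ub4dor&4"),
                  ("Winter2016", "Summer2016")]


def audit(changes):
    # Evaluate every pair; a None reason means the change is not a trivial variant.
    return [(old, new, trivial_change_reason(old, new)) for old, new in changes]


if __name__ == "__main__":
    for old, new, reason in audit(SAMPLE_CHANGES):
        print(f"{old!r} -> {new!r}: {reason or 'ok'}")
```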