Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says

Though changing passwords often might seem like a good security practice, in reality, that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From ArsTechnica's story: The reasoning behind the advice [of changing password often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days." Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.

Finally!

[mcmonkey]

Policies that require frequent password changes lead me to:
- pick easy to remember (and therefor easy to guess) passwords
- restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
- Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
- Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.

Frequently changing passwords exclude adherence to most other security good practices.

Re:Finally!

[Bongo]

That can be a problem in a corporate environment. I can't tell you how many times I've found a password written on a Post-It note that got taped to the monitor or underneath the keyboard. If the written password was inside a locked overhead cabinet or a wallet that someone carried, access to the network becomes a lot more difficult. Never mind that many Fortune 500 companies have policies against writing passwords down in the first place.

I wonder how people would behave if the official policy was to write it down and put it in your wallet.

Most people have to write down their passwords, there is just no way to remember lots of unique passwords. But if policy is "don't write it down", that's like making it policy "don't breathe", and then people will naturally say, gee this policy is idiotic, we'll just have to ignore it. Result is you're training people to ignore your advice.

If we want people to follow the advice, we have to give reasonable advice that's practical to follow. There's still too much of this, "it's the dumb user", attitude.

Re:Wrong?

[beelsebob]

Right, and as this article covers, that's not true. In practice, passwords that don't have to be changed regularly are much stronger, because users are willing to chose a secure password and remember it long term, rather than when they have to change it regularly, they inevitably choose pass0001, and then when they have to change it, chose pass0002, and then pass0003 etc.

Re:The mandate to change passwords every three mon

[Opportunist]

It's the bullet point that is easy to implement that pushes your ITSM score upwards. Changing it every 60 days is B+, changing it every 30 days is A+, hey, if they got another + for it they'd have you change it ever 30 minutes. It's a cheap way to "improve" your security score because it requires no work whatsoever from your security management. Servers come with that option built in.

And while we're at it, same shit with "2 numbers and 3 special characters and at least 30 characters long...". Same bullshit. The longer and more complex the passphrase, the more "+" in your security rating. Why? Doesn't matter. It gives you a better security score. You are winner.

Management by numbers at its finest.

Re:Annoying

[RabidReindeer]

You have one and only one password. Either the enemy knows it, and all doors are open, or he doesn't.

Whether the password changes or not - or how frequently - is immaterial. If the password is known, then you are already pwned.

Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen - except that in the case of passwords, you could be locking the barn with bandits already inside ready to break security all over again.

You efforts are much more profitably employed in protecting your passwords to begin with.

Can't password expiration be based on complexity?

[CQDX]

Every company I've worked for forced us to change passwords regardless of complexity. So I, and probably everyone else, used a simple phrase with a number to increment. I would have liked it if I picked a long, complex, hard to crack password that I'd be rewarded with a longer period before requiring to change my password. Would this make sense in practice?

Re:Annoying

[TheRaven64]

Password rotation is intended to prevent against offline attacks. If someone who grabs a copy of your password db can break the hashes in 30 days, then rotating passwords every 30 days is a good defence: by the time someone has found a password, it won't be valid anymore. The problem is that it's a threat model that doesn't really make sense for most organisations.