Well, the conventional wisdom says that we should change passwords every two months or so, but Lorrie Cranor, Chief Technologist of the Federal Trade Commission, disagrees. In her blog post titled “Time to rethink mandatory password changes”, Cranor argues that forcing users to change passwords frequently can do more harm than good, and that the problem is not the new passwords per se but “human nature”: people who are made to replace a password they have memorised tend to tweak it rather than choose a genuinely new one. She reiterated these points in a talk at the BSides security conference recently held in Las Vegas.
In her post, Cranor supports her argument with research conducted at the University of North Carolina at Chapel Hill. Working from the password histories of roughly 10,000 defunct accounts belonging to students, faculty and staff, the researchers found that once they had cracked an older password, the newer ones were far easier to crack. The reason is that users derived each new password from the previous one, and did so in predictable ways: changing an upper-case letter to lower case, replacing ‘e’ with ‘3’, or simply adding a couple of characters to the beginning or end of the old password. Citing these findings, Cranor writes that “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”
The UNC study established that, once a previous password was known, the new one could often be recovered in a handful of attempts: for about 17 percent of accounts in fewer than 5 guesses, which is within reach of an online attacker who only gets a few tries before lockout, and for about 41 percent within 3 seconds of offline guessing by an attacker who had stolen the hashed password file, using research hardware that was already ordinary in 2009.
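To make the “predictable tweak” finding concrete, here is a worked Python example written for this article; it is not code from the UNC researchers or from Cranor's post. It generates the kinds of transforms the study describes (case changes, letter-to-digit substitutions, incrementing a trailing year, adding a character or two at either end), chains up to two of them, and hashes each candidate against a stolen hash of the new password. The sample passwords, the transform list and the use of unsalted SHA-256 as the hash are assumptions for illustration only; a real stolen file would use whatever hash the site used, which changes the cost per guess but not the small number of guesses needed. The same candidate generator doubles as a server-side check at password-change time, when the user has just typed the old password, so that a new password which is merely a tweak of it can be rejected.

```python
import hashlib
import itertools
import string

# Leetspeak substitutions of the kind the UNC study lists among predictable tweaks.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
# Characters users commonly bolt onto the start or end of an old password
# (an assumption for this example; the study mined its transforms from real data).
AFFIX_CHARS = string.digits + "!"


def sha256_hex(pw):
    """Unsalted SHA-256 stands in for whatever hash the stolen file used."""
    return hashlib.sha256(pw.encode()).hexdigest()


def case_variants(pw):
    """Lower, upper, capitalised and case-swapped forms (Summer -> summer)."""
    return {pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()}


def leet_variants(pw):
    """Substitute one letter class at a time (e -> 3), plus all substitutions at once."""
    out = set()
    for ch, rep in LEET.items():
        out.add(pw.replace(ch, rep).replace(ch.upper(), rep))
    out.add("".join(LEET.get(c.lower(), c) for c in pw))
    return out


def increment_variants(pw):
    """Bump a trailing number by 1 to 3 (Summer2015 -> Summer2016)."""
    stem = pw.rstrip(string.digits)
    digits = pw[len(stem):]
    if not digits:
        return set()
    return {stem + str(int(digits) + k).zfill(len(digits)) for k in (1, 2, 3)}


def affix_variants(pw):
    """Prepend or append one or two characters (password -> password1, 12password)."""
    out = set()
    for n in (1, 2):
        for combo in itertools.product(AFFIX_CHARS, repeat=n):
            s = "".join(combo)
            out.add(pw + s)
            out.add(s + pw)
    return out


TRANSFORMS = (case_variants, leet_variants, increment_variants, affix_variants)


def tweak_candidates(old, depth=2):
    """Every string reachable from `old` by at most `depth` transforms, in the
    order an attacker would try them: the old password itself, then single
    tweaks, then combinations of two."""
    order, seen, frontier = [old], {old}, [old]
    for _ in range(depth):
        next_frontier = []
        for pw in frontier:
            for transform in TRANSFORMS:
                for cand in transform(pw):
                    if cand not in seen:
                        seen.add(cand)
                        order.append(cand)
                        next_frontier.append(cand)
        frontier = next_frontier
    return order


def guess_new_password(old, target_hash, depth=2):
    """Offline attack: hash each tweak of the cracked old password until one
    matches the stolen hash. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for cand in tweak_candidates(old, depth):
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


def too_similar(old, new, depth=2):
    """Server-side check at password-change time: the user has just supplied the
    old password in plaintext, so reject a new one that is merely a tweak of it."""
    return new in set(tweak_candidates(old, depth))


if __name__ == "__main__":
    old = "Summer2015"      # constructed: the previous password, already cracked
    new = "Summer2016!"     # constructed: the user's "new" password (year bumped, "!" added)
    stolen_hash = sha256_hex(new)  # simulates the entry in a leaked hash file
    found, guesses = guess_new_password(old, stolen_hash)
    print(f"recovered {found!r} after {guesses} guesses")
    print("change policy rejects tweak:", too_similar(old, new))
    print("change policy accepts unrelated:", too_similar(old, "correct horse battery staple"))
```

The attack side only ever tries a few tens of thousands of candidates, which is why the study's offline numbers are measured in seconds rather than hours. The defensive `too_similar` check belongs in the password-change handler, the one place the server legitimately holds the old password in plaintext; it catches the tweaks an attacker would try first, and the transform list should be tuned to what is observed in your own user population.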
The School of Computer Science at Carleton University in Ottawa, Canada, reached similar conclusions in a paper published in March 2015, which found that the security advantages offered by password expiration policies were “relatively minor at best, and questionable in light of overall costs”. The National Institute of Standards and Technology (NIST) had made the same point in a draft publication dated April 2009: password expiration policies frequently frustrate users, who then “tend to choose weak passwords and use the same few passwords for many accounts.”
These findings have not yet been widely accepted or written into organisational security guidelines, so for now a middle path is sensible. Put the effort into choosing strong passwords in the first place and, when a password does have to change, replace it with something entirely unrelated rather than a variation on the old one, since predictable tweaks are exactly what an attacker who already knows the old password will try first. A password manager takes care of remembering many strong, unrelated passwords, which is what makes that approach workable in practice.