Anyone who has worked in an office setting has probably been required to change their work account passwords at regular intervals. This longstanding IT security practice rests on the idea that retiring old passwords limits how long a guessed or stolen password stays useful to an attacker. As security and risk professionals, you know this all too well.
However, according to the Federal Trade Commission’s chief technologist, Lorrie Cranor, the strategy has some major holes. Cranor advises that, “Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.”
Let’s dive into this thought a bit more:
Cranor’s reasoning is that, on the whole, users pick bad passwords. Extensive research agrees: when employees are forced to change their passwords on a regular basis, they put little thought into the new one. A University of North Carolina study found that people tended to create their new password by applying a predictable pattern, called a ‘transformation,’ to the old one, such as incrementing a number or swapping a letter for a similar-looking symbol. The most common, and therefore most predictable, transformations are:
- Changing an S to a $
- Adding or deleting a special character, for example going from three exclamation points at the end of a password to two
- Switching the position of digits or special characters, for example moving the numbers from the end of the password to the beginning
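The three transformation patterns above are concrete enough to check for at password-change time. As an added example (not code from the original post or from the UNC study), the Python below enumerates those transformations of an old password and flags a proposed new password that falls within them. The look-alike symbol map and the set of special characters are assumptions chosen for illustration; the sample passwords are constructed.

```python
import re

# Assumed, illustrative look-alike map (the post's own example is S -> $).
LOOKALIKES = {"s": "$", "a": "@", "o": "0", "i": "1", "e": "3", "t": "7"}
# Assumed set of special characters a user is likely to append or drop.
SPECIALS = "!@#$%^&*"
_SPECIAL_CLASS = "[" + re.escape(SPECIALS) + "]"
_AFFIX = r"[\d" + re.escape(SPECIALS) + "]+"


def symbol_swaps(pw: str) -> set[str]:
    """Letter -> look-alike symbol: every occurrence of one letter (S -> $
    throughout), and each single position on its own."""
    out = set()
    for letter, sym in LOOKALIKES.items():
        swapped = "".join(sym if ch.lower() == letter else ch for ch in pw)
        if swapped != pw:
            out.add(swapped)
    for i, ch in enumerate(pw):
        sym = LOOKALIKES.get(ch.lower())
        if sym:
            out.add(pw[:i] + sym + pw[i + 1:])
    return out


def special_add_remove(pw: str) -> set[str]:
    """Append one special character, or drop one from a trailing run
    (the post's '!!!' -> '!!' case)."""
    out = {pw + s for s in SPECIALS}
    if pw and pw[-1] in SPECIALS:
        out.add(pw[:-1])
    return out


def number_steps(pw: str) -> set[str]:
    """Increment or decrement a trailing number, keeping any specials after it
    and preserving zero padding (Summer2016! -> Summer2017!)."""
    m = re.search(r"(\d+)(" + _SPECIAL_CLASS + r"*)$", pw)
    if not m:
        return set()
    digits, tail = m.group(1), m.group(2)
    head, n = pw[: m.start()], int(digits)
    out = {head + str(n + 1).zfill(len(digits)) + tail}
    if n > 0:
        out.add(head + str(n - 1).zfill(len(digits)) + tail)
    return out


def move_affix(pw: str) -> set[str]:
    """Move a trailing run of digits/specials to the front, or a leading run
    to the end (Summer2016 -> 2016Summer)."""
    out = set()
    m = re.fullmatch(r"(.+?)(" + _AFFIX + ")", pw)
    if m:
        out.add(m.group(2) + m.group(1))
    m = re.fullmatch(r"(" + _AFFIX + r")(.+)", pw)
    if m:
        out.add(m.group(2) + m.group(1))
    return out


def predictable_successors(old: str) -> set[str]:
    """Every transformation of the old password covered above. An attacker who
    has cracked the old one needs at most this many guesses to hit the new one."""
    cands = symbol_swaps(old) | special_add_remove(old) | number_steps(old) | move_affix(old)
    cands.discard(old)
    return cands


def is_predictable_change(old: str, new: str) -> bool:
    """Change-time policy check: True if the new password is a trivial
    transformation of the old one. Needs both plaintexts, which are only
    available at the moment the user submits the change."""
    return new in predictable_successors(old)


if __name__ == "__main__":
    # Constructed sample old/new pairs.
    for old, new in [("Summer2016!", "Summer2017!"),
                     ("Password1", "Pa$$word1"),
                     ("Summer2016", "correct horse battery staple")]:
        verdict = "REJECT" if is_predictable_change(old, new) else "ok"
        print(f"{old!r} -> {new!r}: {verdict} "
              f"({len(predictable_successors(old))} predictable successors)")
```

The check only works at change time, when the user supplies the old password alongside the new one; it cannot be run retroactively against stored hashes. Note how small the candidate set is: for a password like `Password1` it is a few dozen strings, so an attacker holding an expired password has very little guessing to do. A production policy would combine this with a check of the new password against a breached-password list.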
It’s understandable why employees create such predictable passwords when prompted to make regular changes: the results are easy to remember, and users already annoyed at having to juggle so many passwords take the path of least resistance when forced to pick a new one.
Still, changing a password every 60 or 90 days isn’t necessarily worthwhile even when the passwords are strong to begin with, according to recent research out of Carleton University. An attacker who has already obtained the file of hashed passwords can run offline attacks and test very large numbers of guesses. The Carleton research demonstrates mathematically that frequent password changes only minimally hinder such an attacker, not enough to offset the inconvenience to users. And because users tend to choose transformations of the old password, an attacker who cracks an expired password can often guess the current one in a handful of attempts.
With all the mounting evidence, it must be noted that password changes are still important, just not as frequently as had been assumed, and always promptly when there is reason to believe a password has been compromised or shared. Experts have suggested that an interval of six months to a year gives users a better experience and leaves room for strong passwords to be chosen. Additionally, if for whatever reason your company still can’t let go of frequent password changes, password managers such as LastPass and DashLane can help users keep up without falling back on predictable patterns. If one thing can be agreed upon from the research, it is that a strong password to start with is the best defense against cyberattacks.
What are your thoughts? Does your company (or department) require frequent password changes? Do you think this is a good policy to stick to, or are you in the less-frequent camp? Share in our comments!