Frequently changing your password may result in weaker security

Shawn Knight


Ask virtually anyone about best practices as it relates to passwords and, among other tips, you’ll hear repeatedly that it’s a good idea to change your passwords on a regular basis. According to Federal Trade Commission Chief Technologist Lorrie Cranor, however, the latter suggestion may not always be a good idea.

During a recent speaking engagement at the BSides security conference in Las Vegas, Cranor said that when she left Carnegie Mellon University to work for the FTC, she became the owner of six government passwords which she was required to change every 60 days.

She promptly told her FTC superiors that changing passwords on a frequent basis can lead to weaker security. How so, you ask?

Cranor points to a 2010 study from the University of North Carolina at Chapel Hill which looked at 10,000 expired university accounts. The account holders had been required to change their passwords every three months, and rather than come up with a new, entirely random password each time, users would often just make minimal changes to their existing password so they’d be able to remember it more easily.

For example, a password like “Techspot#1” (not including the quotes) frequently transitioned into “tEchspot#1” then “teChspo#1” and so on with each subsequent change. Researchers also noticed that digits would simply be added or incremented with each update.

Armed with this data, researchers developed an algorithm that was able to correctly guess a password 17 percent of the time in fewer than five attempts when simulating an online system that would lock a user out after multiple failed attempts. In a simulated “offline” attack with fast computers, 41 percent of passwords were cracked in less than three seconds.
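A password-change check of the kind these findings argue for, as an added example (not code from the article or the study): it rejects a new password that differs from the current one only by letter case, by trailing digits, or by a small edit. It assumes the check runs at change time, when the user supplies both the current and the new password, so no plaintext history has to be stored; the 0.6 threshold is an assumed policy value.

```python
"""Similarity check for password changes (hypothetical policy, added example).

Runs when the user submits the current and the new password together, so
the comparison needs nothing beyond the credential being replaced.
"""
import re
from difflib import SequenceMatcher

# The study's most common edits were case flips and added/incremented digits.
DIGIT_TAIL = re.compile(r"\d+$")


def _canonical(pw: str) -> str:
    """Fold away letter case and any trailing run of digits."""
    return DIGIT_TAIL.sub("", pw.casefold())


def similarity(old: str, new: str) -> float:
    """Ratio in [0, 1]; 1.0 means identical once canonicalised."""
    return SequenceMatcher(None, _canonical(old), _canonical(new)).ratio()


def rejection_reason(old: str, new: str, max_similarity: float = 0.6):
    """Return None if `new` is acceptable, otherwise a short reason string.

    Checks go from cheapest to most expensive; `max_similarity` is an
    assumed policy threshold, not a value from the study.
    """
    if new == old:
        return "unchanged"
    if new.casefold() == old.casefold():
        return "differs only by letter case"
    if _canonical(new) == _canonical(old):
        return "differs only by case or trailing digits"
    ratio = similarity(old, new)
    if ratio > max_similarity:
        return f"too similar to previous password ({ratio:.0%})"
    return None


if __name__ == "__main__":
    # Constructed sample changes, following the article's example password.
    for candidate in ("tEchspot#1", "Techspot#2", "Techspot#1!", "correct horse battery"):
        print(candidate, "->", rejection_reason("Techspot#1", candidate) or "accepted")
```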

I guess moving forward, experts should clarify that you should change your passwords to something totally different and unique on a regular basis, not just change them, period.

Image courtesy Ruslan Grumble, Shutterstock


 
Not even a little bit surprised.

It would be better to require longer-bit-count passwords that were changed once a year to a password with no more than x% similarity to a previous password. Forcing the every-90-days rule also probably results in more than a few people writing down their passwords.

An even better idea would be to just make them use their RSA fobs for all their passwords, or at least use an encrypted password safe that uses both a password and a keyfile to unlock - and leave access to the keyfile up to the discretion of the employer (employee fired = revoked access to the networked location where the keyfile is stored).
 
Experts do clarify this; if you didn't know that, you're not an expert.

"I guess moving forward, experts should clarify that you should change your passwords to something totally different and unique on a regular basis, not just change them, period."
 
Not just that, but there could be flaws in encryption or backdoors or just new developments in security holes that allow access to data or data transfers (think wiretapping).

Someone whose information is already residing there encrypted and untouched could become compromised by being updated.

It's a dilemma. Do you risk leaving your password the same and being affected by a database breach, or do you update it and risk having your data sniffed?

Security is becoming a really big problem.
 