Ask virtually anyone about best practices as it relates to passwords and, among other tips, you’ll hear repeatedly that it’s a good idea to change your passwords on a regular basis. According to Federal Trade Commission Chief Technologist Lorrie Cranor, however, the latter suggestion may not always be a good idea.
During a recent speaking engagement at the BSides security conference in Las Vegas, Cranor said that when she left Carnegie Mellon University to work for the FTC, she became the owner of six government passwords which she was required to change every 60 days.
She promptly told her FTC superiors that changing passwords on a frequent basis can lead to weaker security. How so, you ask?
Cranor points to a 2010 study from the University of North Carolina at Chapel Hill which looked at 10,000 expired university accounts. The account holders had been required to change their passwords every three months and rather than come up with a new, entirely random password each time, users would often just make minimal changes to their existing password so they’d be able to remember it easier.
For example, a password like “Techspot#1” (not including the quotes) frequently transitioned into “tEchspot#1” then “teChspo#1” and so on with each subsequent change. Researchers also noticed that digits would simply be added or incremented with each update.
Armed with this data, researchers developed an algorithm that was able to correctly guess a password 17 percent of the time in fewer than five attempts when simulating an online system that would lock a user out after multiple failed attempts. In a simulated “offline” attack with fast computers, 41 percent of passwords were cracked in less than three seconds.
I guess moving forward, experts should clarify that you should change your passwords to something totally different and unique on a regular basis, not just change them, period.
Image courtesy Ruslan Grumble, Shutterstock