Change Your Password Once, Not Often

Password entryI got in the habit of changing my password often when I started using UNIX back in the late 1970s. Everyone said, it was “the thing to do,” and I believed it. Security pros are saying something different now, and it is important to look at why.

Lorrie Cranor, Chief Technologist of the US Federal Trade Commission (among other titles), and a well-respected member of the cyber security community posted an article on the FTC blog entitled “Time to rethink mandatory password changes.” Her reasoning and recommendations are sound and research-based. It’s time for a change in how we approach passwords.

When I teach Learning Tree’s System and Network Security Introduction, I ask participants how often they are mandated to change their passwords. Responses range from 14 – 90 days, usually. I tell them a story, of working on a system many years ago, where I was required to change my password every week. I also try to explain to them why companies and agencies require those changes. Part of that explanation is the mythology that it makes passwords somehow “safer.” I’ll mention a better reason below.

Part of the reason I agree with Cranor’s reasoning has to do with complexity, if people are required to change their passwords regularly, the changes will usually be simple updated to the current one, or a “base” password. For instance, they’ll change “$mypassword7” to “$mypassword8” or something similar. She has research to back that up, too. If one uses a complex password (likely kept in password vault) and isn’t required to change it often, it can be quite complex and difficult to guess, making it a better credential. Long, complex passwords are difficult to guess and may take a long time to discover, even if a stored hash of the password is available.

Bruce Schneier said the same thing back in 2010. He even discusses when it is reasonable to change passwords and when it isn’t. Definitely change your password if it has been compromised.

Forced password changing is a good defense against shoulder-surfing and other password capture schemes. The idea is that frequent changes mean the compromised password wouldn’t be valid for a long time. That doesn’t appear to be the same kind of issue it might have been decades ago. Today, though, bad guys might steal thousands of passwords and sell them or use them to raid bank accounts. It is a different ball game.

Your assignment for today is to change your passwords. But change them to complex, random passwords and store them in a password vault (sometimes called a “password manager”). And let the appropriate folks know about Cranor’s article linked above.

How often are you required to change your password? Do you use complex ones (different complex ones for each site, of course) and store them in a password vault? Or do you use a biometric or another type of credential? Let us know in the comments below.

To your safe computing,
John McDermott

Type to search

Do you mean "" ?

Sorry, no results were found for your query.

Please check your spelling and try your search again.