Lorrie Cranor, the Chief Technologist at the Federal Trade Commission, has published new research showing that mandatory password changes may not be a very effective password policy for organizations.
In fact, Cranor concludes that unless you feel that your password has been compromised or shared, “requiring regular password changes may actually do more harm than good in some cases.”
How Mandatory Password Changes Can Be Ineffective
One study Cranor references is “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.” In 2010, researchers at the University of North Carolina found that users tend to create passwords that follow predictable patterns when they are forced to periodically change their password. These patterns are commonly known as “transformations.”
Methods that fall under this pattern of password creation include:
- Adding a series of numbers
- Changing a letter to similar-looking symbols (such as changing an A to @)
- Adding or deleting a special character (such as adding an additional exclamation point at the end)
- Switching the order of digits or special characters (such as moving a number from the beginning to the end)
After making this discovery, the researchers trained their password-cracking algorithm to apply the most likely transformations. They found that for 17% of the accounts they studied, they were able to guess the next password in fewer than 5 guesses if they knew the user’s previous password.
They also found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed when the transformation-cracking method was applied. This means that if a user only applies transformations when changing their password, an attacker who knows the previous password has a very good chance of guessing the new password every time the user changes it.
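One practical mitigation the study points to is rejecting a new password at change time when it is only a transformation of the old one. The check below is an added example for this post, not code from Cranor or the UNC researchers; it reduces both passwords to an alphabetic "core" (look-alike symbols reversed, leading and trailing digits or symbols stripped) and flags the change when the cores are the same or nearly so. The look-alike table and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Reverse common look-alike substitutions (e.g. A -> @). This table is an
# assumption for this example, not the list used in the UNC study.
LEET_TO_PLAIN = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                               "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})


def normalize(password: str) -> str:
    """Collapse a password to its alphabetic core so that two passwords that
    differ only by a predictable transformation map to the same string."""
    core = password.lower()
    # Strip digits/symbols from both ends: moving "2023" from the front to the
    # back, or adding one more "!", must not change the core. A leading
    # look-alike symbol is stripped too, which errs on the side of flagging.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    # Undo look-alike substitutions inside the word, then drop any leftovers.
    core = core.translate(LEET_TO_PLAIN)
    return re.sub(r"[^a-z]", "", core)


def is_trivial_transformation(old: str, new: str, threshold: float = 0.8) -> bool:
    """Return True when `new` is a predictable transformation of `old`, i.e.
    the kind of change an attacker who knows `old` would guess first."""
    if old == new:
        return True
    old_core, new_core = normalize(old), normalize(new)
    if not old_core or not new_core:
        # All-digit or all-symbol passwords have no core; compare raw strings.
        return SequenceMatcher(None, old, new).ratio() >= threshold
    if old_core == new_core:
        return True
    shorter, longer = sorted((old_core, new_core), key=len)
    if len(shorter) >= 6 and shorter in longer:
        return True  # e.g. one core is the other with a word appended
    return SequenceMatcher(None, old_core, new_core).ratio() >= threshold


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Password1", "Password2"), ("P@ssw0rd!", "P@ssw0rd!!"),
                     ("Summer2023", "2023Summer"), ("Summer2023", "correct-horse-battery")]:
        verdict = "REJECT (transformation)" if is_trivial_transformation(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

A check like this belongs in the password-change path alongside length and breach-list checks; it uses only the old password the user has just supplied, so nothing beyond the existing hash needs to be stored.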
When Should You Change Your Password?
Still, Cranor gives plenty of instances when changing your password is a good idea. Some instances include:
- You think your password has been stolen.
- You shared it with someone.
- You think you gave it to a phishing scam.
- Your current password is weak.
All of these are good reasons to change your password. So, it’s not that changing your password is a bad security measure; it’s more that mandatory password changes have the tendency to lead users to make ineffective changes.
What’s the Better Solution?
The National Institute of Standards and Technology (NIST) suggested in a 2009 publication that other password policies may have greater benefits than mandatory expiration, such as requirements for password length and complexity. Multi-factor authentication is another password policy that has been shown to provide additional security.
According to Cranor, it would seem that forcing users to change their passwords is not a particularly effective password policy. Just remember that if you do change your password, you ought to change the password on all of your accounts that use that password. And make sure that it’s something completely different from your old one. For more on password security, read our post How to Create a Secure Password.