Do we all really need to keep changing our passwords?

The chief technologist at the FTC says frequent password changes can actually harm security, but some security administrators are still pushing back. 

Photo: Pawel Kopczynski/Reuters/File. File picture illustration of the word 'password' pictured through a magnifying glass on a computer screen, taken in Berlin May 21, 2013. The chief technologist at the FTC says frequent password changes can actually harm security, but some security administrators are still pushing back.

For the seventh time this year, the almost automatic process of logging into the work computer is interrupted by a dialogue box reminder. It's time to think of yet another new password. 

It's complicated. It's annoying. And according to Lorrie Faith Cranor, a password researcher and the Federal Trade Commission's (FTC) chief technologist, it is also unnecessary. 

"It became more and more clear that requiring frequent password changes generally wasn’t helping security and was really annoying users, leading them to less secure behavior," Ms. Cranor tells The Christian Science Monitor in a telephone interview. 

This was not her first opposition to password expiration, nor is she the first to question its effectiveness, but coming from someone in her position, it could herald a small shift in password policy. 

"It’s still in the category of [being] a somewhat radical idea just because so many organizations are still refusing to change," she says.

Requiring new passwords regularly is a common practice, but not one backed up by security research, Ms. Cranor noted in a blog post contributed to the Monitor's Passcode in March.

"Today, unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases," she wrote. "And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems."

For at least 15 years, "People have been saying it, but the people who have been in charge of making password policies for the most part haven’t been listening," Cranor says.

She described the FTC's reaction to her "radical idea" in a keynote for the BSides security conference in Las Vegas, ArsTechnica reported.

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?' I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.' "

FTC security officials wanted back-up research, and she directed them to a 2010 study from the University of North Carolina-Chapel Hill. Researchers analyzed nearly 8,000 old password strings from university accounts and tested their strength against common hacking methods. They found that users who were pestered by constant requests for password changes tended to make only slight "transformations," leaving weak passwords weak and susceptible to hacking. 
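The UNC finding above is that forced rotation tends to produce a new password that is only a slight edit of the old one. One defensive response is to check, at the moment a user changes their password (when the system briefly holds both the old and the new value in plaintext), whether the new one is a trivial transformation of the old. The Python below is an added illustration and is not code from the article, the FTC, or the UNC study; the transformation categories it tests (case changes, bumped or appended digits and symbols, leetspeak substitutions, reversal, and a general edit-similarity threshold) are assumptions chosen for the example, not the study's taxonomy, and all sample passwords are constructed.

```python
import re
from difflib import SequenceMatcher

# Common character substitutions undone before comparison (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical(pw: str) -> str:
    """Reduce a password to an approximate comparison form: lower-case,
    leading/trailing digits and symbols removed, then leetspeak undone.
    'Winter2016!' and 'winter2017' both become 'winter'."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    core = core.translate(LEET)
    return core or pw.lower()          # all-digit/symbol passwords: compare as-is


def is_trivial_transformation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` looks like a minor edit of `old` (heuristic)."""
    if old.lower() == new.lower():              # identical or case-only change
        return True
    if new.lower() == old.lower()[::-1]:        # reversed
        return True
    if canonical(old) == canonical(new):        # digit bump, leet swap, added symbol
        return True
    # one password is the other with a short prefix or suffix added/removed
    shorter, longer = sorted((old.lower(), new.lower()), key=len)
    if len(longer) - len(shorter) <= 2 and (
        longer.startswith(shorter) or longer.endswith(shorter)
    ):
        return True
    # catch-all: overall edit similarity of the two strings
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def evaluate_change(old: str, new: str) -> tuple[bool, str]:
    """Decide whether to accept a password change; returns (accepted, reason)."""
    if is_trivial_transformation(old, new):
        return False, "new password is a minor variation of the previous one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes a user might submit when forced to rotate.
    for old, new in [("Winter2016!", "Winter2017!"),
                     ("P@ssw0rd1", "Passw0rd2"),
                     ("Summer2016", "Summer2016!!"),
                     ("correcthorse", "batterystaple")]:
        print(f"{old!r:16} -> {new!r:16} {evaluate_change(old, new)}")
```

Rules like these do not make the rotated password strong; they only stop the rotation from being a no-op. The same check is cheap to run against a small history of the user's previous passwords if the system keeps their canonical forms hashed, and it pairs naturally with the article's actual recommendation: change a password when there is reason to believe it was compromised, rather than on a calendar.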

Although some security professionals have written to Cranor since she began speaking, often with compliments on an idea they have had for years, others were confused about whether they should ever change their password. 

In reality, it is only the requirement to frequently change passwords that these researchers are speaking out against. If a particular password has been shared or somehow compromised, it must be changed, as the Passcode contributors have written in detail. And if a given organization requires users to share their passwords frequently, then administrators may be wise to ask regularly for an updated password.

The idea has some support internationally, as a study from Carleton University in Ottawa, Canada, found the benefits of required password changes "relatively minor at best, and questionable in light of overall costs." The information security authority for the British government released a new advisory against it in its 2015 password guidance, providing further explanation in April.

Pushback remains, however. Many organizations have stopped requiring the frequent password changes, but others have rejected the new idea, saying that removing password expiration risks failing a security audit.

"Until there’s a security standard that says it’s OK not to change passwords all the time, I think some organizations are not going to be comfortable with it," Cranor says.

[Editor's note: This article has been updated to correct the name of the University of North Carolina-Chapel Hill.]
