Time To Re-Think Mandatory Password Changes?
Aging, in an attempt to be security-focused policy, could have unintended consequences which put data at risk.
A new blog post by the Federal Trade Commission’s Chief Technologist offers new research and insight on a subject our Managing Partner Dan Hadaway originally brought up all the way back in 2009*: the unintended consequences of mandatory routine password changes.
While it is a common industry practice to require users to change their passwords on a regular basis–usually every 90 days but sometimes as frequently as every 30–in practice this can cause users to select weaker passwords that are easier to remember even as they change, and are equally easy to guess if someone has found one of the previous passwords.
This was the conclusion of a study published by researchers at UNC Chapel Hill which went on to find that if a previous password was known for a site which required regular changes that the new password could be found for 41% of accounts within only three seconds’ work from a password cracking application.
In addition, the study found that users who had to perform frequent password updates were more inclined to use weaker passwords to begin with and they were more likely to write those passwords down–both things which can compromise security and negate the perceived benefits of regular password changes.
The study author concludes by saying that while there may be some justification for such policies in some situations, in others passwords should be changed only when there was reason to: if there was a suspicion the password may have been compromised, if the password had to be given to a friend or a phishing attack was suspected.
Regardless of whether such policies are changed as a result of this study, it is important to be aware that they may not confer as many benefits as has been accepted as common knowledge in the past.
*(Note, the Dan’s New Leaf article we linked to was a re-post of the original article, The Password Manifesto, published in several bank trade magazines in late 2008.)
Original article by Lorrie Cranor, Chief Technologist at the Federal Trade Commission.