Oldest Rule Of Passwords Debunked

Published: Wed, 10 Aug 2016

Since the beginning of time you've been told to change your passwords on a regular basis.  In fact, your school or workplace probably requires it. It's a widely-implemented security recommendation, but apparently it is totally wrong.

The Federal Trade Commission's chief technologist, Lorrie Cranor, busted that myth recently at a security conference in Las Vegas.  It turns out that requiring periodic password changes could end up making your password less secure. The reason is that when most people are required to change their password, they end up using their old password, but they make a small change.

"UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," Cranor said, according to Ars Technica. "They take their old passwords, they change it in some small way, and they come up with a new password."  Cranor is citing UNC research from 2010 that looked at a dataset of 7700 accounts that were required to change their passwords regularly.  Security expert Bruce Schneier agrees. "I've been saying for years that it's bad security advice, that it encourages poor passwords," he wrote on Friday.  

That doesn't mean it's never a good idea to change your password. If your password is part of a major breach, like the one that struck LinkedIn, and you reuse it on other sites (which you shouldn't) then of course you should change it.  Schneier has good advice regarding picking strong passwords and this webcomic suggests a easy-to-remember system. 

Subscribe for Blog Updates

Post Comments
All Comments