Skip to main content
  1. Home
  2. Computing
  3. News

FTC flouts conventional wisdom, says changing passwords often can do harm

Bruce Brown
By

Hacker
hamburg_berlin/Shutterstock
Conventional wisdom takes another hit. For more than 30 years, one of the most common computer security tips has been to change your passwords often. Make them complex, don’t use the same ones over and over, don’t write them on sticky notes pasted to your monitor, and change them regularly. The FTC wants you to forget that last piece of advice, according to Ars Technica.

Speaking at PasswordsCon 2016 last week, Federal Trade Commission Chief Technologist Lorrie Cranor spoke about her own surprise when she left Carnegie Mellon University to work at the FTC. Cranor discovered that not only did the agency tell employees to encourage friends and family to change passwords often, she herself now had six new government passwords that she was required to change every 60 days.

Recommended Videos

Cranor told FTC information and security officers that changing passwords often can lead to weaker security because users make predictable changes hackers can detect with algorithms. Asked for proof of this unexpected assertion, Cranor got it.

Related

In 2010, researchers from the University of North Carolina at Chapel Hill studied 10,000 expired university accounts for which they were able to trace password history. The account holders had been required to change passwords every three months. Most commonly, the users made only minimal changes to their passwords, using detectable patterns. For example, a user might progressively capitalize one letter in a password, advancing to the next letter with each change, for example, “Pumpkin77!,””pUmpkin77!,” and “puMpkin77!.” Another common pattern was to increase a digit when changing, such as “Pumpkin1!,” “Pumpkin2!,” and “Pumpkin3!.” The researchers developed algorithms that could crack accounts before lockout 17 percent of the time.

Additional studies from Canada’s Carleton University, the National Institute of Standards and Technology, and the U.K.’s CESG (Communications-Electronics Security Group) all showed that frequent and mandated password changes inconvenienced users to the point that the users created detectable passwords. In other words, conventional wisdom backfired.

Cranor reported that as a result of her research, the FTC is gradually changing internal procedures away from required password changes.

The advice to change passwords makes sense if all users create long, complex passwords with, for example, more special characters than letters or digits. Most people, however, take the easier route and use easy to remember passwords and change them when required in detectable patterns.

Editors' Recommendations

Topics
Bruce Brown
Bruce Brown
Contributing Editor
Digital Trends Contributing Editor Bruce Brown is a member of the Smart Homes and Commerce teams. Bruce uses smart devices…
It’s time to stop believing these PC building myths
Hyte's Thicc Q60 all-in-one liquid cooler.

As far as hobbies go, PC hardware is neither the cheapest nor the easiest one to get into. That's precisely why you may often run into various misconceptions and myths.

These myths have been circulating for so long now that many accept them as a universal truth, even though they're anything but. Below, I'll walk you through some PC beliefs that have been debunked over and over, and, yet, are still prevalent.
Liquid cooling is high-maintenance (and scary)

Read more
AMD’s next-gen CPUs are much closer than we thought
AMD Ryzen 7 7800X3D held between fingertips.

We already knew that AMD would launch its Zen 5 CPUs this year, but recent motherboard updates hint that a release is imminent. Both MSI and Asus have released updates for their 600-series motherboards that explicitly add support for "next-generation AMD Ryzen processors," setting the stage for AMD's next-gen CPUs.

This saga started a few days ago when hardware leaker 9550pro spotted an MSI BIOS update, which they shared on X (formerly Twitter). Since then, Asus has followed suit with BIOS updates of its own featuring a new AMD Generic Encapsulated Software Architecture (AGESA) -- the firmware responsible for starting the CPU -- that brings support for next-gen CPUs (spotted by VideoCardz).

Read more
AMD Zen 5: Everything we know about AMD’s next-gen CPUs
The AMD Ryzen 5 8600G APU installed in a motherboard.

AMD Zen 5 is the next-generation Ryzen CPU architecture for Team Red and is slated for a launch sometime in 2024. We've been hearing tantalizing rumors for a while now and promises of big leaps in performance. In short, Zen 5 could be very exciting indeed.

We don't have all the details, but what we're hearing is very promising. Here's what we know about Zen 5 so far.
Zen 5 release date and availability
AMD confirmed in January 2024 that it was on track to launch Zen 5 sometime in the "second half of the year." Considering the launch of Zen 4 was in September 2022, we would expect to see Zen 5 desktop processors debut around the same timeframe, possibly with an announcement in the summer at Computex.

Read more