FTC flouts conventional wisdom, says changing passwords often can do harm

Conventional wisdom takes another hit. For more than 30 years, one of the most common computer security tips has been to change your passwords often. Make them complex, don’t use the same ones over and over, don’t write them on sticky notes pasted to your monitor, and change them regularly. The FTC wants you to forget that last piece of advice, according to Ars Technica.

At PasswordsCon 2016 last week, Federal Trade Commission Chief Technologist Lorrie Cranor spoke about her own surprise when she left Carnegie Mellon University to work at the FTC. Cranor discovered that not only did the agency tell employees to encourage friends and family to change passwords often, but she herself now had six new government passwords that she was required to change every 60 days.

Cranor told FTC information and security officers that changing passwords often can lead to weaker security because users make predictable changes hackers can detect with algorithms. Asked for proof of this unexpected assertion, Cranor got it.

In 2010, researchers from the University of North Carolina at Chapel Hill studied 10,000 expired university accounts for which they were able to trace password history. The account holders had been required to change passwords every three months. Most commonly, the users made only minimal changes to their passwords, using detectable patterns. For example, a user might progressively capitalize one letter in a password, advancing to the next letter with each change: “Pumpkin77!,” “pUmpkin77!,” and “puMpkin77!.” Another common pattern was to increase a digit when changing, such as “Pumpkin1!,” “Pumpkin2!,” and “Pumpkin3!.” The researchers developed algorithms that could crack accounts before lockout 17 percent of the time.
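The two patterns described above can be caught on the defender's side at password-change time. The following is an added example, not code from the UNC study or the FTC: it assumes the change form collects the current password alongside the new one, so both are briefly available in memory, and the function names and the two-edit threshold are illustrative choices.

```python
import re

DIGIT_RUN = re.compile(r"\d+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_change(old: str, new: str, max_edits: int = 2):
    """Name the predictable pattern linking old -> new, or return None."""
    if old == new:
        return "identical"
    old_l, new_l = old.lower(), new.lower()
    if old_l == new_l:
        return "case-shift"      # Pumpkin77! -> pUmpkin77!
    # Mask every digit run; if the rest matches, only the numbers moved.
    if DIGIT_RUN.search(old) and DIGIT_RUN.sub("#", old_l) == DIGIT_RUN.sub("#", new_l):
        return "digit-change"    # Pumpkin1! -> Pumpkin2!
    # Catch-all for other near-copies (threshold is an assumption).
    if edit_distance(old_l, new_l) <= max_edits:
        return "small-edit"
    return None


def accept_new_password(old: str, new: str) -> bool:
    """Accept only when the new password is not a trivial variant of the old."""
    return classify_change(old, new) is None


if __name__ == "__main__":
    # Constructed samples, using the passwords quoted in the article.
    for old, new in [("Pumpkin77!", "pUmpkin77!"), ("Pumpkin1!", "Pumpkin2!"),
                     ("Pumpkin77!", "violet-anchor-quarry-84")]:
        print(old, "->", new, ":", classify_change(old, new))
```

A check like this only sees the immediately preceding password, so it complements rather than replaces dropping the forced-rotation schedule the article discusses.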

Additional studies from Canada’s Carleton University, the National Institute of Standards and Technology, and the U.K.’s CESG (Communications-Electronics Security Group) all showed that frequent and mandated password changes inconvenienced users to the point that the users created detectable passwords. In other words, conventional wisdom backfired.

Cranor reported that as a result of her research, the FTC is gradually changing internal procedures away from required password changes.

The advice to change passwords makes sense if all users create long, complex passwords with, for example, more special characters than letters or digits. Most people, however, take the easier route: they use easy-to-remember passwords and, when required to change them, do so in detectable patterns.

Bruce Brown