FTC flouts conventional wisdom, says changing passwords often can do harm

Conventional wisdom takes another hit. For more than 30 years, one of the most common computer security tips has been to change your passwords often. Make them complex, don’t use the same ones over and over, don’t write them on sticky notes pasted to your monitor, and change them regularly. The FTC wants you to forget that last piece of advice, according to Ars Technica.

Speaking at PasswordsCon 2016 last week, Federal Trade Commission Chief Technologist Lorrie Cranor spoke about her own surprise when she left Carnegie Mellon University to work at the FTC. Cranor discovered that not only did the agency tell employees to encourage friends and family to change passwords often, she herself now had six new government passwords that she was required to change every 60 days.

Cranor told FTC information and security officers that changing passwords often can lead to weaker security because users make predictable changes hackers can detect with algorithms. Asked for proof of this unexpected assertion, Cranor got it.

In 2010, researchers from the University of North Carolina at Chapel Hill studied 10,000 expired university accounts for which they were able to trace password history. The account holders had been required to change passwords every three months. Most commonly, the users made only minimal changes to their passwords, using detectable patterns. For example, a user might progressively capitalize one letter in a password, advancing to the next letter with each change: “Pumpkin77!,” “pUmpkin77!,” and “puMpkin77!.” Another common pattern was to increment a digit when changing, such as “Pumpkin1!,” “Pumpkin2!,” and “Pumpkin3!.” The researchers developed algorithms that could crack accounts before lockout 17 percent of the time.

Additional studies from Canada’s Carleton University, the National Institute of Standards and Technology, and the U.K.’s CESG (Communications-Electronics Security Group) all showed that frequent and mandated password changes inconvenienced users to the point that the users created detectable passwords. In other words, conventional wisdom backfired.

Cranor reported that as a result of her research, the FTC is gradually changing internal procedures away from required password changes.

The advice to change passwords makes sense if all users create long, complex passwords with, for example, more special characters than letters or digits. Most people, however, take the easier route: they use easy-to-remember passwords and, when required to change them, do so in detectable patterns.

Bruce Brown
Digital Trends Contributing Editor Bruce Brown is a member of the Smart Homes and Commerce teams. Bruce uses smart devices…