Skip to main content
  1. Home
  2. Computing
  3. News

FTC flouts conventional wisdom, says changing passwords often can do harm

Bruce Brown
By

Hacker
hamburg_berlin/Shutterstock
Conventional wisdom takes another hit. For more than 30 years, one of the most common computer security tips has been to change your passwords often. Make them complex, don’t use the same ones over and over, don’t write them on sticky notes pasted to your monitor, and change them regularly. The FTC wants you to forget that last piece of advice, according to Ars Technica.

Speaking at PasswordsCon 2016 last week, Federal Trade Commission Chief Technologist Lorrie Cranor spoke about her own surprise when she left Carnegie Mellon University to work at the FTC. Cranor discovered that not only did the agency tell employees to encourage friends and family to change passwords often, she herself now had six new government passwords that she was required to change every 60 days.

Cranor told FTC information and security officers that changing passwords often can lead to weaker security because users make predictable changes hackers can detect with algorithms. Asked for proof of this unexpected assertion, Cranor got it.

In 2010, researchers from the University of North Carolina at Chapel Hill studied 10,000 expired university accounts for which they were able to trace password history. The account holders had been required to change passwords every three months. Most commonly, the users made only minimal changes to their passwords, using detectable patterns. For example, a user might progressively capitalize one letter in a password, advancing to the next letter with each change, for example, “Pumpkin77!,””pUmpkin77!,” and “puMpkin77!.” Another common pattern was to increase a digit when changing, such as “Pumpkin1!,” “Pumpkin2!,” and “Pumpkin3!.” The researchers developed algorithms that could crack accounts before lockout 17 percent of the time.

Additional studies from Canada’s Carleton University, the National Institute of Standards and Technology, and the U.K.’s CESG (Communications-Electronics Security Group) all showed that frequent and mandated password changes inconvenienced users to the point that the users created detectable passwords. In other words, conventional wisdom backfired.

Cranor reported that as a result of her research, the FTC is gradually changing internal procedures away from required password changes.

The advice to change passwords makes sense if all users create long, complex passwords with, for example, more special characters than letters or digits. Most people, however, take the easier route and use easy to remember passwords and change them when required in detectable patterns.

Editors' Recommendations

The M1 has a major security loophole that Apple can’t patch

Apple M1 processor on a mainboard.

AMD Ryzen 7000 can draw almost as much power as Intel

AMD Ryzen 7000 processor being installed inside a MSI motherboard.

Big tech firms are teaming up to banish passwords for good

Silhouette of male hand typing on laptop keyboard at night.

What is a Raspberry Pi and what can I do with it in 2022?

Raspberry Pi computer.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

Best Walmart TV deals for July 2022

lg 55 inch oled 4k tvs deal walmart class b8 tv

The best new shows to stream on Netflix, Hulu, HBO, and more

Two characters from Westworld season 4 walking at a party.

Best QLED TV Deals: Get a 55-inch for $340

55 inch samsung uhd 7 series q60 qled 4k tvs amazon deal 49 tv 720x720

Best Headphone Deals: Beats, Bose and Sony from $150

A woman wearing the Apple AirPods Max.

Best OLED TV deals for July 2022: LG and Sony

55 inch lg um7300 uhd 4k tv b9 oled c9 amazon discounts 2 4 768x768

Best new movies to stream on Netflix, Hulu, Prime, HBO, and more

The cast of Disney Plus's Rise.

Best Projector Deals: Save on Nebula, LG, and more

BenQ TK800 Projector Review

Best TV Deals for July 2022

Vizio OLED TV