DATA DOCTORS

The downside to mandatory password changes

Aug 11, 2016, 5:57 PM

(AP Photo/Damian Dovarganes, File)...

Q: Is requiring users to regularly change their passwords a good idea?

Many cybersecurity professionals refer to passwords as the weakest link in security, primarily because of the human element.

Most systems require users to include upper and lower case letters, at least one number, and in some cases, at least one special character.

Human behavior is highly predictable to sophisticated attackers, and when left to their own devices, average users create weak passwords that are easy to break, because choosing a strong one is simply not an intuitive process.

With this in mind, many researchers are suggesting that forcing users to regularly change their passwords, which is common in corporate settings, can actually encourage the creation of weaker passwords.

Creating strong passwords for each of your accounts is hard enough, so forcing users to regularly come up with new ones tends to create an environment where human nature takes over.

It makes technical sense

From a purely technical viewpoint, regularly changing passwords makes sense, as it renders compromised passwords useless, but it ignores the reality that humans are involved.

Several researchers have published studies over the years warning of the unintended consequences of regularly forced password changes. One of the more prominent figures to speak out on this common practice is Lorrie Cranor, Chief Technologist for the FTC.

Her FTC blog post titled “Time to rethink mandatory password changes” points to a UNC research paper showing that, when regularly required to change passwords, users tend to use predictable patterns the researchers call “transformations” (such as simply incrementing a trailing number).

Cyber thieves know that this behavior is common and use password cracking tools that, given a compromised old password, guess the most probable new passwords derived from it.

This common human behavior can render the technical benefit of forced password changes useless, because pattern recognition can actually make cracking the “new” password easier over time.
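The defensive counterpart to what the column describes is a password-change check that refuses the predictable “transformations” (incrementing a trailing number, reversing, appending a symbol, swapping letters for look-alike digits) instead of accepting them. The following is an added example, not code from the column, the FTC or the UNC paper; the substitution table, the 0.8 similarity threshold and the sample passwords are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Look-alike substitutions users commonly apply to a base word (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(pw: str) -> str:
    """Reduce a password to its core word: drop trailing digits/symbols
    (the part people increment), then fold case and look-alike substitutions."""
    core = re.sub(r"[^A-Za-z]+$", "", pw)
    return core.lower().translate(LEET)


def is_predictable_change(old: str, new: str, max_ratio: float = 0.8):
    """Return (rejected, reason). Flags a new password that is a routine
    transformation of the old one; it does not judge strength otherwise."""
    o, n = old.lower(), new.lower()
    if n == o:
        return True, "identical to the old password (ignoring case)"
    if n == o[::-1]:
        return True, "old password reversed"
    ob, nb = base_word(old), base_word(new)
    if ob and ob == nb:
        return True, "same base word, only trailing digits/symbols changed"
    if len(ob) >= 4 and ob in nb:
        return True, "old base word reused inside the new password"
    if n.startswith(o) or o.startswith(n):
        return True, "characters only appended or removed"
    # Fallback: generic similarity of the two strings (0.0 = unrelated, 1.0 = equal).
    ratio = SequenceMatcher(None, o, n).ratio()
    if ratio >= max_ratio:
        return True, f"too similar to the old password (similarity {ratio:.2f})"
    return False, "accepted"


if __name__ == "__main__":
    # Constructed sample changes a user might submit after a forced rotation.
    old_pw = "Summer2016"
    for candidate in ["Summer2017", "6102remmuS", "mySummer!!",
                      "Winter2016", "correct horse battery staple"]:
        rejected, why = is_predictable_change(old_pw, candidate)
        print(f"{old_pw!r} -> {candidate!r}: {'REJECT' if rejected else 'ok'} ({why})")
```

A policy like this complements, rather than replaces, a blocklist of commonly breached passwords; it only closes the specific loophole that rotation opens.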

When you should change passwords

Large scale data compromises seem to be in the news just about every week, and whenever a company that you do business with has been compromised, you should immediately change your password.

Likewise, if your company knows that an outsider may have gained access to their network, forcing everyone to change their passwords is a no-brainer.

If you discover your computer has been infected with malware, change your online passwords as a precaution, either from another computer or after your computer has been disinfected, especially since one infection often leads to many others.

Better security measures

Since data breaches and malware are a fact of life these days, assuming that your password is going to be compromised at some point is a good strategy.

Activating two-factor authentication or login approvals (How to set up password fraud alerts) on all of your online accounts provides you with an extra layer of protection when the inevitable occurs.

Virtually every major online service offers this protection and it’s far more effective than regularly changing your passwords because it prevents thieves from gaining access even if they do steal your passwords.
