Can Changing Your Passwords Too Often Backfire?
If it means you use dumb passwords, the answer may be “yes”
How many times have you sat in front of your computer trying to come up with yet another password iteration? You changed it three months ago. Now your company wants you to change it again. So you tack on “1” to what you used before, or add “spring” in front of it.
A password-related study from the University of North Carolina at Chapel Hill gathered more than 10,000 defunct accounts from students, faculty and staff who had been required to reset their passwords every three months. The researchers then ran password-cracking tools against those accounts.
The researchers were able to crack about 60 percent of the passwords — and those frequent required changes may have made it easier.
“I have heard from many users that they include the month (and sometimes year) of the password change in their passwords as an easy way to remember frequently changed passwords,” wrote Lorrie Cranor, FTC Chief Technologist, in a blog post.
The research confirmed that users kept using variations of old passwords, such as adding a number, changing a letter to a similar-looking symbol (e.g. S vs. $), adding or deleting a special character, or switching the order of the digits.
Cranor asks, based on this research, whether we should rethink mandatory password changes and update the current security advice. “What was reasonable in 2006 may not be reasonable in 2016,” she wrote.
If an attacker already knows your password, there’s a very good chance he or she can guess your next one in less than five attempts, according to the UNC researchers.
Related research from Carleton University shows frequent password changes hamper hackers for just a little while. And by changing your password often, you essentially give the hackers more opportunities to guess it correctly.
Cranor advises companies to “weigh the costs and benefits of mandatory password expiration and consider making other changes to their password policies rather than forcing all users to keep changing their passwords.”
One good reason to reset your password: You think it’s been compromised. Change your passwords on all accounts that use the same or similar password, advises Cranor. When in doubt, follow your gut and change it.
When you do change it, make sure to choose a combination unrelated to your old password.
Weak passwords may be less of an issue in the future as more workplaces begin to use two-factor authentication (2FA), says Maarten Bron, director of innovations in the transaction security division at UL.
“Security specialists often refer to password authentication as so-called single factor authentication: a single factor — something the user knows — is used to authenticate him or her,” says Bron. “A more secure approach to authentication is two-factor authentication, abbreviated as 2FA.
“A debit card payment for instance is authenticated with two factors: something the user knows (his PIN) and something the user has (the debit card itself). Many apps and websites nowadays also offer 2FA as a more secure way of logging in. The second factor is a code sent either through SMS or generated by a special authenticator app. Even if your password gets compromised, fraudsters cannot get access to your account.
“The use of fingerprint technology in smartphones is also an example of secure 2FA authentication. Consumers will benefit from the ease of fingerprint scanning combined with the security of 2FA account access,” Bron says.