Changing your password regularly and forcing your employees to change theirs may make you feel more secure, but it does not make your accounts more secure, according to Federal Trade Commission (FTC) chief technologist Lorrie Cranor. Cranor challenged the common position, formerly held by the FTC, that frequent password updates are necessary to secure accounts, and won.
An internal discussion among executives at the FTC was set off by an agency tweet (posted by @FTC on January 27, 2016) early this year, shortly after Cranor left Carnegie Mellon University to join the commission.
“The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor explained during a keynote speech at the BSides security conference, as quoted by Ars Technica. “They take their old passwords, they change it in some small way, and they come up with a new password.”
Using the observed transformations, the researchers developed an algorithm that cracked 17 percent of the passwords in fewer than five attempts, and an offline attack on superfast computers recovered 41 percent of the passwords within three seconds.
The UNC research was published in 2010.
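As an added defender-side illustration (not code from the article or from the UNC study), the check below rejects a new password that is only a small transformation of the old one, which is the failure mode Cranor describes; the leet-substitution table and the 0.8 similarity threshold are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Common "leet" substitutions to undo before comparing (constructed list, not exhaustive).
LEET = str.maketrans("@04$51!37", "aoassliet")


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions: 'P@ssw0rd' -> 'password'."""
    return pw.lower().translate(LEET)


def core(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then normalize: 'Summer2016!' -> 'summer'."""
    stripped = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw)
    return normalize(stripped)


def is_transformation(old: str, new: str, min_ratio: float = 0.8):
    """Return (True, reason) when `new` is a small edit of `old`, else (False, 'ok').

    Assumed policy: a password change is rejected if the new password is unchanged,
    keeps the same core word (only case, digits or symbols changed), is the old one
    reversed, or is otherwise too similar to the old one after normalization.
    """
    if new == old:
        return True, "unchanged"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return True, "same core word: only case, digits or symbols changed"
    if normalize(new) == normalize(old)[::-1]:
        return True, "old password reversed"
    ratio = SequenceMatcher(None, normalize(old), normalize(new)).ratio()
    if ratio >= min_ratio:
        return True, f"too similar to old password (similarity {ratio:.2f})"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sample password changes: the first four should all be rejected.
    for old_pw, new_pw in [("Password1", "Password2"), ("Summer2016!", "summer2017!"),
                           ("Password1", "P@ssw0rd1!"), ("Password1", "1drowssaP"),
                           ("Summer2016!", "Tr0ub4dor&3")]:
        print(f"{old_pw!r} -> {new_pw!r}: {is_transformation(old_pw, new_pw)}")
```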
The U.K.’s Communications-Electronics Security Group (CESG) published an article in April, “The problems with forcing regular password expiry,” advising against the practice. NIST has also advised against forced regular password expiry (PDF), but has since drawn on Office of Management and Budget (OMB) authentication guidelines to assert that single sign-on methods are appropriate only for “Level 2” (PDF) authentication risks, with multi-factor and other modern methods required for higher-risk accounts and actions.
The FTC, and the U.S. government in general, are adapting, but slowly.
“I’m happy to report that for two of my six government passwords, I don’t have to change them anymore,” Cranor said. “We’re still working on the rest.”
IT professionals experiencing frustration with legacy attitudes about data and network security can find helpful resources, like this comic strip, to help make their case.