Changing your password regularly is a terrible idea, and here's why

starbuck

Malware Removal Specialist - Administrator


Making users change their passwords frequently could actually make systems less secure, the UK's information security agency has warned.

Most administrators force users to change their password at regular intervals -- every 30, 60, or 90 days, for example.
But this carries no real benefits as stolen passwords are generally exploited immediately, said CESG, the IT security arm of surveillance agency GCHQ.

In a post explaining the thinking behind its recommendation that organisations should stop forcing users to frequently change their passwords, CESG said that we are all suffering from password overload: most password policies force us to use passwords that we find hard to remember, that are as long as possible, and as 'random' as possible.

"And while we can manage this for a handful of passwords, we can't do this for the dozens of passwords we now use in our online lives," it said.

If users are forced to change passwords they will mostly choose something that is a slight variation on the original one, or one that they have used elsewhere, or a weaker one.
These behaviours can be exploited, CESG said: attackers can often work out the new password, if they have the old one.

Regularly changed passwords are more likely to be written down (another vulnerability) or forgotten, which means lost productivity for users and a pain for the help desk that has to reset it.

"It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn't, it turns out, stand up to a rigorous, whole-system analysis," CESG said.

Not forcing regular password expiry reduces the vulnerabilities associated with regularly expiring passwords while doing little to increase the risk of long-term password exploitation, CESG added.

According to CESG, the use of compromised passwords is better combated by monitoring logins to detect unusual use and notifying users with details of logins, so that they can report any for which they were not responsible.

CESG is not alone in calling for the end of expiring passwords.
Lorrie Cranor, chief technologist at the Federal Trade Commission, made a similar point recently when she said: "Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely."


Source:
http://www.zdnet.com/article/changing-your-password-regularly-is-a-terrible-idea-and-heres-why/


I can actually see the reasoning behind this.
 
This is something I have long believed is true and have complained about often to those sites that demand it, but rarely is anything ever done. In fact, in most cases, the reply is clearly canned. So sadly, I don't believe much will come of this.

I do believe in strong passwords with mixed-case, alphanumeric and special characters. But some sites don't even allow special characters - which I think is silly. I also believe it is best to have a unique password for every site - but I don't follow my own advice there. :blush:
 
I have never felt comfortable letting a browser keep my passwords safe. So I never let them. I do, however, use a password safe so I only have to remember one master password - which is good because I have over 400 entries in it!
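The article's alternative to forced expiry is to monitor logins for unusual use and tell users the details so they can report logins that were not theirs. Here is an added example of that idea, not code from the article or from CESG: it runs over a few constructed log lines (the log format, user names and IP addresses are assumptions) and produces one notification for each successful login from a source the user has never used before.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article). One event per line:
# timestamp, user, source IP, country code and result. Addresses are documentation ranges.
SAMPLE_LOG = """\
2016-05-10T08:02:11Z user=alice ip=192.0.2.10 country=GB result=success
2016-05-10T08:15:42Z user=bob ip=192.0.2.44 country=GB result=success
2016-05-11T09:01:03Z user=alice ip=192.0.2.10 country=GB result=success
2016-05-12T03:27:55Z user=alice ip=198.51.100.7 country=RU result=failure
2016-05-12T03:28:10Z user=alice ip=198.51.100.7 country=RU result=success
2016-05-12T10:00:00Z user=bob ip=192.0.2.44 country=GB result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<cc>\S+) result=(?P<result>\S+)$"
)

def parse_log(text):
    """Parse the assumed log format into dicts, oldest event first; malformed lines are skipped."""
    events = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    return sorted(events, key=lambda e: e["ts"])  # ISO-8601 UTC stamps sort lexically

def detect_unusual_logins(events):
    """Return one notification per successful login from an (ip, country) the user has not
    used before. A user's first successful login only seeds the baseline and is not flagged.
    Failed attempts from the same address just before the success are counted as context."""
    known = defaultdict(set)            # user -> {(ip, country)} seen on successful logins
    failures = defaultdict(int)         # (user, ip) -> failed attempts since last success
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            failures[(ev["user"], ev["ip"])] += 1
            continue
        prior_failures = failures.pop((ev["user"], ev["ip"]), 0)
        source = (ev["ip"], ev["cc"])
        if known[ev["user"]] and source not in known[ev["user"]]:
            alerts.append({
                "user": ev["user"], "time": ev["ts"], "ip": ev["ip"], "country": ev["cc"],
                "failures_before_success": prior_failures,
                "message": (f"New login to your account at {ev['ts']} from {ev['ip']} "
                            f"({ev['cc']}). If this was not you, please report it."),
            })
        known[ev["user"]].add(source)
    return alerts

if __name__ == "__main__":
    for alert in detect_unusual_logins(parse_log(SAMPLE_LOG)):
        print(alert["message"])
```

Only alice's login from the unfamiliar address is reported; her routine logins and bob's are not, which is the "notify on unusual use, not on a calendar" behaviour the article describes.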
 