Changing Passwords Periodically Doesn’t Increase Security

Does your organization or some financial website require you to create a new password periodically? This practice was recommended long ago, but some organizations haven’t kept up with current recommendations that discourage such policies. If you’re bound by a password expiration policy, you can use this article to encourage your IT department or financial institution to update its approach to password security.

The rationale behind password expiration policies was that if an attacker were to steal a password database and crack some of the passwords, they would work for only a limited period, lessening the risk of unauthorized access. Even if an attacker gained access to an account, they could remain undetected only if they didn’t change the password, and that access wouldn’t last indefinitely.

Over time, security experts realized that the problem wasn’t so much how long an attacker could remain undetected but allowing users to set weak passwords that could be cracked. It turns out that users often choose weaker passwords when they know they will have to change them, perhaps by tweaking a previous password for easier memorization. This fact hasn’t been lost on attackers, and it makes it easier for them to guess future passwords from a previous one. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

The National Institute of Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government, which large corporations and other institutions tend to follow. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.

Of course, if there’s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately—that’s entirely different from requiring passwords to be changed on a schedule.

Interestingly, NIST also doesn’t recommend password composition requirements—such as requiring the password to contain a letter, number, and special character—because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Password managers can generally create both types.

If you’re forced to change a website password periodically, it’s easiest to use a password manager to generate and enter a new strong password, so you won’t have to memorize it. For the very few passwords you must remember and type manually, aim for longer passwords that won’t trip up your fingers while typing or require numerous switches between the iPhone’s uppercase and numeric keyboards. To aid memorization, consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong in their own right, but only you would know the categories used for each portion.

(Featured image based on an original by iStock.com/designer491)

