March 14, 2016 By Larry Loeb 2 min read

The chief technologist of the Federal Trade Commission (FTC), Lorrie Cranor, would like to talk to IT managers about passwords. It seems, she said, that “what was reasonable in 2006 may not be reasonable in 2016.”

That is certainly true of many things in IT, but it may be particularly relevant for passwords. Cranor has published research on this and related topics in the past, but the latest information on password requirements could come as a surprise to many.

The Problem With Password Strength

Cranor found that when people are forced by IT policy to change passwords on a regular basis, they don’t put a lot of cognitive effort into choosing the new ones. She concluded that “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” she said.

She noted that even if a password is compromised, just changing it does not guarantee security. The security problems that allowed the compromise to occur in the first place would be unaffected by just a simple password change; a new password won’t fix the problem.

Research Studies

One of the studies Cranor recommended was performed by the University of North Carolina, titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.”

Completed in 2010, researchers found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed by applying a cracking approach called transformation. Once an attacker realizes a user is applying a transformation to change the password, that attacker has a good chance of being able to crack the password every time it changes.

This makes sense: If a user changes one letter to refresh a password when required, attackers will assume the user will continue to use the same transformation method no matter how many password changes occur. This routine transformation approach is why Cranor said new passwords will end up like the old passwords.

She also cited a National Institute of Standards and Technology (NIST) publication from 2009 on enterprise password management. NIST emphasized that other aspects of password policies — password strength, for example — may have bigger benefits than mandatory expiration.

What’s the Answer?

What does Cranor end up recommending for passwords? Simply put, don’t depend on strong passwords alone to protect sensitive information. She likes the use of multifactor authentication as a better method of gaining security. Other major vendors such as Amazon agree with that approach.

In short, Cranor seems fairly certain that forcing regular password changes alone won’t cut the security mustard anymore.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today