The chief technologist of the Federal Trade Commission (FTC), Lorrie Cranor, would like to talk to IT managers about passwords. It seems, she said, that “what was reasonable in 2006 may not be reasonable in 2016.”

That is certainly true of many things in IT, but it may be particularly relevant for passwords. Cranor has published research on this and related topics in the past, but the latest information on password requirements could come as a surprise to many.

The Problem With Password Strength

Cranor found that when people are forced by IT policy to change passwords on a regular basis, they don’t put a lot of cognitive effort into choosing the new ones. She concluded that “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” she said.

She noted that even if a password is compromised, just changing it does not guarantee security. The security problems that allowed the compromise to occur in the first place would be unaffected by just a simple password change; a new password won’t fix the problem.

Research Studies

One of the studies Cranor recommended was performed by the University of North Carolina, titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.”

Completed in 2010, researchers found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed by applying a cracking approach called transformation. Once an attacker realizes a user is applying a transformation to change the password, that attacker has a good chance of being able to crack the password every time it changes.

This makes sense: If a user changes one letter to refresh a password when required, attackers will assume the user will continue to use the same transformation method no matter how many password changes occur. This routine transformation approach is why Cranor said new passwords will end up like the old passwords.

She also cited a National Institute of Standards and Technology (NIST) publication from 2009 on enterprise password management. NIST emphasized that other aspects of password policies — password strength, for example — may have bigger benefits than mandatory expiration.

What’s the Answer?

What does Cranor end up recommending for passwords? Simply put, don’t depend on strong passwords alone to protect sensitive information. She likes the use of multifactor authentication as a better method of gaining security. Other major vendors such as Amazon agree with that approach.

In short, Cranor seems fairly certain that forcing regular password changes alone won’t cut the security mustard anymore.

More from

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk…

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

How Do Threat Hunters Keep Organizations Safe?

Neil Wyler started his job amid an ongoing cyberattack. As a threat hunter, he helped his client discover that millions of records had been stolen over four months. Even though his client used sophisticated tools, its threat-hunting technology did not detect the attack because the transactions looked normal. But with Wyler’s expertise, he was able to realize that data was leaving the environment as well as entering the system. His efforts saved the company from suffering even more damage and…

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…