The chief technologist of the Federal Trade Commission (FTC), Lorrie Cranor, would like to talk to IT managers about passwords. It seems, she said, that “what was reasonable in 2006 may not be reasonable in 2016.”
That is certainly true of many things in IT, but it may be particularly relevant for passwords. Cranor has published research on this and related topics in the past, but the latest information on password requirements could come as a surprise to many.
The Problem With Password Strength
Cranor found that when people are forced by IT policy to change passwords on a regular basis, they don’t put a lot of cognitive effort into choosing the new ones. She concluded that “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.
“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” she said.
She noted that even if a password is compromised, just changing it does not guarantee security. The security problems that allowed the compromise to occur in the first place would be unaffected by just a simple password change; a new password won’t fix the problem.
One of the studies Cranor recommended was performed by the University of North Carolina, titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.”
Completed in 2010, researchers found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed by applying a cracking approach called transformation. Once an attacker realizes a user is applying a transformation to change the password, that attacker has a good chance of being able to crack the password every time it changes.
This makes sense: If a user changes one letter to refresh a password when required, attackers will assume the user will continue to use the same transformation method no matter how many password changes occur. This routine transformation approach is why Cranor said new passwords will end up like the old passwords.
She also cited a National Institute of Standards and Technology (NIST) publication from 2009 on enterprise password management. NIST emphasized that other aspects of password policies — password strength, for example — may have bigger benefits than mandatory expiration.
What’s the Answer?
What does Cranor end up recommending for passwords? Simply put, don’t depend on strong passwords alone to protect sensitive information. She likes the use of multifactor authentication as a better method of gaining security. Other major vendors such as Amazon agree with that approach.
In short, Cranor seems fairly certain that forcing regular password changes alone won’t cut the security mustard anymore.