March 14, 2016 By Larry Loeb 2 min read

The chief technologist of the Federal Trade Commission (FTC), Lorrie Cranor, would like to talk to IT managers about passwords. It seems, she said, that “what was reasonable in 2006 may not be reasonable in 2016.”

That is certainly true of many things in IT, but it may be particularly relevant for passwords. Cranor has published research on this and related topics in the past, but the latest information on password requirements could come as a surprise to many.

The Problem With Password Strength

Cranor found that when people are forced by IT policy to change passwords on a regular basis, they don’t put a lot of cognitive effort into choosing the new ones. She concluded that “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” she said.

She noted that even if a password is compromised, just changing it does not guarantee security. The security problems that allowed the compromise to occur in the first place would be unaffected by just a simple password change; a new password won’t fix the problem.

Research Studies

One of the studies Cranor recommended was performed by the University of North Carolina, titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.”

Completed in 2010, researchers found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed by applying a cracking approach called transformation. Once an attacker realizes a user is applying a transformation to change the password, that attacker has a good chance of being able to crack the password every time it changes.

This makes sense: If a user changes one letter to refresh a password when required, attackers will assume the user will continue to use the same transformation method no matter how many password changes occur. This routine transformation approach is why Cranor said new passwords will end up like the old passwords.

She also cited a National Institute of Standards and Technology (NIST) publication from 2009 on enterprise password management. NIST emphasized that other aspects of password policies — password strength, for example — may have bigger benefits than mandatory expiration.

What’s the Answer?

What does Cranor end up recommending for passwords? Simply put, don’t depend on strong passwords alone to protect sensitive information. She likes the use of multifactor authentication as a better method of gaining security. Other major vendors such as Amazon agree with that approach.

In short, Cranor seems fairly certain that forcing regular password changes alone won’t cut the security mustard anymore.

More from

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

How a new wave of deepfake-driven cybercrime targets businesses

5 min read - As deepfake attacks on businesses dominate news headlines, detection experts are gathering valuable insights into how these attacks came into being and the vulnerabilities they exploit.Between 2023 and 2024, frequent phishing and social engineering campaigns led to account hijacking and theft of assets and data, identity theft, and reputational damage to businesses across industries.Call centers of major banks and financial institutions are now overwhelmed by an onslaught of deepfake calls using voice cloning technology in efforts to break into customer…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today