The chief technologist of the Federal Trade Commission (FTC), Lorrie Cranor, would like to talk to IT managers about passwords. It seems, she said, that “what was reasonable in 2006 may not be reasonable in 2016.”

That is certainly true of many things in IT, but it may be particularly relevant for passwords. Cranor has published research on this and related topics in the past, but the latest information on password requirements could come as a surprise to many.

The Problem With Password Strength

Cranor found that when people are forced by IT policy to change passwords on a regular basis, they don’t put a lot of cognitive effort into choosing the new ones. She concluded that “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” she said.

She noted that even if a password is compromised, just changing it does not guarantee security. The security problems that allowed the compromise to occur in the first place would be unaffected by just a simple password change; a new password won’t fix the problem.

Research Studies

One of the studies Cranor recommended was performed by the University of North Carolina, titled “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.”

Completed in 2010, researchers found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed by applying a cracking approach called transformation. Once an attacker realizes a user is applying a transformation to change the password, that attacker has a good chance of being able to crack the password every time it changes.

This makes sense: If a user changes one letter to refresh a password when required, attackers will assume the user will continue to use the same transformation method no matter how many password changes occur. This routine transformation approach is why Cranor said new passwords will end up like the old passwords.

She also cited a National Institute of Standards and Technology (NIST) publication from 2009 on enterprise password management. NIST emphasized that other aspects of password policies — password strength, for example — may have bigger benefits than mandatory expiration.

What’s the Answer?

What does Cranor end up recommending for passwords? Simply put, don’t depend on strong passwords alone to protect sensitive information. She likes the use of multifactor authentication as a better method of gaining security. Other major vendors such as Amazon agree with that approach.

In short, Cranor seems fairly certain that forcing regular password changes alone won’t cut the security mustard anymore.

More from

What to know about new generative AI tools for criminals

3 min read - Large language model (LLM)-based generative AI chatbots like OpenAI’s ChatGPT took the world by storm this year. ChatGPT became mainstream by making the power of artificial intelligence accessible to millions.The move inspired other companies (which had been working on comparable AI in labs for years) to introduce their own public LLM services, and thousands of tools based on these LLMs have emerged.Unfortunately, malicious hackers moved quickly to exploit these new AI resources, using ChatGPT itself to polish and produce phishing…

The importance of Infrastructure as Code (IaC) when Securing cloud environments

4 min read - According to the 2023 Thales Data Threat Report, 55% of organizations experiencing a data breach have reported “human error” as the primary cause. This is further compounded by organizations now facing attacks from increasingly sophisticated cyber criminals with a wide range of automated tools. As organizations move more of their operations to the cloud, they must also become increasingly aware of the security risks and threats that come with it. It’s not enough anymore to simply have a set of…

Data never dies: The immortal battle of data privacy

4 min read - More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile. Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere. When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights…

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution? Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task. In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each…