A mantra among those who regularly use the internet for most of anything goes a little something like this: “Change your password every few months/weeks to keep your accounts safe.” It seems simple and makes sense: with new, rotating passwords, it should be harder for information thieves the gain access to your private information. But the Federal Trade Commission’s Chief Technologist, Carnegie Mellon University’s Professor Lorrie Cranor, disagrees with this theory.
At last week’s BSides security conference in Las Vegas, Cranor elaborated on her point, which spawned after seeing the advice given out by the FTC itself. “I went to the social media people and asked them that,” Cranor explained. “They said, ‘Well, it must be good advice because at the FTC we change our passwords every 60 days’.” The misdirection was more than enough to set the alarm bells ringing in Cranor’s mind.
A password researcher by profession, Cranor said that the danger of changing passwords so often rests within the fact that changing passwords often leaves vulnerability when it comes to coming up with complex combinations for your account’s protection. Citing a study from the University of North Carolina at Chapel Hill that explored over 10,000 expired accounts for patterns: “The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” said Cranor. “They take their old passwords, they change it in some small way, and they come up with a new password.”
What’s more, the researchers were able to create a way to predict the patterns of passwords — an action not out of the ordinary when a script can be designed to do just that. Ultimately, the algorithm cracked 17 percent of the accounts in fewer than five attempts.
Cranor’s way of thinking is slowly making a difference, most recently at the FTC. “I’m happy to report that for two of my six government passwords, I don’t have to change them anymore,” she joked.