Passwords are incredibly important, which is why almost EVERYTHING you access requires them. They are the first line of defense for your data. Best practices for password creation tell us to include a combination of lower and upper case letters, numbers, and special symbols, and the more random, the better.
If you value your company’s security, you certainly have password rules for your staff, including regularly scheduled password changes. However, requiring frequent password changes can dilute your network security instead of strengthening it. The folks at Wired.com explain the details.
As FTC Chief Technologist—and Carnegie Mellon computer science professor—Lorrie Cranor recently outlined*, the weight of recent research agrees that when people are forced to change their passwords on the regular, they don’t put a whole lot of mental muscle behind it. Instead, Cranor notes, according to one UNC study, people “tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
Admit it, that sounds familiar, even to you IT specialists, right? If not, you are a password hero worthy of praise and emulation. For the rest of us though, it’s an all too familiar way to survive the regularly scheduled slog. It’s also perfectly understandable given how our brains work.
“I understand [password security], I care about it, and I still find it really difficult to have to create a new password,” Cranor tells WIRED. “What we’re asking people to do is to come up with something that’s unpredictable. By definition, something that’s new and crazy and unpredictable is going to be hard for me to remember, and maybe even come up with in the first place.”
Still, we shouldn’t not do the right thing just because it’s hard, you might say. Fair enough! Unfortunately, changing passwords every 60 or 90 days isn’t even necessarily the right thing when those passwords are strong, according to recent research out of Carleton University. If we all excelled at switching up our digital deterrents, it wouldn’t actually help all that much.
“Today, attackers who have access to the hashed password file can perform offline attacks and guess large numbers of passwords,” Cranor writes for the FTC. “The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit—probably not enough to offset the inconvenience to users.”
That’s right! Even following the frequent password change protocol correctly doesn’t do a whole lot of good.
That doesn’t necessarily mean never changing passwords at all. “With a strong password, there is little to be gained from having to change it every few months,” says password security expert and author of Perfect Passwords Mark Burnett. “Six months to a year will result in a better experience for users and allow for stronger passwords.” Just imagine the sanity gained by going a whole year without a single password-change prompt. Think of the morale boost alone!
* To read the full FTC report, click here.
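The transformations the UNC study lists above can be checked for mechanically on the defender's side, at the moment a user submits a password change, since that is the one point where both the old and the new value are available in plaintext. The Python below is an added example, not code from Wired, the FTC or the studies cited; the leetspeak table, the pattern names and the two-edit threshold are illustrative assumptions.

```python
import string

# Letter-for-symbol swaps of the kind the UNC study cites (S -> $).
# This table is an illustrative assumption, not one taken from the study.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "7": "t"})
LETTERS, DIGITS, PUNCT = string.ascii_lowercase, string.digits, string.punctuation


def _keep(pw: str, allowed: str) -> str:
    """Drop every character of pw that is not in the allowed set."""
    return "".join(c for c in pw if c in allowed)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def detect_transformation(old: str, new: str):
    """Return the name of the predictable pattern relating old to new, or None.

    Checks run from most to least specific so the label reflects the
    simplest explanation of the change."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "unchanged" if old == new else "case change only"
    if o.translate(LEET) == n.translate(LEET):
        return "letter-to-symbol substitution"        # Password1 -> P@ssword1
    if sorted(o) == sorted(n):
        return "characters reordered"                 # Winter22! -> 22Winter!
    if _keep(o, LETTERS + DIGITS) == _keep(n, LETTERS + DIGITS):
        return "special characters added or removed"  # Hello!!! -> Hello!!
    if _keep(o, LETTERS + PUNCT) == _keep(n, LETTERS + PUNCT):
        return "number changed"                       # Summer2016 -> Summer2017
    if _edit_distance(o, n) <= 2:
        return "one or two character edits"
    return None


def is_acceptable_change(old: str, new: str) -> bool:
    """Policy hook for a password-change form: reject predictable rotations."""
    return detect_transformation(old, new) is None
```

A check like this only catches the rotation shortcuts; it does nothing for the offline guessing problem Cranor describes, which is why the research favours strong passwords changed rarely over weak ones changed often.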
If your network security is important to you, consider bringing in a trusted partner to ensure your data is locked up tight, like Great Lakes Computer.