Carnegie Mellon university professor reveals why enforced password changes are a security risk

Cybersecurity experts often tell internet users to create strong and unique passwords to help protect important online accounts from hackers.

However, in the face of widespread common practice, many security experts and academics are now producing mounting evidence that mandatory password changes – still enforced by many large firms and government departments - are not only counterproductive, but a potential cybersecurity risk.

In theory, the idea is simple. Mandatory password changes are enforced so that any compromised passwords are regularly cleansed – therefore becoming useless to any hacker who previously had access. Yet according to Carnegie Mellon University professor Lorrie Cranor, who is also chief technologist at the US Federal Trade Commission (FTC), research suggests a forced change achieves little.

It came as a surprise to Cranor, then, when the FTC itself issued an official tweet that said quite the opposite. "Encourage your loved ones to change passwords often, making them long, strong, and unique," the agency wrote on 27 January this year.

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas, as reported by Ars Technica. "I went to the social media people and asked them that and they said, 'well, it must be good advice because at the FTC we change our passwords every 60 days."

As she quickly told the chief technical officer of the FTC, academic analysis suggests otherwise. In one 2010 study conducted by researchers with the University of North Carolina (UNC), based on over 10,000 expired accounts from former staff and students, common patterns emerged when it was analysed how users actually changed their credentials.

Often, the research found, passwords would not be made stronger with each change. Instead, letters would be slightly changed to symbols (S to $ for example) and that only small incremental alterations would be made each time. Using sophisticated computer algorithms, the researchers were able to predict changes – dubbed 'transformations' - with ease.

In her stance on password changes, Cranor is not alone. Most recently, CESG the information arm of UK spy agency GCHQ issued formal advice that said hackers are increasingly likely to target this weakness to break into email accounts.

"CESG now recommend organisations do not force regular password expiry," it said. "We believe this reduces the vulnerabilities associated with regularly expiring passwords while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a 'weaker' one that they won't forget."

'Counterproductive'

In a detailed blog post, Cranor noted that "what was reasonable in 2006 may not be reasonable in 2016." She wrote: "While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive."

Of course, that's not to say you should never change a password. Reasonable times to make a new password includes if you believe an account has been breached, if you have another account that uses similar credentials or if you have ever shared the information with a friend.

"If it will make you feel better or if you just feel like it's time for a change, then by all means go ahead and change your password," Cranor said. "Regardless of why you are changing your password, choose a new password unrelated to the old one and don't reuse a password from another account."

She added: "Often, they tell me their passwords and ask me how strong they are. But my favourite question about passwords is 'how often should people change their passwords?' My answer usually surprises the audience: not as often as you might think."