The FBI took to Twitter on 25 November to caution holiday shoppers to stay safe online by frequently changing their passwords, a practice that security experts have previously judged to do more harm than good. Given the sharp rise in cybercrime in recent years and growing concern among Americans about cyberthreats, especially in the wake of the US elections, law enforcement agencies have stepped up efforts to raise public awareness of online security.
It is unclear, however, whether the FBI's advice on frequent password changes helps users. In May, the British intelligence agency GCHQ publicly recommended that users stop changing their passwords repeatedly, warning that forced changes push people towards unsafe habits such as writing passwords down so that forgetting one does not lock them out of an account.
"I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told Motherboard. "While I don't know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI."
Academic research into the practice has also found that frequent password resets do not necessarily leave users with stronger or more secure passwords after each change. Instead, people tend to alter only a few letters or digits so that the new password stays memorable, and a motivated attacker, particularly one who already knows an earlier password, can often still guess such a variant using readily available techniques and tools.
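To make the point concrete, here is an added illustration (not code from the article, from Motherboard, or from the research it refers to) that enumerates the kinds of small edits people commonly make when forced to change a password and checks whether a "new" password is among them. The transformation list and the sample passwords are assumptions chosen for the demonstration, not a published attack model; the script runs offline with no input.

```python
"""Why a slightly edited old password is easy to guess.

Added illustration for this article: given a previous password, generate
the small variations people tend to produce under forced rotation and
test whether a candidate "new" password falls inside that tiny space.
The transformation rules below are an assumed, simplified set.
"""
import string

# Trailing symbols people typically append to satisfy complexity rules (assumed set).
SPECIALS = "!@#$%&*?"


def increment_trailing_number(pw: str) -> list[str]:
    """Bump a trailing counter, keeping any trailing symbols in place.

    'Summer2016!' -> ['Summer2017!'], 'pass09' -> ['pass10'];
    returns [] when there is no trailing number to bump.
    """
    tail_start = len(pw.rstrip(SPECIALS))
    core, tail = pw[:tail_start], pw[tail_start:]
    i = len(core)
    while i > 0 and core[i - 1].isdigit():
        i -= 1
    if i == len(core):
        return []
    head, num = core[:i], core[i:]
    # zfill preserves zero-padding so 'pass09' becomes 'pass10', not 'pass1 0'.
    return [head + str(int(num) + 1).zfill(len(num)) + tail]


def candidate_successors(old: str) -> set[str]:
    """Return the set of 'new' passwords an attacker who knows `old` would try first."""
    cands: set[str] = set()

    # 1. Bump a trailing counter: Winter2016 -> Winter2017.
    cands.update(increment_trailing_number(old))

    # 2. Append a special character, or swap the existing trailing one.
    stripped = old.rstrip(SPECIALS)
    for s in SPECIALS:
        cands.add(old + s)
        cands.add(stripped + s)

    # 3. Append a digit, or replace the last digit with another one.
    for d in string.digits:
        cands.add(old + d)
        if old and old[-1].isdigit():
            cands.add(old[:-1] + d)

    # 4. Flip the case of the first letter: password -> Password.
    if old and old[0].isalpha():
        cands.add(old[0].swapcase() + old[1:])

    # 5. A single leetspeak substitution: password -> p@ssword, pa$sword, ...
    leet = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
    for idx, ch in enumerate(old):
        if ch.lower() in leet:
            cands.add(old[:idx] + leet[ch.lower()] + old[idx + 1:])

    cands.discard(old)  # an unchanged password is not a successor
    return cands


def is_predictable_change(old: str, new: str) -> bool:
    """True when `new` is one of the obvious edits of `old`."""
    return new in candidate_successors(old)


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2016!", "Summer2017!"), ("password", "p@ssword"),
                     ("Welcome1", "Welcome1!"), ("Summer2016!", "x7Q!mv2Lp#9r")]:
        n = len(candidate_successors(old))
        print(f"{old!r} -> {new!r}: predictable={is_predictable_change(old, new)} "
              f"(only {n} guesses needed to cover every rule)")
```

The instructive number is the size of the candidate set: for a typical old password the rules above produce a few dozen strings, so an attacker who learned last quarter's password from a breach dump needs only a handful of login attempts to land on this quarter's edit, well under any lockout threshold. A password manager's randomly generated replacement, by contrast, shares nothing with its predecessor and never appears in that set.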
Experts instead advise users to enable two-factor authentication, so that a stolen password alone is not enough for an attacker to log in, and to use a password manager that generates a unique, strong password for every account.