Security experts have been saying for decades that human weakness can trump the best technology.
Apparently, it can also trump conventional wisdom.
Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person’s, or an organization’s, security.
Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was “time to rethink mandatory password changes.”
She gave a keynote speech at the BSides security conference in Las Vegas earlier this month making the same point.
But the message was not new – she has been preaching it for some time. Cranor, who before her move to the FTC was a professor of computer science and of engineering and public policy at Carnegie Mellon University, gave a TED talk on it more than two years ago.
She contends that changing passwords frequently could do more harm than good. Not because new passwords, in and of themselves, would make it easier for attackers, but because of human nature.
She cited research suggesting that “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”
This, she said, was demonstrated more than six years ago in a 2009-2010 study at the University of North Carolina at Chapel Hill. Researchers, using passwords of more than 10,000 defunct accounts of former students, faculty and staff, found it much easier to crack new passwords if they had cracked an older one, since users tended to create a new password with a minor tweak of the old one.
Those tweaks included changing a lower-case letter to upper case, substituting a number for a letter, such as a “3” for an “e,” or simply adding a couple of letters or numbers to the end of the previous password.
Cranor said the researchers found that if they knew a previous password, they could guess the new one in fewer than five tries. A hacker who had also stolen the hashed password file would be able to guess new ones within three seconds – and that was with 2009 technology.
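The three tweaks the UNC researchers observed (case changes, digit-for-letter substitutions, short appended suffixes) are mechanical enough that a password-change handler can refuse them outright. The following is an added example, not code from the article or from either study; the substitution table, the suffix limit and the similarity threshold are my own assumptions, and the sample pairs are constructed. It only works at the moment of the change, when the user supplies both the old and the new password in plaintext; a system that stores only hashes cannot run this comparison after the fact.

```python
"""Reject a new password that is only a predictable tweak of the old one.

Added example: encodes the tweaks described in the article (case changes,
"3" for "e"-style substitutions, a couple of characters appended). The
table and thresholds below are assumptions, not values from the study.
"""
from difflib import SequenceMatcher
from typing import Tuple

# Substitutions to undo before comparing (assumed table, e.g. "3" for "e").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})
MAX_SUFFIX = 3      # "adding a couple of letters or numbers to the end"
MIN_RATIO = 0.8     # similarity at or above which the change counts as a tweak


def canonical(pw: str) -> str:
    """Undo case changes and the common letter substitutions."""
    return pw.lower().translate(LEET_MAP)


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is reachable from `old` by the tweaks described above."""
    a, b = canonical(old), canonical(new)
    if a == b:
        return True                      # only case or substitutions changed
    short, long_ = sorted((a, b), key=len)
    if long_.startswith(short) and len(long_) - len(short) <= MAX_SUFFIX:
        return True                      # old password plus a short suffix
    # Catch other small edits (one digit bumped, one letter swapped, ...).
    return SequenceMatcher(None, a, b).ratio() >= MIN_RATIO


def check_password_change(old: str, new: str) -> Tuple[bool, str]:
    """Policy hook for a change-password handler: returns (accepted, reason)."""
    if not new:
        return False, "empty password"
    if is_trivial_variant(old, new):
        return False, "new password is a predictable variant of the previous one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs (not taken from the study).
    for old, new in [("Fluffy2015", "Fluffy2016"),
                     ("mountain", "Mountain!"),
                     ("mountain", "m0unta1n"),
                     ("Winter2016", "Summer2016"),
                     ("mountain", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

The similarity ratio catches edits the first two rules miss, such as a year bumped by one, while leaving a genuinely new passphrase untouched. Note that a base-word swap with the same suffix ("Winter2016" to "Summer2016") passes this check; it addresses only the tweak patterns the article names, not every guessable pattern.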
The UNC study is not the only one reaching that conclusion. Researchers at the School of Computer Science at Carleton University in Ottawa, Canada, in a paper published in March 2015, concluded that the security advantages of password expiration policies were “relatively minor at best, and questionable in light of overall costs,” for the same reason the UNC researchers found.