A Carnegie Mellon computer science professor, Lorrie Cranor, conducted extensive research which found that users put little effort into making frequently changed passwords secure.
In other words, the study found that users created new passwords following predictable patterns that closely resembled their previous passwords. For example, lowercase letters may be changed to uppercase, a 0 may become an O, an S may become a $, and so on. These minor changes are ineffective as security enhancements.
Familiar Patterns of Password Adjustments Easy for Hackers to Detect
People familiar with password security realize that passwords should be created with as much randomness and variability as possible. They should preferably be 12 or more characters long, mixing uppercase and lowercase letters, numbers and symbols. References to names, dates of birth and pets should be avoided. Passwords should be unpredictable, which means they are extremely difficult for a user to remember. For this reason, most people create passwords that are easy to remember and therefore predictable.
Password generators are useful tools for randomizing passwords, and for maximum effectiveness they can be used in conjunction with a good password manager, such as Dashlane.
This raises the question: is it right to change passwords every two or three months?
According to experts like Cranor, this is ill-advised when the password protection is already strong. Experts believe that hackers who obtain a hashed password file are able to generate large numbers of possible password variations. Research further shows that periodic changes act only as a minor deterrent against these off-line attacks. The inconvenience to users is far greater than the security gained from the password change.
Does That Mean That Users Should Never Change Passwords at all?
The short answer is that passwords should only be changed if they have been compromised in a security breach.
Strong passwords are secure and don't need to be changed every two or three months. Instead, passwords should be changed every six months to a year for maximum effectiveness. Rather than requiring frequent updates, IT security consultants should push for strong passwords from the outset, so that constant updates become unnecessary.
In theory, a new password that meets the minimum security requirements would remain effective even if it were changed every couple of months. In practice, these mandated changes result in only minor alterations, such as the addition of a letter or symbol, and barely affect the overall strength of the password.
Practical Ways to Boost IT Security
Of course, when a company's security has been breached, it is standard protocol to change all passwords. According to the Federal Trade Commission, the standard operating procedure of 2006 simply doesn't apply in 2016 and beyond.
A study conducted in 2009 by the University of North Carolina at Chapel Hill examined 10,000 defunct student accounts (with password changes required every three months) and found that the adjustments made to passwords consistently followed predictable patterns.
These transformations included adding another digit or a similar character. They were ineffective and allowed hackers to easily guess the new password. Passwords should only be changed if there is reason to believe that a data breach has occurred or a device has gone missing; in that case, the change should be made across all accounts. In all instances, the risk/reward trade-off should be evaluated, along with other ways to enhance overall security such as antivirus software, password managers and common-sense habits like logging off your PC when you are away from your workstation.