The Federal Trade Commission’s chief technologist says that the conventional wisdom that changing passwords frequently bolsters cybersecurity is a fallacy.
Lorrie Cranor, a former professor, contends that changing passwords frequently can be counterproductive because it often encourages the creation of new passwords that are equally vulnerable, if not more so.
Cranor points to a 2010 study published by the University of North Carolina. Researchers conducted the study by first acquiring the “password hashes” (one-way scrambled forms of the passwords, not the passwords themselves) for 10,000 expired accounts of university members, according to Ars Technica.
After studying the alterations made from the expired account passwords to the new ones, researchers discovered that only minimal changes were made. For example, “tarheels#1” was changed to “tarheels#11” or “tArheels#1”, illustrating a tendency either to append a single character or to capitalize a character already in the password.
“The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor explained to Ars Technica. “They take their old password, they change it in some small way, and they come up with a new password.”
The pattern was so predictable that the UNC researchers were able to guess the new passwords with impressive precision. “We develop a framework by which an attacker can search for a user’s new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy,” the study’s abstract reads.
The researchers conclude that the widely practiced method of “password expiration,” in which a user must change their password at regular intervals, can be damaging. “The effectiveness of expiration in meeting its intended goal is weak,” the researchers concluded. “We believe our study calls into question the continued use of expiration and, in the longer term, provides one more piece of evidence to facilitate a move away from passwords altogether.”
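As an added illustration of the transformation pattern the study describes (editor-supplied example code, not the study’s search algorithm and not from the article), here is a change-time policy check that rejects a new password that is only a case change, a one-character edit, a bumped trailing number, or a short appended affix of the old one; the function names and sample passwords are assumptions.

```python
import re
from typing import Optional

# Added example, not from the article or the UNC study: a change-time check that
# flags a new password that is only a small "transformation" of the old one.
# It assumes it runs while the user supplies both old and new password in
# plaintext (a server that stores only hashes cannot compare them afterwards).


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_transformation(old: str, new: str) -> Optional[str]:
    """Name the pattern that links old and new, or None if the change is substantial."""
    if old == new:
        return "unchanged"
    lo, ln = old.lower(), new.lower()
    if lo == ln:                       # "tarheels#1" -> "tArheels#1"
        return "case-change-only"
    if edit_distance(lo, ln) <= 1:     # "tarheels#1" -> "tarheels#11"
        return "single-char-edit"
    m_old, m_new = re.fullmatch(r"(.*?)(\d+)", lo), re.fullmatch(r"(.*?)(\d+)", ln)
    if m_old and m_new and m_old.group(1) == m_new.group(1):
        return "trailing-number-change"   # "spring9" -> "spring10"
    short, long_ = sorted((lo, ln), key=len)
    if len(long_) - len(short) <= 2 and (long_.startswith(short) or long_.endswith(short)):
        return "short-affix"              # "tarheels#1" -> "tarheels#1!!"
    return None


def accept_new_password(old: str, new: str) -> bool:
    """Policy hook: reject the change when it is a trivial transformation."""
    return trivial_transformation(old, new) is None
```

The check complements, rather than replaces, a move away from forced expiration: it catches the specific transformations the study found, not every weak choice.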
“I’m happy to report that for two of my six government passwords, I don’t have to change them anymore,” Cranor told Ars Technica. “We’re still working on the rest.”