FTC Speaks Against Mandatory Password Changes


While requiring users to update their passwords has been a longstanding data security practice, FTC Chief Technologist Lorrie Cranor suggests that new research shows the process may do more harm than good.

In a blog post last week, Cranor made the case for companies evolving their security practices when it comes to mandatory password changes as new threats evolve and novel countermeasures are created.

“What was reasonable in 2006 may not be reasonable in 2016. This blog post provides a case study of why keeping up with security advice is important. It explores some age-old security advice that research suggests may not be providing as much protection as people previously thought,” she explained.

According to Cranor, a great deal of research shows that when people are forced to update their passwords, they typically select weaker passwords and tend to change them in a predictable manner — making it even easier for attackers to guess the new password from the old one.

“Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” Cranor said, adding that changing the password after it is compromised could still be ineffective if additional steps aren’t taken to address security problems.

The blog post points to two recent peer-reviewed research papers that examine how mandatory password changes can be counterproductive. In one of those papers, “The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis,” researchers at the University of North Carolina at Chapel Hill found that once an attacker knows a user follows a predictable pattern when changing passwords, the attacker’s chance of cracking that user’s password increases with each change.
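The finding above is that a new password derived from the old one by a small, predictable edit offers little additional protection. As an added illustration (not code from the FTC, Cranor’s post, or the UNC paper), the following Python sketch shows what a defensive password-change check can do with that insight: compare the proposed password with the previous one and reject changes that are only a capitalization flip, a reversal, a changed suffix or substituted symbol, or a handful of edits away. The set of transforms and the thresholds are assumptions chosen for illustration, not the paper’s exact transform catalogue.

```python
import re
from typing import Optional, Tuple

# Assumption: a small, illustrative set of symbol substitutions users commonly
# apply when "changing" a password. This is not the UNC paper's transform list.
LEET = str.maketrans("@$", "as")


def core(pw: str) -> str:
    """Reduce a password to its alphabetic core: lower-case, undo the common
    symbol substitutions above, and drop leading/trailing non-letters
    (e.g. 'Summer2016!' -> 'summer')."""
    s = pw.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        prev = cur
    return prev[-1]


def predictable_change(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return a reason string if `new` is a predictable transform of `old`,
    or None if the change looks independent of the previous password."""
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "capitalization change only"
    if new == old[::-1]:
        return "reversal of old password"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return "same core word; only affix or symbol substitution changed"
    if levenshtein(old, new) <= max_edits:
        return f"within {max_edits} edits of old password"
    return None


def accept_new_password(old: str, new: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy hook for a password-change form: enforce a length floor and
    reject predictable derivations of the previous password.
    (Assumed thresholds; tune to your own policy.)"""
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    reason = predictable_change(old, new)
    if reason:
        return False, reason
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample change requests for demonstration.
    for old_pw, new_pw in [
        ("Summer2016!!", "Summer2017!!"),
        ("password1", "Password1!"),
        ("Summer2016", "correct horse battery staple"),
    ]:
        print(f"{old_pw!r} -> {new_pw!r}: {accept_new_password(old_pw, new_pw)}")
```

In a real deployment the old password is never stored in clear, so this comparison can only run at the moment of change, when the user has just authenticated with the old password and both values are briefly in memory; that is also the only point at which such a check is needed.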

The love-hate relationship users have with passwords is nothing new. Many see them as a necessary evil — instrumental in keeping data and sensitive information secure but a headache to manage and keep safe. With the rise of biometrics and other security technologies, companies are turning to options that bypass passwords altogether. If passwords do indeed die out, the issue of mandatory updates will surely die with them.

For more on the news and trends in today’s digital identity space, download the PYMNTS’ Digital Identity Tracker.