Frequent password changes are not good idea, as they annoy users who create less secure passwords.
Opening B-Sides Las Vegas, Lorrie Cranor, chief technologist at the Federal Trade Commission and Professor in the School of Computer Science and the Engineering and Public Policy Department at Carnegie Mellon University, followed up a blog post about how password changes are “not necessarily a good idea”.
She said: “You don’t need to change your password every day. I talked to the FTC’s CIO and CISO and said ‘why do you make us change passwords every 60 days’, and I said that there is research and data that shows that is not necessarily improving security. So they said show us the research as we cannot change policy without research to back it up, so gathered it and they found it convincing and I don’t need to change two of my six government passwords anymore.”
Citing student research about pattern and perceived password strength, Cranor said that common tactics were to switch lower case characters for upper case characters, adding numbers, exclamation points and following a keyboard pattern.
“When you change it regularly, you don’t put much effort into making a strong password in the first place,” she said. “At Carnegie Mellon we did a survey after changing a password and asked how annoyed they were, and those who were really annoyed had the weakest passwords!”
She showed examples of which was deemed to be the most secure password, one of which was “brooklyn16” vs “brooklynqy” and revealed that the latter was 300,000 times more secure as it avoids common names and phrases. Cranor closed her talk by revealing that Carnegie Mellon University is working on an open source meter that will provide feedback to users on the strength of their password, and details will be revealed in the coming year.