The debate about whether frequent password changing is a good or a bad practice is raging. OK, maybe just humming along. FTC chief technologist Lorrie Cranor and some other security experts have started saying that the practice may be counterproductive — especially if it encourages poor password selection. To push this debate a little further, let’s examine the issues that are involved.

First, what are some of the more basic reasons why we might choose to go for periodic (e.g., every three months) password changes? This practice has some clear advantages and disadvantages. Here is why.

Frequent password changes are bad…

…if your users are going to pick simple passwords to compensate for the frequent changes — to make their passwords easier to remember.
…if your users are going to write their passwords down (especially if they’re writing them in places that are not at all secure).
…if your users are going to forget their passwords when they change them, adding dramatically to the number of tickets that your tech support team is going to have to handle.

Frequent password changes are good…

…if they prevent captured passwords from being used.
…if the practice lessens the chance that your users will employ the same password for many different sites (it is more trouble to keep them in sync).
…if being required to change passwords periodically makes it less likely that your users will share their passwords.

One important point in guarding against weak passwords is that, no matter how frequently passwords are changed, most systems today provide some way to set complexity requirements that dictate password parameters such as length, mix of characters, re-use of previous passwords, similarity to common words, etc. For example, the practice of swapping certain characters for others that have a similar look — @ for a, 0 for o, etc. — and mixing case is not likely to pass a system’s password checking routines if that’s all you do. Password complexity requirements are important.
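As an added example (not code from the article), here is a small Python version of the kind of complexity check described above: it undoes the look-alike substitutions before the dictionary comparison, requires a mix of character classes, and rejects near-repeats of a previous password. The word list, the similarity threshold and the default minimum length are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed word list standing in for the system's dictionary check.
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "qwerty"}

# Reverse the look-alike swaps the article describes (@ for a, 0 for o, ...).
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                          "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case and undo substitutions so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET_MAP)


def dictionary_base(pw: str) -> str:
    """Drop trailing digits/symbols before normalizing: 'P@ssword2' -> 'password'."""
    return normalize(re.sub(r"[^a-z]+$", "", pw.lower()))


def check_policy(candidate: str, previous, min_len: int = 8) -> list:
    """Return the policy violations for a proposed password (empty list = accepted).

    min_len defaults to the lax 8 still common in practice; the article argues
    for 16 or more.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("needs at least three character classes")
    if dictionary_base(candidate) in COMMON_WORDS:
        problems.append("based on a dictionary word after undoing substitutions")
    # Re-use rule: reject near-repeats of earlier passwords, not just exact ones.
    for old in previous:
        if SequenceMatcher(None, normalize(candidate), normalize(old)).ratio() > 0.8:
            problems.append("too similar to a previous password")
            break
    return problems
```

Run against “P@ssword2” it reports a dictionary-word violation, while “NapTime@2PM” passes every rule.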
On the other hand, the complexity mandates are likely inadequate when it comes to protecting your users’ passwords against the ever-increasing cleverness of password guessing and cracking tools. Maybe they won’t let you get away with “P@ssword2” because it’s too similar to a dictionary word, but will they be OK with “NapTime@2PM”? Is that a good password? It used to be. But now? Read on and judge for yourself.

As Bruce Schneier (one of my long-time security heroes) has pointed out, the key to thinking about password security and, thus, understanding the debate over frequent password changing, is to grasp the ways in which passwords might be compromised. The end goal, of course, is to keep passwords private. How do you best do that?

Today’s automated password cracking tools can generate thousands of password guesses faster than you can say “open sesame.” At the same time, however, most systems are going to shut you out after 5-10 of those guesses have been tried. So maybe one of the bigger dangers here is that attackers can lock your accounts.

Some of these tools make use of dictionaries (rather than using the old brute force method of generating every possible combination of characters for reasonable password lengths). And they’re likely going to apply all the standard substitutions that I mentioned above. But that’s not all! Some modern password cracking tools will actually try word combinations of various kinds. They might string together words like “allyouneedislove” and “I hate my job” (with and without the inserted blanks). Brute force methods — trying every possible combination — are not used very often these days because they’re time-consuming and inefficient. At the same time, the cleverness of the modern password guessing tools goes way beyond the kind of thing we worried about ten or twenty years ago. There are tools that will take a password database — such as your /etc/shadow file — and try to generate usable passwords from the hashes they contain.
But they have to get your shadow file. There are also tools that use predigested lookup tables containing words along with their hashes, making it relatively easy to go from hashes to the related passwords if the bad guys can get their hands on your password hashes. And there are tools that use multiple dictionaries or the contents of huge information collections such as Wikipedia to create password guesses that can out-think many of our most inspired password concoctions.

Serious passwords these days are long — think 16 characters or more — and have a pattern that is not likely to be guessed even by the cleverest of tools. Something like “ihatemyjob” is not going to stand up very well to automated scrutiny; “ImpaIciIwt@2016” (It’s my party and I’ll cry if I want to at 2016) stands a much better chance. Your own sentence (rather than a reference to a well-known song or phrase) would be even better.

Another option is to go with a password that is generated by a tool such as KeePass. If you go this route, however, you are going to end up with passwords that look like “j0MxmoNnEUg9JIflizGU.” You can always grab them from your password safe and paste them into place when you need them, but that’s time consuming. And, if you go this route, you should only use tools that never store your passwords in plain text in your system’s memory where some variety of spyware might find them.

So the answer to the “Should passwords be changed frequently?” debate is pretty much “it depends.” And I’d still say yes. If you use really good passwords, changing them often is an additional protection — but only if you can address the risks. Passwords becoming oversimplified, passwords being written down, and passwords following predictable patterns are going to work against you. Periodic password changing is only a good idea if the practice doesn’t “dumb down” your password selection.
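The word-to-hash lookup tables described above only pay off against unsalted hashes. As an added example (not the article’s code), the Python below contrasts a constructed lookup table built against plain SHA-256 with per-user salted PBKDF2 storage, which the same table cannot be reused against; the word list and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for the huge precomputed tables the
# article mentions; a real one would hold millions of words and phrases.
WORDLIST = ["ihatemyjob", "allyouneedislove", "letmein", "naptime@2pm"]


def legacy_hash(password: str) -> str:
    """Unsalted SHA-256: the kind of storage a word->hash table is built for."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Hash every word once; afterwards a leaked hash is recovered by a dict lookup."""
    return {legacy_hash(w): w for w in words}


def lookup(table, stored_hash: str):
    """Return the word behind a stored hash, or None if the table does not cover it."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes = None, iterations: int = 600_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt per user.

    The salt means a table would have to be rebuilt for every single user,
    and the iteration count makes each of those guesses expensive.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print(lookup(table, legacy_hash("ihatemyjob")))   # word recovered by one dict lookup
    salt, digest = salted_hash("ihatemyjob")
    print(lookup(table, digest.hex()))                 # None: the table does not apply
    print(verify("ihatemyjob", salt, digest))          # True
```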
In time, passwords are probably going to go away and be replaced by something more effective and resistant to attack. We already have token generators that provide “three factor” authentication (username, password, and token code). These add considerably to the security of user accounts. And some systems (particularly online applications) might require that you also answer some pre-negotiated question or select a photo from a group of photos. While we wait for more attacker-proof authentication schemes to make their appearance on our systems, token generators, truly complex passwords and tricks for remembering passwords in spite of their complexity are about all we have.