Why changing your password regularly may do more harm than good

Most office drones have had to deal with a job that requires them to keep changing their passwords like clockwork, maybe every six months or so. The longstanding IT security practice is based on the idea that flushing out old passwords will cut off access for bad guys who may have figured them out.

But according to the Federal Trade Commission’s chief technologist, Lorrie Cranor, the strategy has some major holes. “Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases,” Cranor wrote Wednesday in a blog post entitled “Time to rethink mandatory password changes.”
https://www.washingtonpost.com/news/the-switch/wp/2016/03/02/the-case-against-the-most-annoying-security-measure-virtually-every-workplace-uses/

Also see: Time to rethink mandatory password changes
Data security is a process that evolves over time as new threats emerge and new countermeasures are developed. The FTC’s longstanding advice to companies has been to conduct risk assessments, taking into account factors such as the sensitivity of information they collect and the availability of low-cost measures to mitigate risks. The FTC has also advised companies to keep abreast of security research and advice affecting their sector, as that advice may change. What was reasonable in 2006 may not be reasonable in 2016. This blog post provides a case study of why keeping up with security advice is important. It explores some age-old security advice that research suggests may not be providing as much protection as people previously thought.

When people hear that I conduct research on making passwords more usable and secure, everyone has a story to tell and questions to ask. People complain about having so many passwords to remember and having to change them all so frequently. Often, they tell me their passwords (please, don’t!) and ask me how strong they are. But my favorite question about passwords is: “How often should people change their passwords?” My answer usually surprises the audience: “Not as often as you might think.”

