Want Safer Passwords? Don't Change Them So Often

The tyranny of mandatory password resets only makes security weaker.
[Illustration: Then One/WIRED]

Okay, all of you IT managers, it’s time we had a talk.

I know you mean well. I know you think you’re helping. But when you demand that your co-workers’ passwords change as frequently as the seasons, you’re not just driving them bonkers, you’re actively making your systems less secure.

Before you write this off as the whining of someone who’s had enough of mixing up his alphanumerics, please know that I’m not asking you to take my word for it. In fact, don’t listen to me at all. Listen to science.

As FTC Chief Technologist---and Carnegie Mellon computer science professor---Lorrie Cranor recently outlined, the weight of recent research agrees that when people are forced to change their passwords on the regular, they don’t put a whole lot of mental muscle behind it. Instead, Cranor notes, according to one UNC study, people “tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
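The transformations Cranor lists are mechanical enough that a password-change form can refuse them. The Python below is an added illustration, not code from the article, the UNC study, or anyone quoted here; the symbol-substitution table, the two-edit threshold, and the sample password pairs are assumptions constructed for the demo.

```python
"""Flag a new password that is only a predictable 'transformation' of the old one.

Covers the four patterns named in the UNC study: incrementing a number,
swapping a letter for a look-alike symbol, adding or deleting special
characters, and moving digits or symbols around.
"""
import re

# Look-alike symbol substitutions to undo before comparing. Constructed for the
# demo: the article only gives the S -> $ example, the rest are assumptions.
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
                      "4": "a", "7": "t", "!": "i"})


def letter_core(pw: str, undo_leet: bool) -> str:
    """Lower-case the password, optionally undo look-alike symbols, then keep
    only letters. This discards exactly what the transformations tinker with:
    the digits, the special characters, and where they sit."""
    s = pw.lower()
    if undo_leet:
        s = s.translate(LEET)
    return re.sub(r"[^a-z]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches small tweaks the letter-core check misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_trivial_transformation(old: str, new: str, max_edits: int = 2) -> tuple[bool, str]:
    """Return (True, reason) when `new` is a predictable rewrite of `old`.

    `max_edits` is an assumed threshold: within two edits of the old password
    (after case folding and undoing look-alikes) counts as a transformation.
    """
    if old == new:
        return True, "unchanged"
    if old.lower() == new.lower():
        return True, "only letter case changed"
    for undo in (False, True):
        core_old, core_new = letter_core(old, undo), letter_core(new, undo)
        if core_old and core_old == core_new:
            return True, "same letters; only digits or symbols changed or moved"
    if levenshtein(old.lower().translate(LEET), new.lower().translate(LEET)) <= max_edits:
        return True, f"within {max_edits} edits of the old password"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sample pairs, one per pattern from the study plus a real change.
    pairs = [
        ("Password1", "Password2"),                       # incremented number
        ("Password", "Pa$$word"),                         # S -> $
        ("Password!!!", "Password!!"),                    # dropped a special char
        ("Password12", "12Password"),                     # digits moved to the front
        ("Summer2019", "correct horse battery staple"),   # genuinely new
    ]
    for old, new in pairs:
        trivial, reason = is_trivial_transformation(old, new)
        print(f"{old!r:14} -> {new!r:32} {'REJECT' if trivial else 'accept'}: {reason}")
```

The comparison needs the old password in plaintext, which a change form has only at the moment the user types it to authorize the change; the check therefore belongs in that request handler, and nothing about the old password should be kept afterwards. All-digit PINs have an empty letter core, so the edit-distance branch handles them.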

Admit it, that sounds familiar, even to you IT specialists, right? If not, you are a password hero, worthy of praise and emulation. For the rest of us though, it’s an all too familiar way to survive the regularly scheduled slog. It’s also perfectly understandable, given how our brains work.

“I understand [password security], I care about it, and I still find it really difficult to have to create a new password,” Cranor tells WIRED. “What we’re asking people to do is to come up with something that’s unpredictable. By definition, something that’s new and crazy and unpredictable is going to be hard for me to remember, and maybe even come up with in the first place.”

Still, we shouldn’t not do the right thing just because it’s hard, you might say. Fair enough! Unfortunately, changing passwords every 60 or 90 days isn’t even necessarily the right thing when those passwords are strong, according to recent research out of Carleton University. If we all excelled at switching up our digital deterrents, it wouldn’t actually help all that much.

“Today, attackers who have access to the hashed password file can perform offline attacks and guess large numbers of passwords,” Cranor writes for the FTC. “The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit---probably not enough to offset the inconvenience to users.”

That’s right! Even following the frequent password change protocol correctly doesn’t do a whole lot of good.

So why, despite a mountain of scientific evidence, does this insistence persist? For one thing, Cranor says, it’s not like you IT professionals are necessarily reading every cybersecurity academic paper that comes out. You have lives! Even if you did read every paper, though, Cranor says it ends up being a pretty tough sell.

“People have told me, ‘If I were to do something that looks like I was watering down my organization’s security policy,’ people are going to say, ‘Why are you going soft on security here?’” says Cranor. “You never have to explain why you’re making things more secure… Removing that requirement would require a lot of explanation.”

But remember: You’re actually making things more secure! And you’ve got PhDs backing you up.

That doesn't necessarily mean never changing passwords at all. "With a strong password, there is little to be gained by having to change it every few months," says password security expert and author of Perfect Passwords Mark Burnett. "Six months to a year will result in a better experience for users and allow for stronger passwords." Just imagine the sanity gained by going a whole year without a single password-change prompt. Think of the morale boost alone!

If for whatever reason you still can’t let go of making people change passwords as often as they turn the pages of their wall calendars, Cranor suggests that you at least encourage them to use a password manager, like LastPass or Dashlane. They’re not perfect, but they can be a “very reasonable strategy” for coping, mostly because they don’t require people to balance unpredictable passwords with ones they can actually remember.

For everyone’s sake (including your own), why not make sure everyone’s passwords are strong to start with, and from there, just let them be? Thanks for listening.

This post has been updated with comment from Mark Burnett.