Changing Passwords Regularly is Doing More Harm Than Good

How often do you change your passwords?

Every month? Every year? When you are forced to? Or just when you forget them?

If you’re like most people, it will likely be one of the last two options.

Passwords are an inconvenience; just one more thing to remember on top of everything else. So when you do need to change them, what do you do? You add a number to the end of your current password. T34m1R0nMan becomes T34m1R0nMan1, then T34m1R0nMan2, and so on and so on and so on.

Or (if you have a really horrible IT administrator) your new password is not allowed to contain any characters from your old password, so you need to come up with a new one each time…each one easier to remember (and probably easier to guess) than the last one.

Now, what would you say if I told you that I have a list which contains your password? Don’t believe me? If your password is based on a name, a sports team, a dictionary word, a film name or a celebrity name, I have it.

It has a number at the end? No problem. The tool I would use to hack your account would try any combination of that list, and any numbers and symbols that I tell it to. You substituted numbers or symbols for some of the letters? Sorry – it does that too.

Two things make it difficult (or impossible) for my tool to crack or guess your password:

  1. Account lockouts. If your account, whether Gmail or Facebook or Windows logon, is set to lock after a few unsuccessful login attempts, I would need to have a very good idea what your password is or I wouldn’t stand a chance. You can’t always rely on this though; there are some sneaky ways round it. So point 2 is your best option…

  2. Have a really long password. It doesn’t have to be complex – it’s the character count that matters. If you want to get into the ins and outs of why password length is more important than complexity, have a read of this, but basically “D0g.....................” would take 95 times longer to guess than “PrXyc.N(n4k77#L!eVdAfp9” because of the extra character.
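The check below is an added example, not part of the original post. It looks at a password both ways described above: the size of the exhaustive search space, which grows with length, and whether the password is only a suffix-and-substitution variation of a listed word. The wordlist and substitution table are constructed samples, and the padded example is taken to be "D0g" followed by 21 full stops (an assumption).

```python
import string

# Constructed sample wordlist (assumption); a real check would use a large breached-password list.
WORDLIST = {"teamironman", "liverpool", "starwars"}

# Common character substitutions, undone before the wordlist lookup.
UNLEET = str.maketrans("013457@$", "oieastas")

# Character classes over printable ASCII: 26 + 26 + 10 + 33 = 95 symbols in total.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")


def alphabet_size(pw):
    """Size of the character set an exhaustive search must cover for pw."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in pw))


def brute_force_space(pw):
    """Number of strings of the same length over the same alphabet as pw."""
    return alphabet_size(pw) ** len(pw)


def dictionary_base(pw):
    """Return the wordlist entry that pw is a simple variation of, else None."""
    core = pw.rstrip(string.digits + string.punctuation)  # drop an appended counter
    for candidate in (pw, core):
        plain = candidate.lower().translate(UNLEET)
        if plain in WORDLIST:
            return plain
    return None


def assess(pw):
    """Summarise both views of a password for a policy decision."""
    return {"length": len(pw), "alphabet": alphabet_size(pw),
            "brute_force_space": brute_force_space(pw),
            "derived_from": dictionary_base(pw)}


# The page's two examples, taking the padding as 21 full stops (assumption).
PADDED = "D0g" + "." * 21
RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"

if __name__ == "__main__":
    for pw in ("T34m1R0nMan", "T34m1R0nMan2", PADDED, RANDOM):
        print(pw, assess(pw))
    print(brute_force_space(PADDED) // brute_force_space(RANDOM))
```

The brute-force figure is an upper bound that only applies when `derived_from` comes back empty; a password that maps to a listed word falls to the wordlist long before an exhaustive search matters.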

So how do we reconcile having to change your password every 30 days with the requirement of having a really long (and potentially hard to remember) password?

Easy, we look for guidance from CESG (Communications Electronics Security Group).

CESG is basically a part of GCHQ which provides advice on information security to the public sector. And they know their stuff.

In April, they released this document. The important quote from it is below.

“CESG now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.”

So an organisation, tasked with keeping the country’s critical infrastructure safe from cyber attacks, is telling us that forced expiration of passwords is actually not helpful. 

Things won’t change overnight in the business world. Because of standards like PCI, you will still need to change your password frequently. But eventually this advice will filter through and you will no longer have that dreaded day every month when Windows forces you to change that password which you’ve only just started to remember…

Besides, some of the newest laptops have a feature where you don’t need a password at all. Here’s our Chief Technology Officer Paul Burns demonstrating Windows Hello on the Surface Pro 4: