We have long stated that the common practice of IT departments forcing their users to change passwords regularly is ineffective and bad security practice; moreover, it stresses out and confuses users. Other security experts are coming around to this conclusion as well.

In fact, government IT security agencies and regulatory bodies are now advising against the practice of mandating regular password changes. In 2015, the Communications-Electronics Security Group (CESG) – the body which advises the UK government on IT security – explicitly warned against this practice in its Password Guidance. (https://www.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach)

In March 2016, the US Federal Trade Commission (FTC) – the body charged with consumer protection – also advised against the practice. In a blog post entitled “Time to rethink mandatory password changes”, the FTC issued a warning similar to the CESG’s.

So, why are security experts suddenly warning against regular password changes?

The reason is what we have been saying all along – that regularly changing passwords is ineffective. Now, this actually seems counter-intuitive. After all, regularly changing passwords is supposed to make it harder for attackers to compromise security, right? Wrong!

Regular password changes can actually make it much easier for attackers to gain unauthorized access to a system or internet account. There are three main reasons for this:

First, studies have shown that when people know that they have to regularly change their passwords, they select weak ones to start with. This is because they don’t want to go through the mental stress of creating a strong password – which they’ll have to change anyway. Generally speaking, weaker passwords are easier to crack.

Secondly, studies have shown that when people change their passwords, they often make alterations to the previous one. Basically, people don’t select passwords which are 100% new every time. They usually edit the old one. They do this so that they can easily remember the password.

This habit means that once an attacker has the old password, they can easily guess the new one. A study carried out at the University of North Carolina at Chapel Hill in 2009 found that once attackers had access to old passwords, they could correctly guess 41% of the new ones in 3 seconds or less. (https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf)

The final reason is that when people select radically different passwords, they are more likely to write them down. They do this in order to make it easier for them to remember the password. Now, one thing which almost every IT security professional agrees with is that writing a password anywhere is a grave security risk.
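The second reason above is one that a password-change policy can act on at the moment of the change: if users mostly tweak the old password (bump a trailing number, swap letters for symbols, reverse it), the system can compare the proposed password against the one being retired and refuse obvious variants. The following Python is an added example written for this page, not code from the original post or from any of the studies it cites; the normalisation rules, the 0.8 similarity threshold and the function names are assumptions chosen for illustration, and the sample pairs are constructed.

```python
"""Password-change check that rejects trivial edits of the previous password.

Added example (not from the original post). It models the habit described
above: users keep the old password and tweak it, so a change policy that
compares the new password against the old one can refuse such variants.
"""
from difflib import SequenceMatcher

# Characters people typically append or prepend when "changing" a password.
STRIP_CHARS = "0123456789!@#$%^&*()_+-=.,?"
# Common symbol-for-letter substitutions, undone before comparison.
LEET = str.maketrans("@$!013", "asiole")


def normalize(pw: str) -> str:
    """Collapse cosmetic tweaks: case, appended counters/symbols, leetspeak."""
    core = pw.lower().strip(STRIP_CHARS)
    # An all-digit/all-symbol password strips to nothing; compare it as typed.
    return (core or pw.lower()).translate(LEET)


def similarity(old: str, new: str) -> float:
    """Ratio in [0, 1] of how much of the old password survives in the new one."""
    return SequenceMatcher(None, normalize(old), normalize(new)).ratio()


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is an obvious edit of the old one.

    The threshold is an assumption for this example; tune it to your own
    tolerance for false rejections.
    """
    a, b = normalize(old), normalize(new)
    if a == b or a == b[::-1]:          # same core, or the core simply reversed
        return True
    return similarity(old, new) >= threshold


def check_password_change(old: str, new: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed change. Hypothetical policy hook."""
    if new == old:
        return False, "new password is identical to the old one"
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2015!", "Summer2016!"),
                     ("P@ssw0rd", "Password1"),
                     ("Welcome1", "!1emocleW"),
                     ("Summer2015!", "orbit-lantern-quiet")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

The comparison is only possible while the old password is still available in plaintext, which in practice means at the moment the user types both the old and the new one into the change form; nothing here requires storing old passwords in a recoverable form.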

The bottom line is that forcing regular password changes can actually lead to security vulnerabilities. Does this mean that people should never change their passwords? Of course not. People should only change their passwords when there is clear evidence of a security breach having occurred.

Even then, a password change should be just one aspect of a broader security strategy. Here is a simple illustration. Let’s imagine that an attacker stole the password by installing a keylogger. In such a scenario, changing the password is useless if the keylogger isn’t removed from the system. This is what it means for a password change to be part of a “broader security strategy”.

Ultimately, to ensure IT security, administrators need to think about other measures aside from regular password changes. The CESG recommends using system monitoring tools which can alert users about failed login attempts on their accounts. This lets the user easily tell whether the attempts were their own.
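To make the monitoring recommendation concrete, here is an added Python example (written for this page, not code from the original post or from the CESG) that reads authentication log lines, tallies failed logins per account, and produces the kind of notice a user can check against their own memory of logging in. The log lines are constructed in OpenSSH's syslog format using documentation IP ranges; the function names and the notification wording are assumptions. Attempts against names that do not exist on the system have no account holder to notify, so the example routes those to the administrator instead.

```python
"""Per-user summary of failed logins from auth-log lines.

Added example (not from the original post or from CESG). The log lines below
are constructed in OpenSSH's syslog format; the function names are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
Mar 14 09:12:01 host sshd[2031]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 14 09:12:04 host sshd[2031]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 14 09:12:09 host sshd[2031]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 14 09:12:15 host sshd[2031]: Accepted password for alice from 203.0.113.7 port 51022 ssh2
Mar 14 09:30:00 host sshd[2100]: Failed password for invalid user admin from 198.51.100.9 port 40000 ssh2
Mar 14 09:30:02 host sshd[2101]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Mar 14 09:30:04 host sshd[2102]: Failed password for invalid user admin from 198.51.100.9 port 40002 ssh2
Mar 14 09:30:06 host sshd[2103]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
Mar 14 10:15:00 host sshd[2200]: Failed password for bob from 192.0.2.5 port 33000 ssh2
Mar 14 10:16:00 host sshd[2201]: Accepted publickey for carol from 192.0.2.6 port 33001 ssh2
"""

# Matches sshd's "Failed/Accepted <method> for [invalid user] <name> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return a dict with ts/result/invalid/user/ip, or None for lines we don't track."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def per_user_report(lines):
    """Aggregate login events by account name."""
    report = defaultdict(lambda: {"failed": 0, "sources": set(), "last_failed_at": None,
                                  "succeeded_after_failures": False, "known_account": True})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        entry = report[ev["user"]]
        if ev["invalid"]:
            entry["known_account"] = False      # no such account; nobody to notify but the admin
        if ev["result"] == "Failed":
            entry["failed"] += 1
            entry["sources"].add(ev["ip"])
            entry["last_failed_at"] = ev["ts"]
        elif entry["failed"] > 0:
            # A success right after failures is the "was that you?" case worth flagging.
            entry["succeeded_after_failures"] = True
    return dict(report)


def users_to_notify(lines, threshold: int = 1):
    """Real accounts that saw at least `threshold` failed attempts."""
    return sorted(u for u, e in per_user_report(lines).items()
                  if e["known_account"] and e["failed"] >= threshold)


def unknown_accounts(lines):
    """Names that were tried but do not exist; these go to the administrator."""
    return sorted(u for u, e in per_user_report(lines).items() if not e["known_account"])


def notification(user: str, entry: dict) -> str:
    """Text a user can check against their own memory of logging in."""
    srcs = ", ".join(sorted(entry["sources"]))
    msg = (f"{entry['failed']} failed login attempt(s) on account '{user}' "
           f"from {srcs} (last at {entry['last_failed_at']}).")
    if entry["succeeded_after_failures"]:
        msg += " A successful login followed. If this was not you, report it."
    return msg


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    report = per_user_report(lines)
    for user in users_to_notify(lines):
        print(f"notify {user}: {notification(user, report[user])}")
    print("for the administrator, unknown names tried:", unknown_accounts(lines))
```

In the sample, alice's three failures followed by a success is exactly the case the CESG advice targets: only alice can say whether those were her own typos. The four attempts against the non-existent "admin" account never reach a user and belong in the administrator's view instead.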

The bottom line is that IT departments need to stop telling users to regularly change their passwords. It is bad for security!

If you’re concerned about IT security in your small business, consider Hartland Computer’s Two-Hour Computer Security Review.

Hartland Computer Repair
859.536.4107