Page 80 - Cyber Warnings
The Myth Behind Frequent Password Changes
Are they good practice or counterproductive?
By Sarosh Petkar, BS/MS Student, Computing Security - RIT
INTRODUCTION
Mandatory password changes are an age-old security practice within numerous organizations.
This practice is described as a mechanism to lock out unauthorized users who may have
managed to social engineer the user’s password. Most office employees have to deal with this,
as their office system administrators keep sending annoying reminders to keep changing
passwords periodically. Is this a genuine requirement, or a practice so ingrained that its
acceptance is no longer questioned?
According to widespread opinion, periodic password changes are theoretically a good idea because they
ensure the security of a user's password. This opinion rests on the belief that constantly
changing passwords makes it a herculean task for nefarious actors to figure them out. In
reality, these regular password changes tend to be an inconvenience to users, and at the same
time alter user behavior toward choosing weak passwords, since users know they will have to
change them again in a few months' time.
BACKGROUND
A recent University of North Carolina (UNC) study, outlined by FTC Chief Technologist Lorrie
Cranor, agrees that periodic password changes can be counterproductive, as they
encourage poor password selection by users. The study suggests that when people are
forced to change their passwords periodically, they tend not to put much thought into it.
Users are inclined to choose simple passwords to compensate for the frequent changes
required of them.
According to the UNC study, people have a habit of choosing new passwords that follow a
predictable pattern, which the researchers call 'transformations.' These transformations are
characterized as the addition of a number, the deletion of a special character, or a switch in the order
of the numbers. The researchers obtained the cryptographic hashes of all passwords for around
10,000 expired accounts whose users had been required to change their passwords every
trimester (three months).
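One defensive use of this finding is to check, at the moment a user submits a password change, whether the proposed password is merely a transformation of the current one (a capitalisation flip, a bumped digit, a dropped symbol) and to reject it. The following is an added example written for this article, not code from the UNC study or from any product; the `classify_change` and `is_acceptable_change` functions, the 0.8 similarity threshold and the sample passwords are all assumptions chosen for illustration. It compares the letters-only "core" of both passwords, which the article's transformation types leave unchanged, and falls back to an edit-similarity ratio for near misses.

```python
import re
from difflib import SequenceMatcher
from typing import Iterable

# Constructed sample values for the demonstration (the first follows the article's example).
SAMPLE_OLD = "mrcoolguy@1"
SAMPLE_NEW_CASE_FLIP = "Mrcoolguy@1"
SAMPLE_NEW_STRONG = "tango-velvet-ocean-7"


def _core(pw: str) -> str:
    """Lowercase the password and strip digits and symbols, leaving only the letters.

    Capitalising a letter, bumping a trailing digit, or dropping an '@' all leave this
    core unchanged, which is exactly the transformation pattern the UNC study describes.
    """
    return re.sub(r"[^a-z]", "", pw.lower())


def classify_change(old: str, new: str, min_ratio: float = 0.8) -> str:
    """Classify a proposed password change relative to the current password.

    Returns one of:
      'identical'      - same string
      'transformation' - same letter core (only case, digits or symbols changed)
      'similar'        - edit similarity at or above min_ratio (hypothetical threshold)
      'ok'             - unrelated to the old password
    """
    if old == new:
        return "identical"
    old_core, new_core = _core(old), _core(new)
    # An empty core (all-digit or all-symbol passwords) carries no signal; fall through
    # to the similarity ratio in that case instead of calling everything a transformation.
    if old_core and old_core == new_core:
        return "transformation"
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= min_ratio:
        return "similar"
    return "ok"


def is_acceptable_change(new: str, history: Iterable[str]) -> bool:
    """Accept the new password only if it is unrelated to every password in the
    user's recent history (identical, transformed or similar entries all reject it)."""
    return all(classify_change(prev, new) == "ok" for prev in history)


if __name__ == "__main__":
    history = [SAMPLE_OLD, SAMPLE_NEW_CASE_FLIP]
    for candidate in ("mrcoolguy@2", "mrcoolguy1@", "mrcoolgal@1", SAMPLE_NEW_STRONG):
        print(f"{candidate!r}: {classify_change(SAMPLE_OLD, candidate)}, "
              f"accepted={is_acceptable_change(candidate, history)}")
```

A check like this can only run at change time, when the user has just supplied the current password in cleartext alongside the new one; the stored hashes that the UNC researchers worked from do not allow it after the fact. Comparing against a short history list also needs those earlier passwords in a comparable form, which is a trade-off to weigh against simply dropping the expiry requirement.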
By studying the data, the researchers identified common techniques that users employ when
changing their passwords. For instance, a password like 'mrcoolguy@1' (without the quotation marks)
ended up as 'Mrcoolguy@1' after the second change, and so on. Further, it may
80 Cyber Warnings E-Magazine – April 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide