October 25, 2016
Changing your password might not be providing as much security as experts thought. Hackers regularly try to access your company’s data for financial information and identity theft. Requiring your employees to use strong passwords makes it difficult for hackers to get at your accounts. But how often you require them to change those passwords might actually be hurting your security.
The evidence suggests it is time to rethink mandatory password changes.
Avoid a Change that is Less Secure.
Changing passwords frequently could be making your system less secure. There is a lot of evidence that people who change passwords on a frequent basis, such as every three to six months, choose weaker passwords. The problem, according to FTC Chief Technologist and Carnegie Mellon computer science professor Lorrie Cranor (article), is that when people have to change their password frequently they become predictable. It’s like clockwork. They don’t put much thought into it. Instead, their transformations are simple and methodical. They might increase a number. They might change a letter to a symbol that looks similar, such as changing an S to a $. They might add or delete a special character. Or they might switch the order of digits or special characters, such as moving the numbers to the beginning instead of the end.
If this sounds like what you do, you are not alone. You want a password that you can remember. However, since hackers can guess these predictable patterns, you could actually be making your password less secure. Today, hackers who have obtained the hashed password file can run offline attacks, guessing very large numbers of passwords without ever touching the live system. Depending on the system’s policies, they will keep guessing every possible combination until they get access, and if they don’t get in they may simply start the process over. So how will frequent changes deter them?
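The predictable transformations described above can be caught at change time. The following is an added example, not code from the original post or from Boost IT: a rule-based check that a password change handler could run to refuse a new password that is only a mechanical tweak of the old one (incremented number, look-alike symbol swap, an added or removed special character, or digits moved from the end to the front). The look-alike table and the two-edit threshold are assumptions chosen for illustration; it assumes the old password is available in cleartext at change time, which is normally the case because the user types it to authorize the change.

```python
"""Heuristic check that a new password is not a predictable tweak of the old one.

Added example; not the original post's code. The look-alike table and the
MAX_TRIVIAL_EDITS threshold are constructed assumptions, not a standard.
"""
from typing import Optional

# Symbols and digits people substitute for letters when forced to "add a symbol".
# Constructed table: extend it to match the substitutions your users favour.
LOOKALIKES = str.maketrans({
    "$": "s", "5": "s", "@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
    "|": "l", "3": "e", "7": "t", "+": "t", "(": "c",
})

# A change this small (one incremented digit, one added symbol, one swap) is
# exactly what an attacker who already knows the old password tries first.
MAX_TRIVIAL_EDITS = 2


def _letters(pw: str, fold_lookalikes: bool = False) -> str:
    """Letters-only skeleton of a password, lowercased.

    With fold_lookalikes=True, '$ummer' and 'Summer' collapse to the same
    skeleton, so a symbol-for-letter swap is not treated as a new password.
    """
    pw = pw.lower()
    if fold_lookalikes:
        pw = pw.translate(LOOKALIKES)
    return "".join(ch for ch in pw if ch.isalpha())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) in O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def predictable_change(old: str, new: str) -> Optional[str]:
    """Return a reason string if `new` is a predictable transformation of `old`,
    or None if the change looks genuine. Order matters: cheap exact checks
    first, then the edit-distance check, then the skeleton comparisons that
    catch reordered digits and look-alike substitutions."""
    if new == old:
        return "identical to the old password"
    if new.lower() == old.lower():
        return "only letter case changed"
    if _edit_distance(old, new) <= MAX_TRIVIAL_EDITS:
        return (f"within {MAX_TRIVIAL_EDITS} edits of the old password "
                "(e.g. incremented number, added or removed symbol)")
    skel_old, skel_new = _letters(old), _letters(new)
    if skel_old and skel_old == skel_new:
        return "same letters as the old password; only digits/symbols moved or changed"
    fold_old, fold_new = _letters(old, True), _letters(new, True)
    if fold_old and fold_old == fold_new:
        return "same word as the old password once look-alike symbols are folded back"
    return None


def is_predictable(old: str, new: str) -> bool:
    """Boolean wrapper for use in a change-password handler."""
    return predictable_change(old, new) is not None


if __name__ == "__main__":
    # Constructed sample changes, the kinds of tweaks the post describes.
    for old, new in [("Summer2016", "Summer2017"),      # number incremented
                     ("Summer2016", "Summer2016!"),     # symbol appended
                     ("Summer2016", "2016Summer"),      # digits moved to the front
                     ("Summer2016", "$umm3r20!6"),      # look-alike substitutions
                     ("Summer2016", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {predictable_change(old, new) or 'accepted'}")
```

A check like this belongs next to, not instead of, the strength rules discussed later in the post: it only answers the narrow question "is this the same password in disguise?", and a rejected change should prompt the user for something genuinely different rather than just a third variation.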
Choose Strength Over Frequency.
If the password is strong to begin with, some experts wonder why we should have to change it every 60 to 90 days. Your focus should be on getting the strongest passwords rather than on the interval between changes. By waiting longer before requiring changes, people are less frustrated by the constant churn and are more likely to put thought into a stronger password.
There are still good reasons to change passwords. According to the Federal Trade Commission, a company should do its own assessment of its security and determine whether there is a need to change passwords and how frequently. Mandated password changes should remain a security practice designed to periodically lock out unauthorized users who have learned users’ passwords. If you have reason to suspect someone has obtained your employees’ passwords, as with the recent Yahoo hack, change them immediately. If you think your employees have weak passwords, have them change those too.
Assess the need and emphasize strength. Consider changing your password policy to one that encourages stronger passwords, longer lengths, limited login attempts and multi-factor authentication, especially if your organization maintains sensitive data.
Also realize that if a hacker has obtained a password, they can often guess the changed version fairly easily, especially if the change is predictable. And if they have already been able to access a user’s account, they may still retain access through spyware, a keylogger, or other malware they installed. Therefore, you will need to look closely at your security as a whole, not just at the password.
Boost IT can help you assess your security and improve your employees’ password strength. For more information, contact us at 404-865-1289 or firstname.lastname@example.org.