Future Tense

Forcing People to Change Their Passwords Isn’t Just Annoying. It’s Counterproductive.



You’ve probably had a digital account that required password changes every few months, whether it was through a job, your school, or another institution. It sucks. It feels like you’re being prompted to do it every other day instead of a few times a year, and it’s hard to keep track of what you changed the password to. It’s annoying, but necessary for maintaining your cybersecurity, right? Well, it turns out that the approach may not even be effective, and the Federal Trade Commission’s chief technologist is pushing back.

Conventional wisdom says that forcing users to change their passwords every few months helps reduce unauthorized access. If someone is abusing old account credentials, they’ll eventually get locked out. But Lorrie Cranor, who studies security usability at Carnegie Mellon University in addition to her role at the FTC, wrote on Wednesday that requiring frequent password changes can degrade users’ password quality. People end up reusing passwords on a loop or making tiny changes to a base password. “I have heard from many users that they include the month (and sometimes year) of the password change in their passwords as an easy way to remember frequently changed passwords,” Cranor writes.

The problem with these types of small tweaks is that a bad actor who knows your old password will be able to easily guess your new password, since it isn’t substantially different. Cranor gives examples of two studies in which researchers showed that frequent password changes don’t significantly hinder attackers. She also notes that password changes don’t necessarily accomplish anything if a system has different or additional cybersecurity flaws that need to be addressed.

Re-examining frequent password changes isn’t a new idea. The National Institute of Standards and Technology talked about the approach’s limitations in a 2009 report. The agency wrote, “Organizations should consider having different policies for password expiration for different types of systems, operating systems, and applications, to reflect their varying security needs and usability requirements.”

It’s refreshing to see a government agency talking about new trends in IT security, instead of scrambling to minimally maintain legacy systems. And given how annoying, even onerous, it is to change your password all the time, it’s exciting to think that better cybersecurity and laziness might finally go hand in hand.

Now, this doesn’t get you out of choosing strong passwords in the first place, changing passwords when you think they may have been compromised, and ideally getting a password manager. But you know the drill by now, right?