The reasoning behind this security practice is clear and simple: it limits the timeframe that cybercriminals have to access an account if, for some reason, they were able to obtain the password or a hint and attempt to break into the account.
The unexpected issue, however, is that after security researchers started analyzing the results of such a password policy, they were surprised to find that instead of making passwords more secure, users leaned towards using variations of the same password.
After analyzing thousands of real-world passwords, researchers at the University of North Carolina at Chapel Hill noticed that users tended to create passwords that followed a certain pattern. This means that if the pattern is identified by a would-be hacker, then the password can easily be guessed. This habit is called “transformation” and refers to the method of adding an incremental number or changing a letter to a similar-looking symbol, adding or deleting a special character, or switching the order of digits or special characters.
While the theoretical gains to personal security are positive, in actuality password aging policies place a burden on users trying to comply with them. A white paper published by researchers at Carleton University quantifies the impact of password expiration policies and the results aren’t what you’d expect.
Forced password changes do help to cut off access by unauthorized parties who somehow managed to gain possession of an account password. However, the measure provides little help against a variety of other attacks, such as keylogging software installed on a target computer, phishing scams, or malware that captures each new password and so renders subsequent changes useless. Password aging policies actually put extra stress on the user, which in most cases results in weak passwords, as users know that another prompt will appear eventually anyway.
As a result, this password policy does more harm than good because it makes passwords easy to guess, especially with the availability of sophisticated password cracking software. Since computer hardware is constantly getting boosts to performance, password cracking becomes more and more efficient and faster with each passing year, resulting in the need for stronger and more unique passwords for every account.
When Do You Need to Change Your Password?
What all this means is that you should still change your passwords, but not as often as you might think. The debate is still ongoing within the security community but as Yigal Unna, Director General of Israel National Cyber Directorate, joked during a keynote presentation at the Israel Cyber Week, passwords aren’t like underpants: you shouldn’t change them frequently.
Even if you apply good password hygiene, meaning that every account you create has its own unique and cryptographically secure password generated by a password management application or your own recipe, you still need to change the password from time to time.
For example, you should change your password if you think you were the target of a phishing scam or if someone was looking over your shoulder while you were typing in a password. The password should also be changed if you shared it with someone else – even a trusted friend, because you don’t know what kind of security measures they apply. Above all, you should change your password if you think it is weak or was stolen.
Password management applications have a neat feature that keeps an eye on data breach reports and they will notify users if a password change is needed due to a data leak. Users will also receive a notification if the password added in the ‘password bucket’ is weak or old, and changing it requires only a few clicks. It’s so easy, it’d be foolish not to use it.
Best Password Managers of 2019