Frequent Password Changes Could be the Enemy of Actual Security

I am sick nearly unto death of the endless need for more and better passwords, and of how websites always have some nonsensical scheme I have to abide by to "make them more secure." Yet we don't actually do what has proven to be of more value, security-wise, with our passwords. It is not all the crazy characters: 8 characters, at least one number and one capital letter. Actual strong passwords are derived from strong entropy considerations, not just from spelling it as p4$$w0rD or deciding no one will ever think of the word avocado. The minimal bits required to get through the darn form are of no concern to most of us, and we typically just put in whatever we've always put whenever possible.

I’ve always LOVED xkcd from the first moment I read the first comic panel. They have a great visual explanation of what makes a strong password and why:

One of the more recent developments has been the DICE method of determining passwords. It works in much the same way as the xkcd approach, but picks your words from a word list using random dice rolls. And with the advances in password cracking, your password should contain, as of this writing, 6 unique words. I do this for everything that needs actual security, and I'll often add in capital letters just for a few more easy entropy bits.
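The entropy arithmetic behind the "6 unique words" advice, as an added example that is not part of the original post: each word drawn uniformly from a list of N words contributes log2(N) bits, so a real Diceware-style list of 6^5 = 7776 words gives about 12.9 bits per word, and independently coin-flipping the capitalisation of each word adds one more bit per word. The tiny word list embedded here is constructed so the script runs offline; the entropy figures are computed for the real list size, which is passed in as a parameter. The 72-symbol alphabet assumed for the "complexity rule" password is also an assumption (26 upper, 26 lower, 10 digits, 10 symbols).

```python
import math
import secrets

# Constructed sample: a tiny stand-in for a real Diceware word list.
# A real list has 6**5 = 7776 entries (one per five-dice roll); this small
# list exists only so the script runs offline. Entropy figures below use
# the real list size, passed in explicitly.
SAMPLE_WORDLIST = [
    "avocado", "lantern", "copper", "meadow", "quartz", "ribbon",
    "saddle", "thimble", "velvet", "walnut", "yonder", "zephyr",
]

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, indexed by five dice rolls


def bits_per_choice(alphabet_size: int) -> float:
    """Entropy contributed by one uniformly random pick from a set."""
    return math.log2(alphabet_size)


def passphrase_entropy(num_words: int, list_size: int = DICEWARE_LIST_SIZE,
                       random_case: bool = False) -> float:
    """Entropy of a passphrase of num_words words drawn uniformly at random
    (with replacement) from a list of list_size words. If the first letter
    of each word is independently capitalised by a fair coin flip, that
    adds exactly one bit per word."""
    bits = num_words * bits_per_choice(list_size)
    if random_case:
        bits += num_words  # one fair coin flip per word
    return bits


def charpass_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a length-character password where every character is
    chosen uniformly at random from alphabet_size symbols. This is the
    best case; a human-chosen 'p4$$w0rD' is far below it because the
    substitutions are predictable and crackers try them first."""
    return length * bits_per_choice(alphabet_size)


def generate_passphrase(num_words: int, wordlist=SAMPLE_WORDLIST,
                        random_case: bool = False) -> str:
    """Build a passphrase with the secrets module (a CSPRNG), mirroring what
    physical dice give you. Capitalisation, if enabled, is itself random:
    a fixed rule such as 'always capitalise the first word' adds no entropy
    because an attacker can apply the same rule."""
    words = []
    for _ in range(num_words):
        word = secrets.choice(wordlist)
        if random_case and secrets.randbits(1):
            word = word.capitalize()
        words.append(word)
    return " ".join(words)


if __name__ == "__main__":
    # Assumed 'complexity rule' alphabet: 26 + 26 + 10 + 10 = 72 symbols.
    print(f"8 random chars from 72 symbols: {charpass_entropy(8, 72):.1f} bits")
    print(f"6 Diceware words:               {passphrase_entropy(6):.1f} bits")
    print(f"6 words + random capitals:      "
          f"{passphrase_entropy(6, random_case=True):.1f} bits")
    print("Sample from the tiny constructed list (NOT for real use):",
          generate_passphrase(6, random_case=True))
```

Running it shows roughly 49 bits for the fully random 8-character password against about 78 bits for six Diceware words, and about 84 bits with random capitalisation. The point the post makes about entropy is visible in the numbers: the word list is large, so each word is worth about two "complex" characters, and the phrase is still something a person can remember.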

For low-impact concerns I have a mutation-based password method that I use. It has a permutation pattern that I can apply quickly and easily. But I know it is not ACTUALLY a secure password. However, it is typically enough against the quick drive-by password attempts; at least it isn't drowssap1. And because of the mutations I don't reuse the same password, so if one platform is compromised it doesn't put my bank accounts at risk.

There was an interesting article today on Ars Technica regarding passwords and the policies we enact in the attempt to be more secure, such as 60- or 90-day mandatory password resets:

Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking.

It was very interesting to see that it is the opinion of some within the FTC that frequent password changes are actually the enemy of security! And there are studies that show frequent password changes minimally change the chance of a password being cracked, and are actually counterproductive.

Of course the worst part of all the mandatory password changes is that most people are unable to remember the nonsense, and they put themselves at risk and destroy all security by writing their passwords on Post-it notes or taping them under the keyboard or in a drawer.

Do yourself a favor and at least update your secure passwords to something you can remember without having to write it out.


    This is an interesting read. I do believe that there is a misconception that changing a person's password every 30, 60, or 90 days will improve security. Changing the password isn't effective if the passwords are not strong or, as the author states, containing more entropy bits. I know friends who are older and use the same basic password for all their accounts. It will either be the name of their children, birthdays, or the address they live at. For them, changing passwords frequently with the same level of entropy bits will not improve their security. Any person who is close to them, or anyone with reasonable expertise in looking at Facebook profiles, has a good chance of guessing their password. That is another area that needs to be focused on with security and a person's passwords. A person could think that no one will guess their password because it's their specific car model, for example Aventador. However, if a person keeps their Facebook open and not private, with pictures of their car, it's another way to be hacked and have their password guessed. Password security comes in all forms of privacy improvement while online. It is important to have a password that does not relate to personal life but is also something that can be remembered easily. The article brings a good perspective about passwords and how we can improve them.