When it comes to changing your passwords, just how often is often enough but still not so often that it undermines security? In a recent tweet, Jason Harris brought up the confusing and often conflicting advice of changing passwords. The response doesn’t fit into 140 characters, so we took to our blog to cover the basics.
The short answer is:
BUT
Here’s the deal: for years – since the 90’s, at least – IT departments everywhere set their systems to require a password change every month. The logic behind this was generally two-fold:
Of course, the requirement to change your password came with rules that had to be followed. Back in the day – remember, this was the 90’s, the decade of grunge, fanny packs and mullets – these were typically along the lines of: 8 characters minimum, at least one uppercase letter, at least one lowercase letter, and a digit (0-9) and/or a punctuation mark – and you’re not allowed to reuse a password within a 12 month window.
What an awesome plan!
Actually, it’s not such a bad idea, but the result ends up being like so many of the best laid plans of mice and men…
The problem – discovered over these past couple of decades – isn’t a technology problem. As often happens, it’s a problem of human nature. A recent study by KoreLogic shows that requiring us to change our passwords in this way results in people defaulting to patterns. And the patterns are known to the bad guys, who can then exploit them for personal gain and profit.
To see how this works, we’ll start by pointing out that humans are amazing creatures that will do anything to make things easy for themselves. This drives innovation (e.g. the wheel!), but it also leads to bad habits – at least as far as password security is concerned.
Given the password rules above, let’s say you entered August1! as your password at the beginning of the month. It’s easy to remember and it meets all the rules – high five to you! But, within that one password, we see several patterns at play:
All of a sudden, instead of having 1.67 x 10^15 possible truly random combinations for those 8 characters, we’ve undercut corporate security by six orders of magnitude, down to 1.36 x 10^9. In today’s computing terms that’s a huge difference for a hacker: hours instead of weeks or months. And that’s not even going into dictionary attacks for variations of August!
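To make the keyspace comparison concrete, here is a small Python example added for this post (it is not Sticky Password’s code or the KoreLogic study’s method). It encodes the 90’s-style policy described above, flags the Word+digits+symbol shape that August1! follows, and counts how many passwords a truly random 8-character password versus that pattern could produce. The 80-symbol keyboard alphabet, the one-billion-guesses-per-second attack rate, and the short list of “popular” punctuation marks are assumptions chosen for illustration; the month list is the only thing the pattern count is built from, so it understates what a real cracker would try.

```python
import math
import re
import string

# Assumptions added for this example (not from the post): an 80-symbol keyboard
# alphabet (80^8 is about 1.68 x 10^15, matching the figure above) and an
# offline guessing rate of one billion guesses per second.
ALPHABET_SIZE = 80
GUESSES_PER_SECOND = 1_000_000_000

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
# Constructed: the handful of punctuation marks people usually reach for.
COMMON_SYMBOLS = "!@#$%^&*"


def meets_1990s_policy(password: str) -> bool:
    """The rules described in the post: at least 8 characters, at least one
    uppercase letter, at least one lowercase letter, and a digit and/or a
    punctuation mark."""
    if len(password) < 8:
        return False
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    return has_upper and has_lower and (has_digit or has_punct)


# Capitalised word, then 1-4 digits, then a single punctuation mark.
WORD_DIGITS_SYMBOL = re.compile(r"^[A-Z][a-z]{2,}\d{1,4}[^\w\s]$")


def looks_patterned(password: str) -> bool:
    """Flag the Word+digits+symbol shape that August1! follows. A policy
    check like this can reject the pattern even though it passes the rules."""
    return WORD_DIGITS_SYMBOL.match(password) is not None


def random_keyspace(length: int, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of passwords of this length drawn uniformly from the alphabet."""
    return alphabet_size ** length


def pattern_keyspace(words, digit_positions: int = 1,
                     symbols: str = COMMON_SYMBOLS) -> int:
    """Number of passwords of the form Word + digits + one symbol."""
    return len(words) * (10 ** digit_positions) * len(symbols)


def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)


def worst_case_seconds(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the assumed guess rate."""
    return keyspace / rate


def compare(password: str) -> dict:
    """Policy verdict plus keyspace figures for a random password of the same
    length and for the month-based pattern."""
    full = random_keyspace(len(password))
    patterned = pattern_keyspace(MONTHS, digit_positions=1)
    return {
        "meets_policy": meets_1990s_policy(password),
        "patterned": looks_patterned(password),
        "random_keyspace": full,
        "random_bits": round(entropy_bits(full), 1),
        "random_worst_case_days": worst_case_seconds(full) / 86400,
        "pattern_keyspace": patterned,
        "pattern_bits": round(entropy_bits(patterned), 1),
        "pattern_worst_case_seconds": worst_case_seconds(patterned),
    }


if __name__ == "__main__":
    # Constructed sample passwords: two patterned ones and one random-looking one.
    for pw in ("August1!", "Summer2016!", "xT7#qL2p"):
        print(pw, compare(pw))
```

Run as a script it shows that August1! and xT7#qL2p both satisfy the old policy, but only the first matches the pattern, and that the month-based pattern collapses roughly 50 bits of keyspace to under 10. The point for a defender is that a reject-on-pattern check (or a generated random password) does more for security than another forced monthly change.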
The problem is that bad guys have figured out that lots of people fall into these patterns. As the study revealed so nicely, the number of people falling into identifiable patterns with their passwords is high enough that the bad guys basically don’t even have to try to crack the hard passwords.
THAT’s the problem with changing passwords frequently.
The problem we’re faced with in the media now is that this has been oversimplified to “don’t change passwords.”
The point is to change to a strong password. A password generator like the one built-in to Sticky Password is great for creating strong passwords and storing them for you, too!