Every few months or so, many of us get a dreaded email, urging us to change our account passwords lest we be locked out of our accounts. Unfortunately, this longstanding security advice might not make you any more secure, according to Lorrie Cranor, the Federal Trade Commission's Chief Technologist.
Cranor's blog post on the subject points to two studies that show changing your passwords may actually be "counterproductive." She explained that most systems scramble your passwords using a function called a hash, which makes it harder for hackers to find the actual passwords and gain access to your accounts. When you type your password to log in, it is put through the hash; if this hash-scrambled version of your password matches the scrambled version that is on file, the system will let you in. Unfortunately, people with malicious intent can steal the hashed password file and use another computer with password cracking tools that allow them to guess the correct, non-scrambled passwords.
Researchers at the University of North Carolina, Chapel Hill used these tools to test just how easy it would be to guess the passwords of 10,000 defunct accounts. Because users at the university must change their password every three months, each account had a record of four to fifteen of its previous passwords.
After several months, the researchers had cracked 60 percent of the 51,141 passwords, even with the hash system. They found that just knowing an account's previous password allowed them to guess the next password of 17 percent of the accounts in five tries or fewer. That's because, when prompted, most people only slightly change their former password to make the new one easier to remember.
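As an added illustration (not part of the original article or the studies it cites), the following shows the two pieces described above: a salted, slow hash for storing passwords, and a change-time check that rejects a new password that is only a small edit of the old one (appended or incremented digits, a case change, a symbol swap), which is exactly the pattern that let the researchers guess the next password in a handful of tries. The normalization rules and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Iteration count kept modest so the demo runs quickly; production deployments
# should use a higher count (or a memory-hard function such as Argon2).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def normalize(password: str) -> str:
    """Reduce a password to its 'core': drop trailing digits/symbols, lowercase,
    and undo common letter-for-symbol swaps (constructed rule set)."""
    core = re.sub(r"[\d!@#$%^&*]+$", "", password).lower()
    return core.translate(str.maketrans("@013$", "aoies"))


def too_similar(old: str, new: str) -> bool:
    """True when the new password shares its core with the old one."""
    a, b = normalize(old), normalize(new)
    return bool(a and b) and (a == b or a in b or b in a)


def change_password(record: dict, old: str, new: str) -> bool:
    """Rotate the stored hash only if the old password verifies and the new
    one is not a trivial edit of it. `record` holds 'salt' and 'hash'."""
    if not verify_password(old, record["salt"], record["hash"]):
        return False
    if too_similar(old, new):
        return False
    record["salt"], record["hash"] = hash_password(new)
    return True
```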
Cranor cites another study, by Carleton University researchers, which showed that forcing users to change their passwords doesn't really slow hackers down and ends up inconveniencing users unnecessarily; their takeaway was that it's really up to system administrators to make sure their systems are more secure.
Cranor suggests that passwords should only be changed if you have reason to believe you have been hacked or your password has been stolen. Pay attention to the retailers who say payment and account information has been compromised (as we saw with Target in 2014), because if you have shopped there, your info could be at risk.
It’s also best if you make your password as strong as possible, and set up two-factor authentication for all of your accounts.
[Password Change Calendar via Markus Gann/Shutterstock]