Mandatory Password Changes Don't Make You More Secure

by Chelsey B. Coombs on March 03, 2016


Every few months or so, many of us get a dreaded email, urging us to change our account passwords lest we be locked out of our accounts. Unfortunately, this longstanding security advice might not make you any more secure, according to Lorrie Cranor, the Federal Trade Commission's Chief Technologist.

Cranor's blog post on the subject points to two studies that show changing your passwords may actually be "counterproductive." She explained that most systems scramble your passwords using a function called a hash, which makes it harder for hackers to find the actual passwords and gain access to your accounts. When you type your password to log in, it is run through the same hash function; if this hash-scrambled version of your password matches the scrambled version that is on file, the system will let you in. Unfortunately, people with malicious intent can steal the hashed password file and use another computer with password cracking tools that allow them to guess the correct, non-scrambled passwords.

Researchers at the University of North Carolina, Chapel Hill, used these tools to test just how easy it would be to guess the passwords of 10,000 defunct accounts. Because users at the university must change their password every three months, each account had a record of four to fifteen of its previous passwords.

After several months, the researchers had cracked 60 percent of the 51,141 passwords, even with the hash system. They found that just knowing an account's previous password allowed them to guess the next password of 17 percent of the accounts in five tries or fewer. That’s because most people only slightly change their former password when prompted to make it easier to remember.

Cranor cites another study, done by Carleton University researchers, which showed that hackers aren't really slowed down by making users change their passwords, and that the policy ends up inconveniencing users unnecessarily. Their takeaway was that it's really up to system administrators to make sure their systems are more secure.
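To make the two points above concrete (the hashed login check, and why a password that is only a slight edit of the old one buys nothing), here is an added Python example, not code from the article or from either study. It stores passwords with a salted PBKDF2 hash, and at change time rejects a new password that is a trivial variation of the old one; the transformation rules (strip surrounding digits and symbols, allow at most two character edits) are this example's own assumption about what "slightly change" means.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); the digest is what a system stores, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: hash the typed password the same way and compare to the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def _core(password: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols: 'Tarheels#1' -> 'tarheels'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is the kind of small edit of `old` the UNC study found easy to guess."""
    if old == new:
        return True
    old_core, new_core = _core(old), _core(new)
    if old_core and old_core == new_core:  # same word, only the digit/symbol changed
        return True
    return _edit_distance(old.lower(), new.lower()) <= max_distance


def change_password(old: str, new: str) -> tuple:
    """Refuse a predictable change; otherwise return the new (salt, digest) to store."""
    if is_predictable_change(old, new):
        raise ValueError("new password is a trivial variation of the previous one")
    return hash_password(new)
```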

Cranor suggests that passwords should only be changed if you have reason to believe you have been hacked or your password has been stolen. Pay attention to the retailers who say payment and account information has been compromised (as we saw with Target in 2014), because if you have shopped there, your info could be at risk.

It’s also best if you make your password as strong as possible, and set up two-factor authentication for all of your accounts.

[Password Change Calendar via Markus Gann/Shutterstock]
