Common computer wisdom recommends changing your passwords to various accounts frequently. Your office or college requires you to change your email password what seems like every 25 minutes, and every time it seems harder to figure out a new alternative.
— FTC (@FTC) January 27, 2016
But there’s a reason not to bother. Lorrie Cranor, the FTC’s chief technologist (how’s that for an awesome title?) says it’s probably not worth the trouble. In fact, she says, it may actually make it easier for hackers to break in.
And she’s not just saying it, either. Cranor’s got data from a few studies to back her up.
The logic behind changing your password frequently rests on a scenario in which an attacker has already gotten hold of your password. Forcing a change every three months or so is meant to cut off that attacker's continued access to your account.
But there are a few problems with that logic before we even get to the changing-passwords part. According to a study at UNC Chapel Hill, if a hacker gets access to your account, it's entirely possible that they do all the damage they want to do right away, by posting something incriminating or drastically changing your account. And as Cranor points out in a blog post, there's also the scary possibility that the hacker installs a keylogger or other malware that gives them continued access to your account even after you change the password.
But let’s assume for a minute that the hacker doesn’t do either of those two things, and just wants to hang on to their account access for as long as possible. There are still a lot of problems with how people tend to change their passwords when they are required to do so.
The real problem is that most people don't bother to make their new passwords unique. Instead, the study found, most people change their passwords using something called transformations, which essentially means modifying the old password slightly rather than replacing it. You know – turning MyfavoriteColor97! into MyfavoriteColor98!. We've all done it. The most common transformations include adding one to any number in the password, changing letters to look-alike special symbols, adding or removing special symbols already in the password, and switching the order of numbers and special symbols when they appear together. All of these changes either leave the substance of the password intact or alter it in a predictable way.
Changes like this spare users from having to memorize an entirely new password, or from writing it down and risking someone else finding it. But the problem is that if a hacker knows your old password and you change it only slightly, it's very easy to figure out what your new password is. And that's before taking into account that hackers use automated tools to do the guessing. Researchers found that for 17% of the (old, unused) university accounts they studied, knowing a past password let them guess the current one.
If hackers can crack passwords offline (that is, guess against a stolen copy of the stored password hashes, where nothing limits the number of attempts), they can guess the current password for 41% of the accounts with related passwords within three seconds.
Yeah. Three seconds.
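To make concrete what a transformation-based guess looks like, here is an added example, written for this edit and not code from the FTC post or the UNC study. It encodes a simplified version of the transformation categories listed above, expands an old password into the neighborhood of likely successors, checks those candidates against a stolen hash the way an offline attacker would, and then reuses the same generator as the check a password-change form could run before accepting a "new" password. The rule table, the salted SHA-256 stand-in for the server's hash, and the sample passwords are this example's assumptions, not details taken from the studies.

```python
import hashlib
import re

# Simplified transformation rules, modeled on the categories the UNC study
# reports (increment digits, letter-to-symbol substitution, add/remove a
# trailing symbol, swap trailing digits and symbols). The exact table is this
# example's own assumption, not the study's rule set.
LETTER_TO_SYMBOL = {"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"}
SYMBOLS = "!@#$%^&*"
TRAILING_DIGITS_THEN_SYMBOLS = re.compile(r"(\d+)([!@#$%^&*]+)$")
TRAILING_SYMBOLS_THEN_DIGITS = re.compile(r"([!@#$%^&*]+)(\d+)$")


def transformations(old):
    """Return the set of passwords one transformation step away from `old`."""
    cands = set()

    # Rule 1: add (or subtract) one or two from every run of digits.
    for m in re.finditer(r"\d+", old):
        width = len(m.group())
        for delta in (1, 2, -1):
            new_digits = str(max(int(m.group()) + delta, 0)).zfill(width)
            cands.add(old[:m.start()] + new_digits + old[m.end():])

    # Rule 2: replace one letter with a look-alike symbol.
    for i, ch in enumerate(old):
        sub = LETTER_TO_SYMBOL.get(ch.lower())
        if sub:
            cands.add(old[:i] + sub + old[i + 1:])

    # Rule 3: drop the trailing symbols, or append one more.
    stripped = old.rstrip(SYMBOLS)
    if stripped and stripped != old:
        cands.add(stripped)
    for s in SYMBOLS:
        cands.add(old + s)

    # Rule 4: swap the order of trailing digits and trailing symbols.
    for pat in (TRAILING_DIGITS_THEN_SYMBOLS, TRAILING_SYMBOLS_THEN_DIGITS):
        m = pat.search(old)
        if m:
            cands.add(old[:m.start()] + m.group(2) + m.group(1))

    cands.discard(old)
    return cands


def neighborhood(old, depth=2):
    """All passwords reachable from `old` in up to `depth` transformations."""
    seen = {old}
    frontier = {old}
    for _ in range(depth):
        frontier = set().union(*(transformations(p) for p in frontier)) - seen
        seen |= frontier
    seen.discard(old)
    return seen


def stored_hash(salt, password):
    """Stand-in for the server's stored password hash (assumption: salted
    SHA-256; a real system should use a slow, purpose-built password hash)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def offline_guess(old, salt, target_hash, depth=2):
    """Attacker's view: knows the old password and has stolen the salt and
    hash of the new one, so nothing limits how many candidates are tried."""
    for cand in sorted(neighborhood(old, depth)):
        if stored_hash(salt, cand) == target_hash:
            return cand
    return None


def is_trivial_change(old, new, depth=2):
    """Defender's view: a change form that asks for the old password can run
    the same generator and refuse any new password the attacker would find."""
    return new == old or new in neighborhood(old, depth)


if __name__ == "__main__":
    # Constructed sample: the user bumps the year, the pattern the article
    # describes. The salt is made up for the demonstration.
    old_pw, new_pw, salt = "MyfavoriteColor97!", "MyfavoriteColor98!", "s4lt"
    print("candidates tried:", len(neighborhood(old_pw)))
    print("offline guess:", offline_guess(old_pw, salt, stored_hash(salt, new_pw)))
    print("policy rejects new password:", is_trivial_change(old_pw, new_pw))
    print("policy rejects unrelated password:",
          is_trivial_change(old_pw, "plinth-otter-vellum-49"))
```

Two steps of transformation on an 18-character password yield only a few hundred candidates, which is why the offline guess in the study lands in seconds; the same tiny search space is what makes the defender-side check cheap enough to run on every password change.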
Another study, at Carleton University, modeled the question statistically and found that forcing frequent password changes barely hinders attackers. It does, however, cause considerable inconvenience to users, and extra work for the systems and help desks that handle resets when users inevitably forget the new password. The study found that hardening the hash — the one-way scrambled form in which the system stores passwords so it can check a login without keeping the password itself — does more to keep attackers out, since one common way in is to steal the stored hashes and guess against them offline.
So then when should you change your password, according to Cranor?
Change it when you believe it has been compromised, when you have had to share it with someone, or when you realize it wasn't very secure in the first place. Just be sure to change it to something genuinely new, not a slight variation on the old one.