According to the Federal Trade Commission’s Chief Technologist, forcing users to frequently change their password can be counterproductive when it comes to fighting data breaches. Mind you, it’s not the frequency itself that leads to security weaknesses.
Rather, it’s what happens at the weakest link in most security systems — individual behavior — that leads to such a situation.
Research in 2010 Backs Her Up
What prompted the FTC’s Chief Technologist (and former Carnegie Mellon University professor), Ms. Lorrie Cranor, to speak out about the possibly self-defeating security practice? Apparently, she saw the FTC’s social media arm tweet: “Encourage your loved ones to change passwords often, making them long, strong, and unique.” Since the FTC requires employees to change their passwords every 60 days, they assumed it was a good security practice for all.
And many people would agree. After all, there is nothing wrong with frequent password changes, except that most people tend not to follow the advice through to the end. As the results of a 2010 study show, when people were forced to create “new” passwords, they made small tweaks to the old ones, which is not quite what is expected when creating “unique” passwords. These small tweaks, called “transformations” in data security circles, turned out to be easily predictable:
…the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds. (arstechnica.com)
And while Cranor at the FTC noted:
“The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor explained. “They take their old passwords, they change it in some small way, and they come up with a new password.”
It seems to me that this is not quite the whole story. The research (PDF) does not actually have a control group – that is, the only data set is for people who were forced to change their passwords every 90 days. How does that compare to people who are not forced to change their passwords so frequently? For example, does the same pattern hold for people who are forced to change their passwords every 180 days or 365 days? How about people who are not forced to change their passwords but still do so of their own accord?
My own unscientific view is that the 2010 research’s conclusions would apply quite broadly to the global population at large, regardless of how often (or not) people are forced to change their passwords.
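A server-side check at password-change time that flags the kinds of transformations described above, as an added example rather than code from the article or the UNC study. The transformation classes it recognises (surrounding digits and symbols, case, leet substitutions, reversal, embedding the old password, and other small edits) and the 0.8 similarity threshold are assumptions.

```python
"""Flag a 'new' password that is only a small transformation of the old one.
Added example; transformation classes and the 0.8 threshold are assumptions."""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Common leet substitutions undone before comparison: @->a $->s !->i 0->o 1->l 3->e 4->a 5->s
LEET = str.maketrans("@$!01345", "asioleas")

def _core(pw: str) -> str:
    """Strip leading/trailing digits and symbols, lowercase, undo leet."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return stripped.lower().translate(LEET)

def classify_change(old: str, new: str, min_ratio: float = 0.8) -> Optional[str]:
    """Name the trivial transformation detected, or None if the new password
    looks genuinely different from the old one."""
    if old == new:
        return "unchanged"
    a, b = _core(old), _core(new)
    if a and a == b:
        return "same core (only case, leet or surrounding digits/symbols changed)"
    if a and a == b[::-1]:
        return "reversed"
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):
        return "old core embedded in new"
    # Catch-all for other small edits, measured on the raw lowercased strings.
    if SequenceMatcher(None, old.lower(), new.lower()).ratio() >= min_ratio:
        return "small edit"
    return None

def audit_rotations(pairs: List[Tuple[str, str]]) -> float:
    """Fraction of (old, new) rotations that the check would reject."""
    flagged = sum(1 for old, new in pairs if classify_change(old, new) is not None)
    return flagged / len(pairs) if pairs else 0.0

# Constructed sample rotations (not real credentials).
SAMPLE_ROTATIONS = [
    ("Summer2016", "Summer2017"),        # counter/year bump
    ("Tarheels#1", "tarheels#11"),       # case change + appended digit
    ("Password1", "P@ssw0rd1!"),         # leet + extra symbol
    ("correct horse", "esroh tcerroc"),  # reversal
    ("Summer2016", "blue-kettle-7"),     # genuinely new
]

if __name__ == "__main__":
    for old, new in SAMPLE_ROTATIONS:
        print(f"{old!r} -> {new!r}: {classify_change(old, new)}")
    print(f"{audit_rotations(SAMPLE_ROTATIONS):.0%} of rotations flagged")
```

Four of the five constructed rotations are flagged; the threshold is a policy knob, and raising it trades fewer false rejections for more transformations slipping through.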
Not Quite the End of Passwords
The researchers concluded that frequent password changes don’t really add to overall security, and may not be worth it when you consider how often the end users are inconvenienced. But, never changing passwords is not exactly a viable security practice either.
This is just an additional reason why using passwords as the sole form of securing or accessing data is increasingly viewed as ineffective and potentially dangerous. The numerous data breaches the world has experienced over the past decade certainly make an effective case for abandoning it.
At the same time, replacements for passwords don’t quite live up to their theoretical potential. Biometrics were supposed to bring an era of unprecedented convenience and security, since one’s fingerprint and iris are specific to the individual and highly portable (you always, hopefully, carry your fingers and eyes with you). Thumbprint and eye scanners, then, would provide better security because, unlike passwords, they couldn’t be filched, guessed at using data sets, or brute-forced. Plus, IT personnel would never have to deal with resetting passwords and performing the accompanying due diligence.
However, it turned out that biometrics can be counterfeited using photocopies, 3D printing, ballistic gels, and other methods. Furthermore, they also produce false rejections, denying access to legitimate users and prompting ridiculous questions such as “how does one ‘correct’ his fingerprint?” when a scanner repeatedly refuses to correctly identify a person.
Plus, there are the legal complications: unlike a password, physical features are not given protection under government search and seizure laws. For example, courts can order people to unlock their smartphones by placing their fingers over a biometric sensor. However, the courts cannot force a person to spit out a password.
Increasingly, it looks like the answer is not what to do with passwords, but what else to use in addition to passwords.