Periodic password changes -- good or bad?

Credit: flickr / Steve Snodgrass

The debate about whether frequent password changing is a good or a bad practice is raging.

OK, maybe just humming along. FTC chief technologist Lorrie Cranor and some other security experts have started saying that the practice may be counterproductive -- especially if it encourages poor password selection. To push this debate a little further, let's examine the issues that are involved.

First, what are some of the more basic reasons why we might choose to go for periodic (e.g., every three months) password changes? This practice has some clear advantages and disadvantages. Here is why.

Frequent password changes are bad...

    • ...if your users are going to pick simple passwords to compensate for the frequent changes -- to make their passwords easier to remember.
go0dbye flickr / woodleywonderworks
    • ...if your users are going to write their passwords down (especially if they're writing them in places that are not at all secure).
bananas flickr / Iain Farrell
    • ...if your users are going to forget their passwords when they change them, adding dramatically to the number of tickets that your tech support team is going to have to handle.
tix flickr / Sam Howzit

Frequent password changes are good...

    • ...if they prevent captured passwords from being used.
no login flickr / Chris Harrison
    • ...if the practice lessens the chance that your users will employ the same password for many different sites (more trouble to keep them in synch).
monitors flickr / Drew Stephens
    • ...if being required to change passwords periodically makes it less likely that your users will share their passwords.
sharing flickr / Hoffnungsschimmer

One important issue to guard against weak passwords is that, no matter how frequently passwords are changed, most systems today provide some way to set complexity requirements that dictate password parameters such as length, mix of characters, re-use of previous passwords, similarity to common words, etc. For example, the practice of swapping certain characters for others that have a similar look -- @ for a, 0 for o, etc. and mixing case -- is not likely to pass the systems' password checking routines if that's all you do.

Password complexity requirements are important. On the other hand, the complexity mandates are likely inadequate when it comes to protecting your users' passwords against the ever increasing cleverness of password guessing and cracking tools. Maybe they won't let you get away with "P@ssword2" because it's too similar to a dictionary word, but will they be OK with "NapTime@2PM"? Is that a good password? It used to be. But now? Read on and judge for yourself.

As Bruce Schneier (one of my long-time security heroes) has pointed out, the key to thinking about password security and, thus, understanding the debate over frequent password changing, is to grasp the ways in which passwords might be compromised. The end goal, of course, is to keep passwords private. How do you best do that?

Today's automated password cracking tools can generate thousands of password guesses faster than you can say "open sesame." At the same time, however, most systems are going to shut you out after 5-10 of those guesses can be tried. So maybe one of the bigger dangers here is that other attackers can lock your accounts.

Some of these tools make use of dictionaries (rather than using the old brute force method of generating every possible combination of characters for reasonable password lengths). And they're likely going to apply all the standard substitutions that I mentioned above.

But that's not all! Some modern password cracking tools actually will try word combinations of various kinds. They might string together words like "allyouneedislove" and "I hate my job" (with and without the inserted blanks).

Brute force methods -- trying every possible combination -- are not used very often these days because they're time-consuming and inefficient. At the same time, the cleverness of the modern password guessing tools goes way beyond the kind of thing we worried about ten or twenty years ago.

There are tools that will take a password database -- such as your /etc/shadow file -- and try to generate usable passwords from the hashes they contain. But they have to get your shadow file.

There are also tools that use predigested lookup tables containing words along with their hashes, making it relatively easy to go from hashes to the related passwords if the bad guys can get their hands on your password hashes.

And there are tools that use multiple dictionaries or the contents of huge information collections such as Wikipedia to create password guesses that can out-think many of our most inspired password concoctions.

Serious passwords these days are long -- think 16 characters or more -- and have a pattern that is not likely to be guessed even by the cleverest of tools. Something like "ihatemyjob" is not going to stand up very well to automated scrutiny; "ImpaIciIwt@2016" (It's my party and I'll cry if I want to at 2016) stands a much better chance. Your own sentence (rather than references to well known songs or phrases) would be even better.

Another option is to go with a password that is generated by a tool such as KeePass. If you go this route, however, you are going to end up with passwords that look like "j0MxmoNnEUg9JIflizGU." You can always grab them from your password safe and paste them into place in when you need them, but that's time consuming. And, if you go this route, you should only use tools that never store your passwords in plain text in your system's memory where some variety of spyware might find them.

So the answer to the "Should passwords be changed frequently?" debate is pretty much "it depends." And I'd still say yes.

If you use really good passwords, changing them often is an additional protection -- but only if you can address the risks. Passwords becoming oversimplified, passwords being written down, and passwords following predictable patterns are going to work against you. Periodic password changing is only a good idea if the practice doesn't "dumb down" your password selection.

In time, passwords are probably going to go away and be replaced by something more effective and resistant to attack. We already have token generators that provide "three factor" authentication (username, password, and token code). These add considerably to the security of user accounts. And some systems (particularly online applications) might require that you also answer some pre-negotiated question or select a photo from a group of photos.

While we wait for more attacker-proof authentication schemes to make their appearance on our systems, token generators, truly complex passwords and tricks for remembering passwords in spite of their complexity are about all we have.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10