Do we all really need to keep changing our passwords?
The chief technologist at the FTC says frequent password changes can actually harm security, but some security administrators are still pushing back.
File picture illustration of the word 'password' pictured through a magnifying glass on a computer screen, taken in Berlin May 21, 2013.
Pawel Kopczynski/Reuters/File
For the seventh time this year, the almost automatic process of logging into the work computer is interrupted by a dialogue box reminder. It's time to think of yet another new password.
It's complicated. It's annoying. And according to Lorrie Faith Cranor, a password researcher and the Federal Trade Commission's (FTC) chief technologist, it is also unnecessary.
"It became more and more clear that requiring frequent password changes generally wasn't helping security and was really annoying users, leading them to less secure behavior," Ms. Cranor tells the Monitor in a telephone interview.
This was not the first time she had opposed password expiration, nor is she the first to question its effectiveness, but coming from someone in her position, it could herald a small shift in password policy.
"It's still in the category of [being] a somewhat radical idea just because so many organizations are still refusing to change," she says.
Requiring new passwords regularly is a common practice, but not one backed up by security research, Ms. Cranor noted in a blog post contributed to the Monitor's Passcode in March.
"Today, unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases," she wrote. "And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren't taken to correct security problems."
For at least 15 years, "People have been saying it, but the people who have been in charge of making password policies for the most part haven't been listening," Cranor says.
She to her "radical idea" in a keynote for the , ArsTechnica reported.
"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?' I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.' "
FTC security officials wanted back-up research, and she directed them to a 2010 study from the University of North Carolina-Chapel Hill. Researchers from university accounts and tested their strength against common hacking methods. They found that users who were pestered by constant requests for password changes tended to make only slight "transformations," leaving weak passwords weak and susceptible to hacking.
Although some security professionals have written to Cranor since she began speaking, often with compliments on an idea they have had for years, others were confused about whether they should ever change their password.
In reality, it is only the requirement to frequently change passwords that these researchers are speaking out against. If a particular password has been shared or somehow compromised, it must be changed, as the Passcode contributors have written in detail. And if a given organization requires users to share their passwords frequently, then administrators may be wise to ask regularly for an updated password.
The idea has some support internationally, as a study from Carleton University in Ottawa, Canada, found the "relatively minor at best, and questionable in light of overall costs." The information security authority for the British government released a new advisory against it in its 2015 password guidance, in April.
Pushback remains, however. Many organizations have stopped requiring the frequent password changes, but others have rejected the new idea, saying that removing password expiration risks failing a security audit.
"Until there's a security standard that says it's OK not to change passwords all the time, I think some organizations are not going to be comfortable with it," Cranor says.
[Editor's note: This article has been updated to correct the name of the University of North Carolina-Chapel Hill.]