Regular and required password changes are the key to sound password security, right?
Not necessarily, says InfoSec writer Taylor Armerding in a recent CSO Online article.
As Armerding writes, conventional password wisdom was challenged when FTC Chief Technologist Lorrie Cranor declared it was “time to rethink mandatory password changes.” From Cranor’s perspective, changing passwords frequently could do more harm than good because users who are required to change their passwords change them in subtle ways that are easily predictable.
Armerding also cites recent research from the University of North Carolina that seems to support this view. After analyzing passwords from more than 10,000 defunct accounts of former students, faculty and staff, researchers found it significantly easier to crack new passwords once they’d cracked an older one. If they knew a previous password, researchers could guess the newer one in fewer than five tries!
Who or what is to blame? Armerding turned to MediaPro’s own Tom Pendergast:
“Current policies set the bar far too low for complexity in passwords and don’t require multi-factor authentication, acknowledged as the best commonly-available solution,” Dr. Pendergast told Armerding.
“There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules. A surprising number of companies don’t use these basic password reinforcement functions.”
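As an added illustration (not code from the article, from MediaPro, or from the UNC study), here is a small Python password-history check of the kind Pendergast describes: it rejects common passwords and refuses a new password that is merely a predictable mutation of a previous one, the pattern the UNC researchers exploited. The denylist, the substitution map and the similarity threshold are constructed assumptions for the example.

```python
import re
import difflib
from typing import List

# Constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Character swaps users commonly apply when forced to change (assumed set).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def canonical(pw: str) -> str:
    """Reduce a password to its 'core': lower-case it, strip the leading and
    trailing digits/symbols users usually bump (e.g. 'Summer2016!' -> 'summer'),
    then undo leet substitutions ('P@ssw0rd1' -> 'password')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET_MAP)


def is_predictable_change(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is a small mutation of the old one."""
    if canonical(old) == canonical(new):
        return True
    # Catch edits inside the core too (e.g. 'dragonfly' -> 'dragonflies').
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


def check_new_password(new: str, history: List[str], min_len: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if canonical(new) in COMMON_PASSWORDS or new.lower() in COMMON_PASSWORDS:
        problems.append("matches a common password")
    for old in history:
        if is_predictable_change(old, new):
            problems.append("predictable variation of a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed history: the classic "increment the year" change is rejected.
    print(check_new_password("Summer2017!", ["Summer2016!"]))
    print(check_new_password("correct horse battery staple", ["Summer2016!"]))
```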
As InfoSec research consistently shows, the human element remains a popular inroad for cybercriminals seeking valuable personal data. Sturdy password security protocols should be just the beginning of a fully featured employee security awareness program.