Why You Don't Need to Change Passwords So Often
Updated: Nov 1, 2019
eWEEK SECURITY ANALYSIS: New research reveals that mandatory periodic password changes will make your enterprise less secure than simply leaving them alone.
The audience at the recent NetEvents conference in San Jose snapped to alertness when Ted Ross, CEO of SpyCloud, told them to stop changing their passwords so often. In fact, Ross said, passwords should be left alone unless you know that they’ve been breached. The reason, he explained, is that people tend to pick passwords that are easy to remember, which also makes them easy to guess.
In a subsequent interview, Ross said that people tend to use variants of the same old password when asked to think up a new one. “What we’ve found is that there are so many passwords out there that all the criminals need is to find an old password,” Ross said. “People change their passwords to something that’s already been exposed.”
What this means is that your old password is likely already available on the dark web and can be used as a starting point for testing variants. If there are multiple passwords on the dark web, then hackers can see patterns in how you change passwords, which simplifies their work considerably. The more times you change a password, he explained, the greater the chance that one or more of those old passwords will be found out.
This is exacerbated by the number of sites for which you need to have passwords. “The average user has over 200 sites to log into,” Ross said. “Nobody can remember 200 passwords.”
This is also what happens when people are asked to change their passwords on a regular basis, such as every 90 days. “Decades ago we were concerned about a criminal trying to log in to your account,” Ross explained. “If they were smart enough to stay under your brute force level, they could keep trying.”
The brute force level refers to the number of failed login attempts you are allowed before your access to a site is blocked. Most sites allow at least three attempts to accommodate ham-handed typists. Some allow more tries, and some don’t limit failed password attempts at all.
Depending on the complexity of a given password, the ease in cracking it varies significantly. A good attacker with the right software can crack a password that’s short and uses existing words in a few minutes. A password that’s 99 characters long and consists entirely of random characters can require more time than the expected age of the universe. But if you’re reusing the same password with minor variations, then cracking it can be much faster and easier. Once the attacker knows specific strings of characters that are usually in your passwords, he can tell his software where to start.
The obvious answer to dealing with this many complex passwords is to use a password manager. A good manager will work with every platform in use in your organization, including Windows and Macintosh computers and Apple and Android phones and tablets. It should be able to share passwords among your devices, and it should be able to generate complex passwords and save them to the sites where you need them.
And, of course, there’s more. The password manager should be able to check your password against the list of millions of exposed passwords on the dark web, and it should accommodate limits to passwords on some sites that only allow a specific number of characters, or that restrict the complexity of passwords by banning special characters or numbers.
Ross noted that SpyCloud maintains a database of exposed passwords that is updated in near real time, so passwords can be checked there before they’re changed. He also noted that two password managers, Dashlane and Keeper, automatically check passwords against the SpyCloud database.
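The variant problem described above (a "new" password that is an old exposed one with a counter bumped or a character swapped) can be caught at password-change time. The following is an added example, not SpyCloud's, Dashlane's or Keeper's code: it checks a candidate password against a small constructed set of previously exposed passwords, both after normalizing the usual tweaks and by edit distance, and rejects near-variants. The exposed set, the leet substitution table and the distance threshold are assumptions chosen for illustration.

```python
import re
from typing import Iterable, Optional

# Constructed sample of this user's previously exposed passwords (not real data).
EXPOSED = {"Summer2018!", "summer2019", "Welcome1"}

# Assumed table of common character substitutions people use to "change" a password.
LEET = str.maketrans("@$!013", "asiole")


def normalize(pw: str) -> str:
    """Collapse the usual tweaks (case, trailing/leading counters, leet
    substitutions) so 'Summer2018!' and 'summer2019' compare equal."""
    s = pw.lower()
    s = re.sub(r"[\d\W_]+$", "", s)  # strip trailing counters: 2019, !, 123#
    s = re.sub(r"^[\d\W_]+", "", s)  # strip leading ones too
    return s.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def weak_variant_of(candidate: str, exposed: Iterable[str], max_dist: int = 2) -> Optional[str]:
    """Return the exposed password the candidate is a near-variant of, or None.

    A candidate is rejected if it equals an exposed password, if it normalizes to
    the same core, or if its normalized core is within max_dist edits of one.
    """
    cand_core = normalize(candidate)
    for old in exposed:
        if candidate == old:
            return old
        old_core = normalize(old)
        if cand_core == old_core or edit_distance(cand_core, old_core) <= max_dist:
            return old
    return None


def is_weak_variant(candidate: str, exposed: Iterable[str] = EXPOSED) -> bool:
    """True when the candidate should be rejected at password-change time."""
    return weak_variant_of(candidate, exposed) is not None
```

A production check would query a breach database such as the one the article describes rather than a local set, but the variant logic is the same.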
It’s important to note that there are steps beyond passwords that will help secure your access to a site. The most common is two-factor authentication, so that even if someone trying to access a site has your password, they must also pass a second authentication test delivered through a channel separate from the internet connection they are using.
By now you’ve seen the type of two-factor authentication that uses a text message sent to your mobile device. While this is better than nothing, this type of 2FA can be breached. A better type uses an authentication app on your phone, or a physical device such as a smartcard or USB security key.
Biometrics are also an important means of securing access, but they depend on a hardware device that may be difficult to deploy in the enterprise, with the exception of devices with the capability built in, such as Apple’s Face ID or one of the several fingerprint readers on Android devices. While it’s possible to fool facial or fingerprint readers, it takes significant resources to pull it off, which means that the attacker probably has nation-state backing, which is outside the realm of most security access issues.
“It’s a probability exercise,” Ross explains. The goal is to reduce the probability that an attacker can figure out your password and access your account.