Changing your password frequently might actually be less secure

Ever since there have been computers in offices, we have been told to change our passwords on a regular basis, usually every 60 days. This was done in the name of security: we were told the practice would keep out the bad guys. It has been this way for decades and has been treated as gospel; however, it may be nothing more than superstition.

Carnegie Mellon University professor Lorrie Cranor, who is also chief technologist at the Federal Trade Commission, says that requiring employees to change their password every 60 days makes systems even more vulnerable. Research indicates that people who are made to change their passwords frequently only change them by small increments. If a bad actor came into possession of someone’s old passwords, the patterns in those old passwords may let them work out the current one.

A password like “tarheels#1”, for instance (excluding the quotation marks), frequently became “tArheels#1” after the first change, “taRheels#1” on the second change, and so on. Or it might be changed to “tarheels#11” on the first change and “tarheels#111” on the second. Another common technique was to substitute the digit, giving “tarheels#2”, “tarheels#3”, and so on.
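The three transformation patterns described above are mechanical enough that a password-change handler can refuse them. The following is an added example, not code from the article or from the research it cites; it compares the candidate against the current password only, which the user must supply to authorize the change, so no plaintext history needs to be stored, and the sample pairs are constructed for illustration.

```python
import re

# Constructed sample inputs mirroring the article's patterns: case flip,
# appended digit, substituted digit, and one genuinely new password.
EXAMPLE_PAIRS = [
    ("tarheels#1", "tArheels#1"),
    ("tarheels#1", "tarheels#11"),
    ("tarheels#1", "tarheels#2"),
    ("tarheels#1", "correct-horse-battery-42"),
]


def _strip_trailing_digits(pw: str) -> str:
    """'tarheels#11' -> 'tarheels#' so that only-the-digit-changed edits compare equal."""
    return re.sub(r"\d+$", "", pw)


def is_incremental_variant(current: str, candidate: str) -> bool:
    """True if `candidate` is one of the trivial edits of `current` the article
    describes: same characters with different case, the old password with
    characters appended (or removed), or the old password with only its
    trailing digits changed."""
    cur, cand = current.casefold(), candidate.casefold()  # case-only edits collapse here
    if cur == cand:
        return True
    if cand.startswith(cur) or cur.startswith(cand):  # "tarheels#1" -> "tarheels#11"
        return True
    cur_stem, cand_stem = _strip_trailing_digits(cur), _strip_trailing_digits(cand)
    if cur_stem and cur_stem == cand_stem:  # "tarheels#1" -> "tarheels#2"
        return True
    return False


def validate_change(current: str, candidate: str) -> tuple[bool, str]:
    """Decision a change handler could return to the user; a rejected candidate
    gets a reason so the user learns why the tweak was not accepted."""
    if is_incremental_variant(current, candidate):
        return False, "too similar to the current password"
    return True, "ok"


if __name__ == "__main__":
    for old, new in EXAMPLE_PAIRS:
        print(f"{old!r} -> {new!r}: {validate_change(old, new)}")
```

Because the check runs at every change, a chain such as “tarheels#1” to “tarheels#11” to “tarheels#111” is stopped at its first step, without the server ever needing to keep older passwords in plaintext.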

Forced frequent changes can also lead people to write their passwords down on post-it notes stuck under their keyboards.

Instead of passwords, companies may want to look to biometrics, such as fingerprint readers, to secure their systems. While biometrics are not completely unhackable, they are exponentially more secure than passwords.