Why “It’s Time to Change Your Password” May Be a Bad Idea
In the fall of 2014, a North Korean-backed hacker group called the “Guardians of Peace” released a treasure trove of data stolen from Sony Pictures. The hack was designed to pressure the movie studio into not releasing a movie titled “The Interview,” a comedy about a hypothetical plot to assassinate North Korean leader Kim Jong-un. The embarrassment from the hack was extensive — at least one Sony executive lost her job over revelations from the emails that the hackers obtained, and Sony spent millions in over the subsequent months to address the fallout.
And of course, the Sony hack wasn’t the only cybersecurity then or since. According to a 2022 report by IBM, the average cost of a data breach in the United States is more than $9 million. and most companies — 83% of those surveyed — believe that some sort of data breach is a question when, not if. Suffice it to say that cybersecurity is a major concern for businesses small and large.
To protect against hacks, many companies require employees to change their passwords often — some as frequently as every two weeks. It’s common sense, right? If a bad guy gets your password, but you change it before he can use it, what he has is worthless, right?
Well — probably not. In this case, conventional wisdom may be counterproductive.
In 2009-2010, researchers at the University of North Carolina dug into the question. The FTC summarizes their experiment:
The UNC researchers obtained the passwords to over 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every 3 months. For each account, the researchers were given a sequence of 4 to 15 of the user’s previous passwords – their total data set contained 51,141 passwords. The passwords themselves were scrambled using a mathematical function called a “hash.”
In theory, that data should be useless — old passwords, again, are not the users’ current passwords. But we’re creatures of habit, and even though our employers want us to use brand new passwords, we prefer to use memorable ones. Per the FTC’s summary, the researchers “bserved that users tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
And unfortunately for anyone looking to protect a network from malfeasors, those “transformations” gave the UNC researchers enough information to predict other possible passwords. Given multiple tries, the research team was able to guess the last-used password of 60% of the accounts. In other words, changing passwords often gives hackers a rather easy way in.
This isn’t a surprise to the U.S. government, though. That FTC article is from 2016 — seven years ago — and concludes that “frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.” The National Institue of Standards and Technology (part of the U.S. Department of Commerce), per PC Mag, came to a similar conclusion in 2017: “Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.” So if you’re asked to change your password for no reason, you may want to let your cybersecurity team know: they may be making the company less safe.
From the Archives: The Tractors that Turn Farmers into Hackers: I’m pretty sure recent litigation has made this totally legal, but I have to check.