First flossing, now password changes: Some of the oldest advice handed down appears to not have as much evidence to back it up as we thought.
Lorrie Cranor, a widely respected researcher appointed late last year as the FTC's chief technologist, said she was caught off guard upon reading an official FTC tweet that suggested regularly password changes were a best practice:
Indeed, at a recent BSides Las Vegas presentation, she said she started digging into where the recommendation came from, and found that FTC employees thought that, because their agency made them change passwords regularly, it was something others should do as well.
Instead, according to 2010 research she pointed staff to, it mostly just encourages users to add additional numbers at the end of their existing passwords, which provides a negligible barrier to cracking them.
"The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," Cranor explained, according to an Ars Technica story on the talk. "They take their old passwords, they change it in some small way, and they come up with a new password."
Instead, frequent password change rules generally frustrate users and might lead to them ignoring other, more useful security rules (like not marking down passwords on paper). At the very least, it hampers productivity. For Cranor, Ars reported, there was a happy ending:
"I'm happy to report that for two of my six government passwords, I don't have to change them anymore," Cranor said. "We're still working on the rest."
Maybe it's time other businesses try the same.