Forcing users to change their passwords may do more harm than good

Research into compulsory password changes found that they didn't necessarily improve security, according to the FTC's Chief Technologist, Lorrie Cranor

Forcing users to change their passwords regularly "may actually do more harm than good," according to Lorrie Cranor, who is both the US Federal Trade Commission's Chief Technologist and a professor at CMU. The topic has been debated for decades, but Cranor's recent blog post has some serious research to back up her point.

One interesting finding was that if the researchers cracked a password, they could often (in 17% of cases) get that user's next password in less than five guesses. Unfortunately, when forced to provide a new password, users often made a minor change to their existing password. For example, in a simple case, secret10jan could be changed to secret10mar.

The main point of forcing password changes is to lock out people who know a legitimate user's password. But if users make programmatic changes, anyone who knows the old password can probably work out the new one as well.
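A change-time check can catch the kind of minor edit described above. The following is an added example, not code from Cranor's post or the cited paper: it assumes the user types the current password into the change form, so both values are available in plaintext at that moment, and the function names, month list and two-edit threshold are illustrative choices.

```python
import re

# Month abbreviations users tend to rotate through (assumption for this example).
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
MONTH_RE = re.compile("|".join(MONTHS))


def skeleton(password: str) -> str:
    """Reduce a password to the part a user tends to keep across changes."""
    s = password.lower()
    s = MONTH_RE.sub("M", s)    # any month abbreviation -> one placeholder
    s = re.sub(r"\d+", "D", s)  # any run of digits -> one placeholder
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, keeping only two rows of the table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is `old` with a counter, date or suffix tweaked.

    Very short inputs always fall under the threshold; minimum length
    is assumed to be enforced by a separate rule.
    """
    so, sn = skeleton(old), skeleton(new)
    return so == sn or edit_distance(so, sn) <= max_edits


if __name__ == "__main__":
    # Constructed sample pairs; the first is the article's own example.
    for old, new in [("secret10jan", "secret10mar"),
                     ("Summer2015!", "summer2016"),
                     ("secret10jan", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: minor variation = {is_minor_variation(old, new)}")
```
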

Further, Cranor notes that "There is also evidence from interview and survey studies to suggest that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down."

Again, this is what you'd expect. Users who are asked to create a secure password that will last them a decade might come up with something harder to guess but, initially, somewhat harder to remember. If asked to create a password that will only last three months, they're more likely to pick something less burdensome and therefore easier to crack.

Rather than forcing password changes, then, it's probably better to make people use longer (generally stronger) passwords, and to enforce the use of some non-alphabetic characters. As a way of increasing password security over the long term, education probably beats compulsion.

Of course, with important systems, it's better to enforce some form of two-factor authentication. Even if the best user-generated passwords can withstand today's advanced cracking techniques, they are still susceptible to shoulder-surfing, phishing, and social engineering attacks.

The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis (PDF)