Frequent Password Changes Is a Bad Security Idea

I've been saying for years that it's bad security advice: it encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees:

By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on.

"The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation," Cranor explained. "They take their old passwords, they change it in some small way, and they come up with a new password."

The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.

That data refers to this study.

My advice for choosing a secure password is here.
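To make the quoted attack concrete, here is an added example (mine, not code from the post or from the UNC study) that generates the "transformations" described above from a known old password and scores how many changed passwords an attacker would hit within five online guesses, i.e. before a typical lockout. The candidate families (digit increment, digit repeat, moved capital, single case flip, other digit substitution) are taken from the quoted examples; their order in the guess list is an assumption about what users do most often, and the sample of password changes is constructed, not study data.

```python
"""Model the predictable password "transformations" the post describes and
measure what a 5-guess online attacker who knows the old password would catch.

Added example, not code from the post or the UNC study. The candidate
families come from the examples quoted above; their order is an assumption."""
import re
from typing import Iterator, List, Optional, Sequence, Tuple

# Splits a password into (head, last run of digits, non-digit tail).
_LAST_DIGIT_RUN = re.compile(r"^(.*?)(\d+)(\D*)$")


def _digit_step(old: str) -> Iterator[str]:
    """tarheels#1 -> tarheels#2 (increment) and tarheels#11 (repeat last digit)."""
    m = _LAST_DIGIT_RUN.match(old)
    if m is None:
        yield old + "1"          # no digits yet: assume the user appends a 1
        return
    head, digits, tail = m.groups()
    yield f"{head}{int(digits) + 1}{tail}"
    yield f"{head}{digits}{digits[-1]}{tail}"


def _moved_capital(old: str) -> Iterator[str]:
    """tArheels#1 -> taRheels#1: lower-case everything, capitalise one letter."""
    base = old.lower()
    for i, ch in enumerate(base):
        if ch.isalpha():
            yield base[:i] + ch.upper() + base[i + 1:]


def _case_flip(old: str) -> Iterator[str]:
    """Flip the case of exactly one letter."""
    for i, ch in enumerate(old):
        if ch.isalpha():
            yield old[:i] + ch.swapcase() + old[i + 1:]


def _digit_substitute(old: str) -> Iterator[str]:
    """Replace the last digit with any other digit (tarheels#1 -> tarheels#3, #4 ...)."""
    m = _LAST_DIGIT_RUN.match(old)
    if m is None:
        return
    head, digits, tail = m.groups()
    for d in "0123456789":
        if d != digits[-1]:
            yield f"{head}{digits[:-1]}{d}{tail}"


def transform_candidates(old: str) -> List[str]:
    """Ordered, de-duplicated guess list for the next password, given the old one."""
    seen, out = set(), []
    for family in (_digit_step, _moved_capital, _case_flip, _digit_substitute):
        for cand in family(old):
            if cand != old and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def guesses_needed(old: str, new: str) -> Optional[int]:
    """1-based position of `new` in the guess list, or None if it is not a simple transform."""
    cands = transform_candidates(old)
    return cands.index(new) + 1 if new in cands else None


def online_crack_rate(changes: Sequence[Tuple[str, str]], budget: int = 5) -> float:
    """Share of (old, new) pairs the attacker gets within `budget` guesses."""
    hits = 0
    for old, new in changes:
        g = guesses_needed(old, new)
        if g is not None and g <= budget:
            hits += 1
    return hits / len(changes)


# Constructed sample of password changes (illustrative, not study data).
SAMPLE_CHANGES = [
    ("tarheels#1", "tarheels#2"),
    ("tarheels#1", "tarheels#11"),
    ("tarheels#1", "tArheels#1"),
    ("tArheels#1", "taRheels#1"),
    ("summer2015!", "summer2016!"),
    ("correct horse", "zx9!Qm2pLw7e"),   # a genuinely new password
]

if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        print(f"{old:14} -> {new:14}  guess #{guesses_needed(old, new)}")
    print(f"cracked within 5 online guesses: {online_crack_rate(SAMPLE_CHANGES):.0%}")
```

The guess list is small (a few dozen entries for a ten-character password), which is the point: once the old password is known, the "new" one costs the attacker almost nothing, and an offline attacker with the hashes can try the whole list for every account in well under a second.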

Posted on August 5, 2016 at 7:53 AM • 63 Comments


Curious • August 5, 2016 8:07 AM

Reading this here now makes me go have a look at exactly how long my passwords are. I never had a clear idea for just how long they ought to be to be honest. I simply assumed my passwords were long enough. My passwords seem to be just below 20 chars on average, or, at least that is what I am having people believe here.

Daniel • August 5, 2016 8:51 AM

Let's be honest here. It might be poor security advice but it makes excellent and cheap security theater. We see this especially with big data breaches. When the company is too lazy to figure out what data was taken or whose accounts are actually being threatened, why not just make everyone change their password? It's exactly in line with... something must be done, this is something, let's do it!... regardless of the actual evidence. It's a good example of how public relations makes everyone worse off by externalizing costs.

Jay_B • August 5, 2016 9:02 AM

The problem is, if you make the password changes less frequent, this will still happen. So you'll just have an even quicker path to determining the old password since it will have changed less frequently.

People won't suddenly make better passwords because they have to change them less often.

alex • August 5, 2016 9:17 AM

It's true, I got lazy over the years; I started setting up passphrase schemes.

Basically any famous saying such as "dubito, ergo cogito, ergo sum" would get its vowels turned to numbers. (well... most vowels)

So dub1t03rg0c0g1t03rg0sum.

A mix of Latin and scriptkiddie =) but it was easy for me to remember.

I've moved on to other schemes.

bil • August 5, 2016 9:21 AM

With respect, I don't think your advice here is very good.

The XKCD cartoon refers to diceware passwords which are very robust passwords indeed because they are randomly generated. You shouldn't choose the words, I think that's where most folks get confused. Six random words from a 7776 word dictionary is pretty darn hard to crack.

Using a personally memorable sentence with some personally memorable tricks to modify that sentence into a password to create a lengthy password isn't random, and any scheme for memorable tricks has likely been used by many others and is thus implied in already cracked passwords.

Trust the math. And Kerckhoffs's principle.

not bad advice for people who use long random passwords • August 5, 2016 9:23 AM

Bruce, your own linked advice for choosing a secure password includes:

"Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them."

If people are wisely using long random passwords, then there is no obvious harm from changing one's password periodically, and arguably there is benefit (in case the password hashes were acquired and are being gradually cracked offline). Right?

u38cg • August 5, 2016 9:51 AM

> not bad advice for people who use long random passwords

Which is precisely no-one. There are more unicorns on the internet than there are people using truly random 20 character passwords.

r • August 5, 2016 9:52 AM

@not bad,

I have regularly used long irregular passwords since the '90s; I like to think of it like a game of hopscotch. My reservations over changing my password[s] include:

The network in question and software in use (at either end).

Carl 'SAI' Mitchell • August 5, 2016 10:08 AM

I have to chime in and agree with Bil. Humans are bad at randomness, passwords require randomness, therefore passwords should be generated by random processes, not via thinking up something that "seems" complex.

Use a password manager (like Password Safe or KeePass), and use a long Diceware passphrase as the master password. Use Diceware passphrases when necessary and possible, e.g. for logging in to the computer where your password safe file is.

Tim Bradshaw • August 5, 2016 10:13 AM

The disturbing thing about this is that I spent some time working out and writing down an algorithm for dealing with enforced password-changing while not ever actually changing password very much. The trick is that the system can keep the hashes of n previous passwords, but can only know the plain text of the current and immediately previous password. So it can fuss if you reuse the same password and if pairs of adjacent passwords are 'too close' ('password1' and 'password2') but it will be happy with sequences like 'password1', 'secret1', 'password2' 'secret2'. So what you need to remember is two base passwords, some fixed noise characters to satisfy the usual rules, and a sequence number (and you know which of the base passwords to use based on the evenness of the sequence number).

So you end up with a sequence of passwords which are trivial to guess (know two adjacent ones and you can predict all of them trivially) but which meets the rules.

Of course, I never used such sequences. Honest.

Tim Bradshaw • August 5, 2016 10:26 AM

With regards to the diceware password thing: the problem is that if you try and do that then you spend your entire life running up against idiot software limits.

I have a program which uses /usr/dict/words and OS-supplied randomness (so, something I hope really comes from thermal noise not a PRNG, still less my head) to invent passphrases. On the system I'm using now there are nearly 50,000 words in the dictionary, so getting on for 8 bits per word, if the randomness really is.

And it's just a pain: the passphrases fail the annoying 'must have noise-characters' rules so you have to add some of those to each one. Then they fail the 'by the way your password can't be longer than 31 characters but I will report this as your passwords not matching' rule, then they fail the 'you can't have spaces in your password' rule and so on.

Almost all of the software we inflict on ourselves seems to have been written by people who think it is still 1956.

Tatütata • August 5, 2016 10:32 AM

I have worked at a place which imposed quarterly password changes and saw the effects of that policy.

Instead of remembering a reasonable password which you won't have to jot down, you are enticed to create a new crummy password every few weeks. I think that the possibility for compromise is far higher in the latter case.

In one of the main production applications, some dim witted code monkey was writing the password into a system log file, "encrypted" by an algorithm far inferior to ROT13... I immediately realized this when I saw the "encoded" string next to my own userid.

I was able to see what people were choosing for passwords, and it wasn't brilliant. They were indeed generally sequential in nature.

My own passwords were heavily influenced by the annoyance which this policy caused me, and I often picked expressions which would have made Nixon blush, in the expectation that someone in the IT department might be looking at them... In addition to adding sequence numbers, I also switched languages between iterations.

The password for this particular system was also the main password for all logins (mainframe, workstation, e-mail).

I never got an award or even an acknowledgement for raising this issue.

WhiskersInMenlo • August 5, 2016 10:45 AM

I recommend a physical password safe for Grandma.

Visit the local Wal-Mart and grab one of the pocket photo albums for 4x6 photos and also grab a small batch of 4x6 note cards. Print pictures of the kids and puppy to fill it up. Note cards between the pictures for notes and, yes, passwords.

Those that use electronic password safes still need a strong key to access their password safe.

The written key need not be the exact key for most of us, but for Grandma that might be fine. It can be adjusted with a simple permutation. Two long numbers and a phrase or name... Add, subtract, multiply, add a birthday too. 1.5154178e+16, which has letters and symbols to satisfy some; 1.5s1e5c4u1r7e8e+16 if you want "secure" in it.

Note the Social Security Administration wants a password change every six months, with letters, numbers and symbols... Grandma or Gramps will NEED to write it down, and there is little need to access the site but once or twice a year (what a pain).

dolph • August 5, 2016 10:46 AM

Why not just use a password manager (to both generate and store your keys) and change your password frequently? It seems the obvious solution.

If your password manager does not generate good passwords:

#openssl rand -base64 24

Lev • August 5, 2016 10:56 AM

The other issue I don't see enough on this is the increased risk of social engineering. When passwords are changed frequently they're forgotten frequently, and reset frequently by IT support, which also means the reset procedures are streamlined to improve efficiency and become easier to social engineer. When a large part of IT support is simply resetting passwords, it's easy to talk them into resetting a specific account's password; you often don't have to do anything more than ask, with no factors required to prove you're who you say you are.

Peter Franzén • August 5, 2016 11:35 AM

My experience is that many people stay at an employer for about three years. Hence I usually recommend changing passwords every 2-3 years.

stine • August 5, 2016 11:52 AM

re: u38cg

Two of my passwords are not randomly generated 64-character strings (providing the site (THANKS MICROSOFT) lets me use a long password); they're memorable phrases with misspellings, odd capitalization and out-of-order words. Every other password that I use (currently numbering over 200) is generated by my password manager.

Sometimes this causes problems. For example, when I have to log into a server via Dell iDRAC, I have to type in a 63-character upper/lower-alpha, numeric, symbol password, correctly, in less than a minute... and sometimes this takes a dozen attempts to get it right.

On a different note, I never answer 'password hint' questions with real information, and if I can generate my own questions, they're random strings as well.

bil • August 5, 2016 12:06 PM

u38cg, I did not realize I was rarer than a unicorn, makes me feel warm and fuzzy.

Tim, a password vault solves a lot of your issues. I have something like 800 truly random passwords of various lengths, each unique for a purpose. I use diceware when I can, and just random chars when I can't. So I'm down to a half dozen diceware passwords with pads to meet complexity requirements that I remember and type regularly.

El Aura • August 5, 2016 12:07 PM

On smartphones, it is often apps themselves that require passwords to login to any service the app provides. At least on iOS, unless the app developer explicitly provides support for a password manager, this requires a copy & paste from the password manager. I wonder how easy it is for other apps or websites to access the password stored in the pasteboard? Is it advisable to overwrite that pasteboard by copying another string? On OS X, I always delete any passwords from the pasteboard via a pasteboard manager.

El Aura • August 5, 2016 12:10 PM

P.S.: I have also started to answer security questions with random, letter-based strings (stored in a password manager).

Ergo Sum • August 5, 2016 12:12 PM

Neither piece of advice is useful, including Bruce's...

What difference does the type of password you have make, if the hacker can get hold of your password hash? Cracking the hash is really not that time-consuming with all of the computing power available for this purpose, as Bruce explained.

Getting the password hash requires either local admin/root access to the authentication server and/or local system, or access to the network devices to capture it. One would have more issues on hand if the password hash is accessible by the hacker.

The source of the password security issue is the malware-infected devices that have been with us for a long time and will continue in the near future. And as such, it is questionable whether 2FA authentication systems would be a more secure form for authenticating end-users. Knowing that malware has exploited a number of 2FA systems already, authentication security issues probably will stay with us forever. Especially if the authentication devices are not secured and kept secured prior to rolling out 2FA.

Somebody • August 5, 2016 12:54 PM

One source of insecurity is imprecise thinking about security.

The number of bits of entropy in a password sets the ratio between the work required to break a password and the work required to verify the password. Really long passwords (more than about 30 bits) are only required because the people who verify the password are not willing to do enough work verifying the passwords, and they leak the hashes in the first place. Telling users to use longer passwords is telling the wrong people to fix the system.

To say 2FA is broken is pretty meaningless. 2FA covers too many different systems. Some are broken from the start. Others could actually work. It's not the two that's broken, it's the factor.

de La Boetie • August 5, 2016 1:22 PM

It's important to be clear what the password is for: the entropy needed for FDE is way larger than you'd need for an authentication with lockout. An administrator account needs to be stronger than a standard user one. One protected by 2FA can be less strong than one without. Website passwords are best done with a password manager, if necessary with some manual decoration.

Completely agree that frequent password changes are counterproductive, and the important thing is to compartmentalise and not reuse them. The 2FA can also serve as a repudiation/refresh mechanism on the actual password the system uses.

Due to typing efficiency, I'm very comfortable with the long Diceware approach, it's very memorable and not any slower than doing initial letters and frigs. I do not agree with Bruce's selection process, because it's not random, and I'd bet this showed up in password guessing. I have confidence in the roll of a lot of physical dice!

Note that EFF has refreshed some Diceware wordlists.

RIchard • August 5, 2016 3:16 PM

Perhaps more attention should be given to user names. Guessing user names has been quite easy -- in some cases trivially so, as the spam bucket shows. I avoid single-sign-on like the plague and try to make my presences on the net as uncorrelated as possible.

I submit that long random user names should be the norm and that single-sign-on as a service should be made illegal.

But I also favor the death penalty for people who signal right and turn left and anyone who uses the term 'rregardless'.

r • August 5, 2016 6:14 PM

Irrespective of your feelings on the usage of regardless, I agree with you on the point of your suggestion about usernames and people who signal right to turn left.

I add, can we include people that idle in the right lane to go straight to that list?

HappyApples • August 5, 2016 6:22 PM

RIchard wrote:

"I submit that long random user names should be the norm"

I was about to make the same point. On setting up a new entry in Password Safe I first generate a password according to the user name rules for the site, then use that as the user name, and then generate another password for the user password. I also use generated strings for security question responses.

"I also favor the death penalty for people who signal right and turn left"

Reminds me of the time I asked a passenger (while driving around a new-to-me busy city) whether I should turn right or left at a particular stop, and he then pointed left and said "go right", then when asked to clarify loudly repeated "I said RIGHT, no, the other right, the OTHER RIGHT, GO RIGHT!" while jabbing fingers only towards the left. We don't travel together any more.

Archon • August 5, 2016 7:16 PM

I work at a company that recently dropped its passwords from 90 days to 60 days. The solution for the people in the 61-90 range? Expire their passwords right now! Can't have anyone violating security policy!

I told the PHB this was a horrible idea, he did not listen. Now I have 1/3 of 2000 people calling me and very, very angry.

... anyone in Alberta need a desktop support guy? Will work for not-morons.

alex • August 5, 2016 7:17 PM

@ergo sum
That's why I changed my scheme, I realized any access to the hash would negate the effort put in.

soothsayer • August 5, 2016 9:20 PM

You should call your friends in Govt. to change this across Federal Govt.
Govt. websites have thousands of systems EACH with their own password policies and teams! EVERY ONE of them has the 90 day rule .. with 15+ characters with all kind of nuttiness -- if you don't log in and change your password .. you are locked out!

Can't reuse the recent 10 passwords! - it translates to writing the passwords all over the place .. in notebooks -- online and on monitors .. on keyboards.

This whole regime only helps keep useless people on the "help desk" busy who do nothing but reset passwords all day long.

My safe bet is that govt. is spending nearly $100 million+ a year on password maintenance systems .. payroll .. benefits .. pensions .. a whole army of troops and then countless wasted hours if you ever forget to change the password in the 90 days stipulated time -- a practically endless loop of unproductive activity.

Desmond Brennan • August 5, 2016 10:30 PM

If Bob changes the password, then an interloper Alice is guaranteed at least one failed login attempt... which is amenable to detection.

Also, credentialled logons can be stolen without the password being known.

Wael • August 6, 2016 12:03 AM

I don't view this as a complete or even valid study. It focuses on users' habits, not on intrinsic properties of long-lived passwords vs. short-lived ones. To "frequently" change passwords is rather fuzzy: what is frequent? The dictionary definition of "on many occasions" or "in rapid succession"? Then what's considered "rapid"?

I see a valid study taking this form:

  • Isolate the user from the picture and evaluate the intrinsic security properties of a static password vs. a dynamic one -- short lived vs long lived. This is an exercise in probably theory, expectations and estimation. The above study is "statistical", and user centric.
  • Study the effects, cons and pros of changing the password vs. leaving it intact (unless there are indications the password had been compromised.)
  • Study the habits of users and the mechanisms they use to generate passwords, then make proper recommendations. And this is the part the above study worked on.

I don't believe it's conclusive because the first item hadn't been resolved, and the second isn't complete, unless I missed it - and I haven't searched for such study. Should be an interesting academic research project, perhaps complementary to the one referenced here.

My stance hasn't changed much from the past: You have to decide what works for you best. There are a few vocal opponents in the same thread to my comments.

Clive Robinson • August 6, 2016 12:43 AM

@ Wael,

> probably theory,

What is the probability you are using a spell checker?

Wael • August 6, 2016 1:00 AM

@Clive Robinson,

> What is the probability you are using a spell checker?

Doubly strange! I didn't catch it even after I posted it. And you, out of all people, caught it :) Yep, the friggin spellchecker is on!

herman • August 6, 2016 1:02 AM

I only have about 3 passwords that I have to remember. The rest are in KeepassX and I have no idea what they are - total gobbledygook, 12 characters or more.

Tatütata • August 6, 2016 8:18 AM

> If your password manager does not generate good passwords:
>
> #openssl rand -base64 24

This doesn't solve the problem of creating a password that is both non-obvious and that can be easily remembered.

BTW, where does openssl get its entropy from? "/dev/random" (*nix) and "CryptGenRandom" (Windows API)? Or does it use something else?

Impossibly Stupid • August 6, 2016 10:20 AM

"This doesn't solve the problem of creating a password that is both non-obvious and that can be easily remembered."

Well, you could add extra steps to the process and do something like:

echo -n "non-obvious, easily remembered" | openssl sha1 -binary | openssl base64

But the real crux of the problem is that everyone seems to employ different "rules" for what makes for an acceptable password. So whether it's a diceware/xkcd passphrase or an encoded hash, it doesn't solve the problem of "special character" requirements or length limits.

"if I can generate my own questions, they're random strings as well."

That actually tips your hat to an attacker. If the question itself is "Pr3hR7QFQC2c", then they're not even going to bother trying, and so you'll collect less information about the attempt. You'd be better off using more common questions with "easy" answers, allowing them to trip themselves up by thinking they can answer "What is the name of your first pet?" when the actual answer you gave was "GlteLIyDYJ8".

Chris Leonard • August 6, 2016 1:05 PM

This finding does NOT imply that frequent password changes are a bad idea. It implies that policies that allow predictable password transformations are a bad idea. Why not have password change tools that run a large set of transformations on the prior several passwords compared to the new one and kick out ones that match? Microsoft does this in a minimal way, but how hard would it be to rake this data, now that we have it, and plug it into password change verification?

Gunter Königsmann • August 6, 2016 1:43 PM

If a tool keeps a list of the last n passwords of a user in order to make sure it can look at their permutations, that is a severe security risk allowing for more persistent threats: even if the user finds a way to evade the tool's prediction logic, the attacker that steals this database might be more intelligent.

It might be possible to record the plain-text password only when it is entered in order to change to a new one and then to store only the hashes of potential predicted new passwords to disallow. But that is only a practical approach for fast hashes or low numbers of predicted passwords that might easily be evaded.
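One way to implement the check Chris Leonard asks for without the plaintext store Gunter Königsmann objects to, and to see what Tim Bradshaw's alternating 'password1', 'secret1', 'password2' sequence does against it. This is an added example, not code from any product named on the page. It keeps only salted hashes of recent passwords and of their "skeletons" (the password with case and digit runs stripped), so one stored hash covers the whole family tarheels#1, tArheels#11, taRheels#2 instead of a list of predicted passwords; both plaintexts exist only inside the change call, when the user has just typed them. The skeleton rule, the edit-distance threshold for "too close" and PBKDF2 as the hash are assumptions; a memory-hard KDF would be the better choice in production.

```python
"""Password-change check that rejects predictable rewrites of recent
passwords while storing only salted hashes, never plaintext.

Added example for the thread above; not code from any product on the page.
The skeleton rule, the similarity threshold and PBKDF2 are assumptions."""
import hashlib
import os
import re
from collections import deque


def skeleton(pw: str) -> str:
    """Drop the parts users mutate (case, digit runs) so that tarheels#1,
    tArheels#11 and taRheels#2 all collapse to 'tarheels#'."""
    return re.sub(r"\d+", "", pw).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the 'too close to the current password' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PasswordHistory:
    """Per-user record of the last `keep` password hashes and skeleton hashes.

    Plaintext is only available inside change(), when the user has just typed
    both the old and the new password; nothing but salted hashes is retained.
    """

    def __init__(self, initial: str, keep: int = 10, iterations: int = 100_000):
        self.salt = os.urandom(16)
        self.iterations = iterations  # assumption; prefer a memory-hard KDF in production
        self.hashes = deque(maxlen=keep)
        self.skeletons = deque(maxlen=keep)
        self._record(initial)

    def _h(self, s: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", s.encode(), self.salt, self.iterations)

    def _record(self, pw: str) -> None:
        self.hashes.append(self._h(pw))
        self.skeletons.append(self._h(skeleton(pw)))

    def change(self, old: str, new: str) -> str:
        """Return 'ok' after recording `new`, or the reason for rejecting it."""
        if self._h(old) != self.hashes[-1]:
            return "old password incorrect"
        if self._h(new) in self.hashes:
            return "reuses a recent password"
        if self._h(skeleton(new)) in self.skeletons:
            return "only case or digits differ from a recent password"
        if edit_distance(old.lower(), new.lower()) < max(3, len(new) // 2):
            return "too close to the current password"
        self._record(new)
        return "ok"


if __name__ == "__main__":
    user = PasswordHistory("tarheels#1")
    current = "tarheels#1"
    for new in ("tArheels#1", "tarheels#11", "summer2016!", "tarheels#2"):
        verdict = user.change(current, new)
        print(f"{current:12} -> {new:12}: {verdict}")
        if verdict == "ok":
            current = new

    # The alternating scheme from the thread: password1, secret1, password2 ...
    tim = PasswordHistory("password1")
    print(tim.change("password1", "secret1"))    # ok: different skeleton, far apart
    print(tim.change("secret1", "password2"))    # rejected: skeleton 'password' still in history
```

Gunter's objection survives in reduced form: a stolen skeleton hash is cheaper to crack offline than the full password hash because the skeleton has less entropy, so the skeleton hash needs the same slow, salted treatment as the password hash, and the history should be as short as policy allows.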

Sastray • August 6, 2016 2:03 PM

Does anyone know offhand if HIPAA or PCI compliance requires password changes?

Paul • August 7, 2016 2:10 AM

I see just what you described all the time with my internal customers. It's always just enough to get past length and complexity requirements and then incrementing a number or month, etc.

I've tried getting people to use passphrases which I think are the way to go. I don't see using a long random string as a practical solution. Yes, you can use a password manager, but logging into your corporate computer means you would have to look up the password on some other device every time you logged in because it's too hard for people to remember especially due to the security theater of changing passwords constantly.

You have to take into consideration that they have many other passwords to remember and in the end they will just resort to doing the minimum which helps nobody.

Is there any reason that using a phrase such as "Ihave2dogsand1catinmyhouse!" is a bad password? The cracking programs don't go in sections to see individual words from what I've seen and have to crack the whole password. For example, the cracker can't take the second word "have" and look it up in a dictionary. If someone has made a rainbow table hash of a password that long, more power to them. I entered my example into a password checker and it said it would take 726 undecillion (726 with 36 zeros) years for a botnet to crack that password.

Make the password easy to remember but long and add in the special characters and numbers and I think you're okay. I do use a password manager, but sometimes have issues with it, or may not have it available which is a pain. You can even come up with a sufficiently long password and then append with "@apple" for example when logging into the Apple store so it can't be reused to log into other sites by automated programs if compromised. A human could figure out the scheme, but I don't think crackers are doing these things by hand.

homakov • August 7, 2016 2:17 AM

Anything related to passwords is a bad idea, starting from reset by email and ending with using them in the first place.

Alex • August 7, 2016 3:14 AM

Those passwords are already bad and changing them to other bad passwords is, indeed, a bad security idea. However, if you have a password manager which generates random, strong passwords, what can be wrong if you change your passwords frequently using a password manager?

chris • August 7, 2016 5:26 AM

Hey Bruce,
thanks for this study! I will write about it for German listeners! I think frequent password changes are an old method to make systems safe. Would it be safe if people used password safes and password generators to renew the password (with strong parameters)?

Greets from Germany!

not bad advice for people who use long random passwords • August 7, 2016 2:12 PM

"Which is precisely no-one. There are more unicorns on the internet than there are people using truly random 20 character passwords."

What are you talking about? I use long random passwords, and as far as I've observed (from reading many comments) most people who use password managers do, too; why wouldn't they? The whole point of password managers is to permit you to use long difficult-to-remember passwords.

Do you really think that everyone who uses password managers does not use random passwords, or are you nitpicking about whether such long randomly generated passwords are "really truly" random (as if that would make a serious practical difference in the context of long random passwords), or what? I'm not sure what your point is (or if it's a strange joke I'm not grokking.)

Kevin Nelson • August 8, 2016 8:47 AM

My biggest problem is that I have about 100 different passwords at this point. I have had to use an online password keeper to keep track of all of them. I use an easy password for non-critical websites, such as newspapers; the criteria being that if the password is cracked, it won't cost me anything.

MikeA • August 8, 2016 11:32 AM

I'm hoping everybody here realizes that the people who promulgate these policies are _not_ here. Three stories:

1) At one hot-shot (since deceased) Internet equipment vendor, the *nix folks had the usual "better than nothing, and occasionally quite good" password policies, with corporate dictated enforced password aging. Every Windows system had a simple GUI to log into *nix systems when needed. It did not correlate the Windows ID with the *nix ID, just presented a drop-down menu of all *nix usernames, and logged in as that user. Of course, very few Windows machines had screen locks, so, essentially anybody could walk up to an unattended Windows machine and log into the *nix systems as any user.

2) At a major vendor of Internet equipment, I ran into the "head of security" for IT, and brought up the issue of this sort of password policy, and how its problems had been known for decades. His reply: "I know, but it's not my call". That is, the person "in charge" of network and IT security was _overruled_ by a PHB who couldn't tell you what "hash" and "salt" were in a non-breakfast context.

3) At my next job, I found that the Windows Admin. password was the same on every system, and was [corp name][Month/year of most recent password change].

All these policies were set by folks who I am virtually certain don't even know Bruce's name, but set policy that affects people who have read Cryptogram for decades. Preaching to the choir may feel good, but it won't really change anything.

Michael Pins • August 9, 2016 2:05 PM

You'd be surprised at how many otherwise smart people are still advocating frequent password changes. And in a few cases (i.e. student accounts) it actually does make sense. However, in a corporate setting it's nearly always a bad idea. I've been fighting this battle for something like 20 years now.

When implemented, a sizable proportion of the userbase will do one of two things:
1> Pick (often bad) rotating transforming passwords
2> Pick good passwords, but then write them down on a sticky-note, which is stuck to their monitor, under their keyboard, or in their top desk drawer.

And yes, I've caught IT personnel with server root privileges doing both of the above.

Mark Sitkowski • August 14, 2016 5:53 PM

How about this?
You have a password, "FRED", that only you know. When you login to the system, you're presented with this:
You type "1001" and the malware on your PC thinks that it has your password, and so does the network snooper. The guy looking over your shoulder is confused...
No need to remember 64 digit passwords, no need to change them every month, no need for password managers.

Wael • August 14, 2016 6:05 PM

Mark Sitkowski,

> you're presented with this: ABCDEFGHIJKLMNOPQRSTUVWXYZ 10010111010011011000100001

SecureMatrics uses a similar, but more elaborate idea.

Mark Sitkowski • August 14, 2016 8:57 PM

I was actually thinking of the Forticode system, but there's another system called Pinsafe, which is a highly insecure version of all three.

Clive Robinson • August 15, 2016 3:14 AM

@ Mark Sitkowski,

What about the friend of FRED, ANNA, are they really twins ;-)

The system at the lowest level is like those door systems you see in banks where the buttons have seven segment LEDs under them and the 0-9 gets displayed randomly, so each time a user has a different keying pattern to --supposedly-- stop shoulder surfing.

An earlier system used a grid system printed on a card in a snap open tamper evident case, so that challenge and response codes could be given over a phone, albeit very slowly (supposedly used in the early versions of the "nuclear football").

Markus • August 22, 2016 8:46 AM

I believe most of the guys in the security community and also in the comments here are quite unrealistic.
When it comes to password security you only consider the machine but not the human. Most humans just do not have the capacity to memorize what you guys call a secure password. And then it is not only one secure password but there are 10 or 20 of them to memorize.
This will actually cause very weak passwords because they end up being stored on paper or on devices whose security is not controlled by your organization. This makes even the longest and most randomized password easily accessible by common attackers.
Oh, yeah, great, I forgot, there are password safes which the user should use. This opens a new question. Where are those password safes installed and where are the passwords kept? Most times on the smartphones of the users. Again those passwords' security will be out of the control of your organization. It does not make sense to have them on the corporate workstation of the user as he needs the password from the safe to log onto the workstation.
So, as a result, I see only one chance to increase the security for authentication. This is to do the investment and move away from single password authentication. Leave the password simple and in a way an average user can easily memorize it and add a second factor. I have not seen many organizations do the obvious and reuse the proximity card they already have for authentication on their physical doors as a second factor for their logical infrastructure. Or I've even seen organizations handing out business laptops with a fingerprint scanner to all employees but not use it to secure the device without torturing the user with frequently expiring complex and long passwords.
Don't rely for your security on the discipline of the users. They will always find a way to breach your security to get their work done at the end of the day.
Try to combine an increase of security with an increase of convenience for the user and you will have a really big win.

Bill August 22, 2016 10:22 AM

I've been making this less-than-popular recommendation for many years, so it's great to see some research backing up what we should all know intuitively.

If you force users to do something that they find completely unreasonable, they will find the easiest path they can to get around it. Whether it's using patterns, post-it notes or both, making things very hard on the user doesn't tend to improve security.

I have long recommended that the focus should be on longer, more complex passwords that are changed less frequently. If you can also convince your users to compartmentalize their passwords, e.g., don't use the same passwords for personal and business accounts, then you can achieve an even greater bump in security.

It's good to occasionally change passwords, but more than once every year or so doesn't improve security.

Clive Robinson August 22, 2016 11:51 AM

@ Markus,

Most humans just do not have the capacity to memorize, what you guys call a secure password

I've been saying this one way or another since the mid-1980s, but it almost always falls on deaf ears or gets spiked by the ego of Not Invented Here...

But as @Nick P will point out --as we both have in the past-- this "human failing" has been known and talked about for over sixty years in what we now call the IT industry. But even longer --probably between a hundred and fifty and two hundred years-- if you take into account the same issue applies to the likes of combination locks...

Scott October 11, 2016 6:05 AM

Frequent password changes would only be a bad idea if the person trying to break the password had access to the password history, including the current password. Even if the identified patterns were exposed, simple account lockout and two-factor auth would handle restricting the many attempts needed to identify which pattern was used, if they had one revision of the password to begin with. Better yet, if there were something watching the attempts, the source could be identified and restricted.

If the length, complexity, randomness and rotation of passwords is truly an issue, in combination with humans creating and remembering them, why do we still use them? Does it make sense to apply system requirements to the human resource, or should the system understand enough about the human that a password is not necessary?

Change the method of authentication to fit the end user, then the question goes away.

Bill November 1, 2016 6:24 PM

Frequent password changes result in people writing them down. Frequently in a list showing all the old ones and new ones. Then this list is placed someplace insecure where others can see it. Thus, the very concept of password security becomes a method to make access insecure.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.