Back in the Middle Ages, the bubonic plague killed off almost a third of Europe’s population. This was despite various government efforts to hand out masks and to quarantine thousands of sick people in separate towns or even underground crypts. Though that pandemic was eventually stemmed, the disease hasn’t really disappeared. People are still contracting – and animals are still carrying – the illness that came to be known as the “black death.”
Today’s IT specialists are something like those 14th century government workers. IT departments create manuals and policies that all contain some variation on two basic mantras about data security: Make your passwords strong, and change them often. That’s why we users add in those extra exclamation points and dutifully obey our software’s orders to “choose a new password” every 60 days. But instead of a cure, these IT manuals are actually spreading a virus.
As it turns out, the password expiration requirement – like those famous 14th century beaked masks – makes people think they're safe instead of addressing the real problem. As a result, as the illness spreads, efforts to stem it with traditional techniques are met with nothing but frustration.
Expiring passwords provide a false sense of security
Password expiration was implemented as a solution for non-networked servers at the Department of Defense almost 30 years ago. It has since become an outdated technique. The reality is that modern password-cracking software tries the most commonly used passwords first and can test thousands of guesses per second against a login form, or billions per second against a stolen password hash (a task made dramatically easier when the most commonly used password is "password"). A weak password falls in seconds, not months, so a 60-day change policy does nothing to stop it.
Resetting your password every few weeks has no impact on a thief who wants to access your data to steal information immediately. Most stolen passwords are used within minutes or hours of the theft. The culprits don't usually hang on to your credit card number or social security information without using it or selling it within a matter of days.
Unless the danger is of someone using your password to repeatedly access your system over a long period of time (a problem that most hackers solve by setting up their own persistent access, such as a backdoor account, as soon as they're in), password expiration is not the answer.
Replacing expired passwords may actually make us less safe
What’s more, password expiration policies tend to burden users with memorizing new passwords. This leads to several dangerous practices:
- writing down passwords and storing them in unsafe physical locations;
- choosing very simple passwords; or
- choosing shorter passwords.
Each of these outcomes makes a password easier to crack. As the National Institute of Standards and Technology notes in its password guidance, length is the primary factor in a password's strength: the number of possible passwords is the alphabet size raised to the length, so dropping one character from a lowercase-only password shrinks the attacker's search space 26-fold, and every bit of entropy lost halves the time it takes to exhaust it.
Remember the first time you got that “Your password has expired” message? Whether or not you were surprised, your first reaction must’ve been something along the lines of “Shoot…I had just finally memorized my old one!” Most of us – even those who vehemently deny being lazy about password security (who are you, anyway?) – then go on to develop some sort of pattern to help us remember this password and the several that will come after it. Your password system may involve switching around the numbers or letters in your existing password, using a different family member’s name in each password or even rotating between your favorite foods. Whatever it is, it’s likely to somehow relate to the password that you had before.
Researchers at the University of North Carolina confirmed the occurrence of these patterns in a study of expired passwords (Zhang, Monrose and Reiter, "The Security of Modern Password Expiration," 2010). By applying common transforms to a user's old password, they showed that at least 41% of new passwords could be broken offline in a matter of seconds if the thief knows the previous ones.
What does that mean? In a nutshell, if hackers get hold of whatever dump pile your old, expired passwords dropped into, they no longer have to search the whole space of possible passwords: they only have to search the small set of "patterns" you are likely to have applied to the old one.
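The following is an added example, not code from the article or from the UNC study, that shows how small that search becomes. It is a simplified transform-based guesser in the spirit of the UNC approach: starting from an expired password, it generates the variants people typically pick (bump the number, change the capitalisation, swap letters for look-alike digits, move or add a trailing symbol) and reports how many guesses it takes to reach the new password. The expired passwords, the transform list and the `depth` limit are assumptions chosen for the example.

```python
import re

# Constructed "dump pile" of expired passwords for the demonstration.
EXPIRED = ["Summer2023!", "fluffy01", "Pa$$word7"]

SYMBOLS = "!@#$"
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}


def bump_numbers(pw):
    """Increment the first digit run: fluffy01 -> fluffy02, fluffy03, fluffy04."""
    m = re.search(r"\d+", pw)
    if not m:
        return []
    n, width = int(m.group()), len(m.group())
    return [pw[:m.start()] + str(n + k).zfill(width) + pw[m.end():]
            for k in range(1, 4)]


def change_case(pw):
    """The usual capitalisation tricks."""
    return [pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()]


def leetify(pw):
    """Replace one letter with its look-alike digit or symbol (a -> @, o -> 0 ...)."""
    return [re.sub(plain, leet, pw, flags=re.IGNORECASE)
            for plain, leet in LEET.items() if plain in pw.lower()]


def shuffle_symbols(pw):
    """Move a trailing symbol to the front, drop it, or append a common one."""
    out = []
    core = pw.rstrip(SYMBOLS)
    if core != pw:
        tail = pw[len(core):]
        out += [tail + core, core]
    out += [core + s for s in SYMBOLS]
    return out


TRANSFORMS = [bump_numbers, change_case, leetify, shuffle_symbols]


def candidates(old, depth=2):
    """Breadth-first: apply up to `depth` transforms in sequence.

    Returns the variants in the order an attacker would try them, which is
    also the order that mirrors how people build their next password.
    """
    seen = {old}
    ordered = []
    frontier = [old]
    for _ in range(depth):
        nxt = []
        for pw in frontier:
            for transform in TRANSFORMS:
                for variant in transform(pw):
                    if variant not in seen:
                        seen.add(variant)
                        ordered.append(variant)
                        nxt.append(variant)
        frontier = nxt
    return ordered


def guess(old, new, depth=2):
    """Number of guesses needed to reach `new` from `old`, or None if unreachable."""
    for i, candidate in enumerate(candidates(old, depth), start=1):
        if candidate == new:
            return i
    return None


if __name__ == "__main__":
    # Constructed "new" passwords: two follow a pattern, one does not.
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("fluffy01", "Fluffy02"),
                     ("Pa$$word7", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {guess(old, new)} guesses "
              f"(search set of {len(candidates(old))})")
```

The point is the size of the search: a few hundred candidates derived from the old password, versus the billions an attacker faces without it. A new password that shares nothing with the old one (the last pair above) is simply unreachable this way, which is the only property a rotation policy could ever have bought you.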
Why change a password?
So changing your password for a particular site at regular intervals is unlikely to help you much. You may be forced to do it by your bank, your employer or even your local library. But don’t for a minute think that you’re done keeping your data safe.
Instead of focusing on when you change your passwords, focus on where and how you use them. As PC Mag summarizes, “Using different passwords for different accounts and Web sites really is beneficial, as is using complex, non-guessable passwords.” Using a password management tool to create strong passwords could also help.
One last tip: All passwords are not equal. Studies show that users recycle the same password on an average of 8 websites. That’s not always a bad thing! Your Pinterest account could probably share a password with your neighborhood listserv. Instead of coming up with complex, unique passwords for every website, save your energy to memorize strong passwords for the websites that hold more of your personal and financial information.
After all, in order to cure the plague, we had to spend a lot of time and modern medical techniques to understand it. In the same way, if we want password policies to be the solution, we must first understand the problem.