Why Constantly Changing Your PC's Password Might Not Be A Good Idea

There's a lot of debate about which kinds of passwords are the most secure, but most agree you should change your passwords often to keep those pesky hackers guessing. However, it turns out that IT departments' obsession with mandatory password changes could be all wrong.

Photo: reynermedia, Flickr

According to FTC Chief Technologist and Carnegie Mellon computer science professor Lorrie Cranor, research suggests that if you have to change your password all the time you'll put much less effort into picking a secure one.

She explains her findings from one particular study:

“[People] tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”

Sound familiar? That's exactly why frequent forced password changes don't buy much security. In fact, Cranor notes that someone who really wants into an account can run offline attacks that guess a large number of passwords, and the predictable transformations of an old password are among the first guesses, so your constant changing isn't really going to slow them down much anyway.

Time to start showing your IT department some of the latest research to keep your company secure and save you a bit of time in the long run.


    One alternative is for the IT department to enforce such onerous restrictions:

    * forced update every three months
    * can't be the same as or similar to previously used passwords
    * minimum ten characters
    * must include at least one uppercase letter
    * must include at least one lowercase letter
    * must include at least one number
    * must include at least one special character

    that no one can remember their password so they just write it on a Post-it note stuck to the bottom of their keyboard.

    Yay security!

      Don't forget:
      * must contain one hieroglyph
      * must contain one emoticon
      * must contain one verse of Shakespearean sonnet that doesn't come from Romeo and Juliet

      Also, the longer the password, the better and more secure it will be.
      Not even an off-line attack against it will crack it.

    It's not the IT Department forcing this; it's generally risk, audit or compliance. Things have changed, but the documented 'good practice' has outstayed its welcome. IT is sometimes just the messenger. Sometimes they don't even agree with the message.

    Can't argue because it's exactly what I've done. Couldn't be arsed getting my new cryptic passwords rejected for some stupid reason so I've taken the path of least resistance. I agree... Yay security... or not...
