There's a lot of debate about which kinds of passwords are the most secure, but most agree you should change your passwords often to keep those pesky hackers guessing. However, it turns out that IT departments' obsession with mandatory password changes could be all wrong.
According to FTC Chief Technologist and Carnegie Mellon computer science professor Lorrie Cranor, research suggests that if you have to change your password all the time you'll put much less effort into picking a secure one.
She explains her findings from one particular study:
“[People] tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
Sound familiar? Exactly. That's why changing your password a lot just isn't smart when it comes to security. In fact, Cranor suggests that those who really want to hack into accounts can do so quite easily via offline attacks that guess a large number of passwords, and a new password that is only a predictable transformation of the old one is exactly the kind of guess those attacks try. So your constant changing isn't really going to slow them down that much anyway.
Time to start showing your IT department some of the latest research to keep your company secure and save you a bit of time in the long run.
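As an added example (not from the article or from Cranor's study), here is a password-change check that flags a proposed new password when it is just one of the transformations quoted above applied to the old one. It assumes the old password is available in plaintext at change time, as it is when the user has to enter it to authorize the change; the lookalike table beyond the study's S to $ is my own assumption.

```python
import re
from typing import List, Optional

# Lookalike symbols to undo before comparing. The study names S -> $; the rest
# of this table is an assumption of this example, not from the study.
LOOKALIKES = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l",
                            "3": "e", "4": "a", "5": "s", "7": "t"})

def letters(pw: str, undo_lookalikes: bool = False) -> str:
    """Lowercase alphabetic skeleton of a password (the 'word' the user reuses)."""
    if undo_lookalikes:
        pw = pw.translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", pw.lower())

def specials(pw: str) -> str:
    """Everything that is neither a letter nor a digit, in order."""
    return re.sub(r"[a-z0-9]", "", pw.lower())

def _stepped(old_runs: List[str], new_runs: List[str]) -> bool:
    """True when some digit run moved by exactly 1 and the others are unchanged."""
    if not old_runs or len(old_runs) != len(new_runs):
        return False
    deltas = [int(b) - int(a) for a, b in zip(old_runs, new_runs)]
    return all(d in (-1, 0, 1) for d in deltas) and any(d != 0 for d in deltas)

def predictable_transformation(old: str, new: str) -> Optional[str]:
    """Name the transformation that turns `old` into `new`, or return None when
    the new password is not a trivial variant of the old one."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    if letters(old) and letters(old) == letters(new):
        # Same word; only the digits, symbols or their positions changed.
        if _stepped(re.findall(r"\d+", old), re.findall(r"\d+", new)):
            return "incremented or decremented number"
        if sorted(old.lower()) == sorted(new.lower()):
            return "reordered digits or special characters"
        if re.sub(r"\D", "", old) == re.sub(r"\D", "", new) and specials(old) != specials(new):
            return "added or deleted special character"
        return "same word with different digits or symbols"
    # Same word once lookalike symbols are mapped back to letters.
    if letters(old, True) == letters(new, True):
        return "letter replaced by a lookalike symbol"
    return None
```

A password-change handler would reject the new password whenever this returns anything other than None; the four named transformations are the ones the quoted study describes.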