FTC Technologist Recommends Against Frequent Password Changes

When it comes to passwords, we are told many things. We are told to use at least a capital letter, lower case letters, a symbol, some numbers and while we are told all kinds of things about passwords, the worsts part is often remembering them as we are recommended to have frequent password changes and unique passwords for every system. A tweet by the agency regarding the former piece of advice got on the nerves of the FTC’s chief technologist who has openly challenged it.

During a keynote speech at BSides security conference in Las Vegas, Lorrie Cranor expressed surprise at the tweet saying that “I saw this tweet and I said, ‘Why is it that the FTC is going around telling everyone to change their passwords?'”. This advice is widely conflicted, with a rising number of security experts coming to believe that while it may protect you from inside attackers who know your passwords it may instead be leaving you to bigger breaches from external sources.

Cranor explained a recent piece of research stating that “UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation. They take their old passwords, they change it in some small way, and they come up with a new password”.

With all of this in mind, how secure do you believe your passwords to be? From both those around you and those across the world? Are you a victim of regular password changes?