I have more passwords than I would care to admit to, and each of them has its own rules and expiration dates. Some require numbers, special characters, and capitals, while others limit the characters I can use. Some I have to change every 30 days, some every 60 to 90 days. It’s exhausting trying to keep up with the numerous passwords that rule my everyday existence.
With everything we have to remember, it is not surprising that research shows that the more often we have to change our passwords, the less secure they can become. To keep track of the constant changes, we fall into patterns and become less creative and careful with our passwords. This is what researchers at UNC found when they reviewed the password histories of over 7,000 accounts. They created “Transform-based algorithms [that were] buil[t] from the presumption that a typical user will generate her next password by making systematic modifications to her current one.” Or, as the chief technologist at the FTC, Lorrie Cranor, put it in an article earlier this month: “there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.”
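The “systematic modifications” in the UNC quote can be made concrete. The Python below is an added example, not the UNC researchers’ transform-based algorithms and not code from the FTC article: it enumerates the likely successors of an expired password under a small set of transforms (bump the trailing number, swap the trailing symbol, toggle case, move the digit/symbol block to the other end, a single leet substitution), reports at which guess a given new password would be reached, and doubles as the check a password-change form could run to reject a new password that is a short transform chain of the old one. The transform set, the guess ordering, the depth limit, and the example passwords are all assumptions made for illustration.

```python
"""Transform-based guessing of a user's next password from the expired one.

Added illustrative example, not the UNC researchers' code. The transform
set is an assumption modeled on common habits: bumping a trailing number,
swapping the trailing symbol, toggling capitalisation, moving the
digit/symbol block to the other end, and single leet substitutions.
"""
import re
from typing import Callable, Iterator, List, Optional

SYMBOLS = "!@#$%^&*"                        # assumed common trailing symbols
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}


def _bump_trailing_number(pw: str) -> Iterator[str]:
    """Spring2015! -> Spring2016!, Spring2014!, ...; Welcome! -> Welcome1!, ..."""
    m = re.search(r"(\d+)(\W*)$", pw)       # trailing digit run, optionally followed by symbols
    if m:
        digits, tail = m.group(1), m.group(2)
        for delta in (1, -1, 2, 3):         # most likely increments first
            n = int(digits) + delta
            if n >= 0:
                yield pw[:m.start()] + str(n).zfill(len(digits)) + tail
    else:
        cut = re.search(r"\W*$", pw).start()    # insert a digit before any trailing symbols
        for d in "1234567890":
            yield pw[:cut] + d + pw[cut:]


def _swap_trailing_symbol(pw: str) -> Iterator[str]:
    """Spring2015! -> Spring2015@, Spring2015#, ...; Password1 -> Password1!, ..."""
    if pw and pw[-1] in SYMBOLS:
        for s in SYMBOLS:
            if s != pw[-1]:
                yield pw[:-1] + s
    else:
        for s in SYMBOLS:
            yield pw + s


def _toggle_case(pw: str) -> Iterator[str]:
    """Spring2015! -> spring2015!, sPRING2015!"""
    if pw:
        yield pw[0].swapcase() + pw[1:]
        yield pw.swapcase()


def _move_block(pw: str) -> Iterator[str]:
    """Spring2015! -> 2015!Spring; 2015Spring -> Spring2015"""
    m = re.search(r"[\d\W]+$", pw)
    if m and m.start() > 0:
        yield m.group(0) + pw[:m.start()]
    m = re.match(r"[\d\W]+", pw)
    if m and m.end() < len(pw):
        yield pw[m.end():] + m.group(0)


def _leet(pw: str) -> Iterator[str]:
    """Spring2015! -> Spr1ng2015!, $pring2015!  (first occurrence of each letter)"""
    lower = pw.lower()
    for ch, sub in LEET.items():
        idx = lower.find(ch)
        if idx >= 0:
            yield pw[:idx] + sub + pw[idx + 1:]


TRANSFORMS: List[Callable[[str], Iterator[str]]] = [
    _bump_trailing_number, _swap_trailing_symbol, _toggle_case, _move_block, _leet,
]


def transform_candidates(old: str, depth: int = 2) -> List[str]:
    """Ordered guess list for the successor of `old`.

    Depth 1 applies each transform once to `old`; depth 2 chains a second
    transform onto every depth-1 result (e.g. bump the year AND swap the
    symbol). List position is guess order, so the cheapest guesses come first.
    """
    seen = {old}
    ordered: List[str] = []
    frontier = [old]
    for _ in range(depth):
        next_frontier = []
        for base in frontier:
            for transform in TRANSFORMS:
                for cand in transform(base):
                    if cand not in seen:
                        seen.add(cand)
                        ordered.append(cand)
                        next_frontier.append(cand)
        frontier = next_frontier
    return ordered


def guesses_to_crack(old: str, new: str, depth: int = 2) -> Optional[int]:
    """1-based guess at which `new` is reached from `old`, or None if it never is."""
    candidates = transform_candidates(old, depth)
    return candidates.index(new) + 1 if new in candidates else None


def is_predictable_successor(old: str, new: str, depth: int = 2) -> bool:
    """Check a password-change form can run before accepting `new`: the form
    holds both plaintexts at that moment, so reject `new` if it is a short
    transform chain of `old`."""
    return guesses_to_crack(old, new, depth) is not None


if __name__ == "__main__":
    # Constructed examples, not data from the UNC study.
    for old, new in [("Spring2015!", "Spring2016!"),
                     ("Spring2015!", "Spring2016@"),
                     ("Password1", "1Password"),
                     ("Spring2015!", "correct horse battery staple")]:
        print(f"{old!r:16} -> {new!r:32} guess #{guesses_to_crack(old, new)}")
```

With depth 2 the candidate list for a typical password is a few hundred entries, which is why the cracking question is not “can the attacker brute-force the new password” but “how many tries does the attacker need once the old one is known”. Raising `depth` widens the net at the cost of more false rejections on the change form; the point of the check is to force a new password that is not derived from the old one, not to replace rate limiting or a second factor.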
Since password policies probably won’t be changing anytime soon, what should we take away from this? I think that the next time a password expiration comes up, we should not just bump the number or swap the symbol on the old one, but pick something genuinely new. We should also be embracing the two-step authentication options that so many sites provide now, so that a guessed password on its own is not enough to get in.