{"id":8854,"date":"2024-03-01T17:03:37","date_gmt":"2024-03-01T21:03:37","guid":{"rendered":"https:\/\/tcn.tidbits.com\/?p=10330"},"modified":"2024-03-01T17:33:51","modified_gmt":"2024-03-01T21:33:51","slug":"changing-passwords-periodically-doesnt-increase-security","status":"publish","type":"post","link":"https:\/\/www.macworks.com\/blog\/changing-passwords-periodically-doesnt-increase-security\/","title":{"rendered":"Changing Passwords Periodically Doesn\u2019t Increase Security"},"content":{"rendered":"<p>Does your organization or some financial website require you to create a new password periodically? This practice was recommended long ago, but some organizations haven\u2019t kept up with current recommendations that discourage such policies. If you\u2019re bound by a password expiration policy, you can use this article to encourage your IT department or financial institution to update its approach to password security.<\/p>\n<p>The rationale behind password expiration policies was that if an attacker were to steal a password database and decrypt some passwords, they would work for only a limited period, lessening the risk of unauthorized access. Even if an attacker gained access to an account, they could remain undetected only if they didn\u2019t change the password, and that access wouldn\u2019t last indefinitely.<\/p>\n<p>Over time, security experts realized that the problem wasn\u2019t so much how long an attacker could remain undetected but allowing users to set weak passwords that could be decrypted. It turns out that <a href=\"https:\/\/www.ftc.gov\/policy\/advocacy-research\/tech-at-ftc\/2016\/03\/time-rethink-mandatory-password-changes\" target=\"_blank\" rel=\"noopener\">users often choose weaker passwords<\/a> when they know they will have to change them, perhaps by tweaking a previous password for easier memorization. This fact hasn\u2019t been lost on attackers, making it easier for them to figure out future passwords. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.<\/p>\n<p>The National Institute for Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government that large corporations and other institutions tend to follow. In 2017, <a href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html#reqauthtype\" target=\"_blank\" rel=\"noopener\">NIST changed its guidelines<\/a> to say, \u201cVerifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).\u201d In a <a href=\"https:\/\/pages.nist.gov\/800-63-FAQ\/#q-b05\" target=\"_blank\" rel=\"noopener\">FAQ<\/a>, NIST explains:<\/p>\n<blockquote><p>Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.<\/p><\/blockquote>\n<p>Of course, if there\u2019s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately\u2014that\u2019s entirely different than requiring passwords to be changed on a schedule.<\/p>\n<p>Interestingly, NIST also doesn\u2019t recommend password composition requirements\u2014such as requiring the password to contain a letter, number, and special character\u2014because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that\u2019s easily remembered and typed can be stronger than a shorter password composed of random characters. Password managers can generally create both types.<\/p>\n<p>If you\u2019re forced to change a website password periodically, it\u2019s easiest to use a password manager to generate and enter a new strong password, and you won\u2019t have to memorize the new password. For the very few passwords you must remember and type manually, aim for longer passwords that won\u2019t trip up your fingers while typing or require numerous switches of iPhone uppercase and numeric keyboards. To aid memorization, perhaps consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong in their own right, but only you would know the categories used for each portion.<\/p>\n<p>(Featured image based on an original by iStock.com\/designer491)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Does your organization or some financial website require you to create a new password periodically? This practice was recommended long ago, but some organizations haven\u2019t kept up with current recommendations that discourage such policies. If you\u2019re bound by a password expiration policy, you can use this article to encourage your IT department or financial institution [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8855,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,69,106,112,185,104],"tags":[],"class_list":["post-8854","post","type-post","status-publish","format-standard","has-post-thumbnail","category-apple","category-apple-consulting-ct","category-apple-support-ct","category-mac-support-ct","category-mactech","category-security"],"_links":{"self":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/8854","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/comments?post=8854"}],"version-history":[{"count":1,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/8854\/revisions"}],"predecessor-version":[{"id":8862,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/8854\/revisions\/8862"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media\/8855"}],"wp:attachment":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media?parent=8854"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/categories?post=8854"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/tags?post=8854"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}