Frequent password changes are the enemy of security, FTC technologist says
Dan Goodin
Shortly after Carnegie Mellon
University professor Lorrie Cranor became chief technologist at the
Federal Trade Commission in January, she was surprised by an official agency tweet
that echoed some oft-repeated security advice. It read: "Encourage your
loved ones to change passwords often, making them long, strong, and
unique." Cranor wasted no time challenging it.
The reasoning behind the advice is that an organization's network may already harbor attackers who have not yet been discovered, and frequent password changes are supposed to lock them out. But Cranor, whose academic work focuses on usable security, found the advice problematic for a couple of reasons. First, a growing body of research suggests that frequent password changes make security worse rather than better. Second, as if repeating advice based more on superstition than on hard data were not bad enough, the tweet was especially annoying because all six of the government passwords she used had to be changed every 60 days.
"I saw this tweet and I said, 'Why is it that
the FTC is going around telling everyone to change their passwords?'"
she said during a keynote speech at the BSides security conference in Las Vegas.
"I went to the social media people and asked them that and they said,
'Well, it must be good advice because at the FTC we change our passwords
every 60 days.'"
Cranor eventually approached the chief
information officer and the chief information security officer for the
FTC and told them what a growing number of security experts have come to
believe. Frequent password changes do little to improve security and
very possibly make security worse by encouraging the use of passwords
that are more susceptible to cracking. The CIO asked for research that
supported this contrarian view, and Cranor was happy to provide it.
The most on-point data comes from a study published in 2010
by researchers from the University of North Carolina at Chapel Hill.
The researchers obtained the password hashes for 10,000 expired
accounts that had belonged to university employees, faculty, or
students who were required to change their passwords every three
months. They received not only the hash of the last password each account used
but also the hashes of the earlier passwords each account had cycled through over time.
By studying the data, the researchers
identified common techniques account holders used when they were
required to change passwords. A password like "tarheels#1", for instance
(excluding the quotation marks), frequently became "tArheels#1" after
the first change, "taRheels#1" on the second change, and so on. Or it
might become "tarheels#11" on the first change and "tarheels#111"
on the second. Another common technique was to increment a digit,
giving "tarheels#2", then "tarheels#3", and so on.
"The UNC researchers said if people have to
change their passwords every 90 days, they tend to use a pattern and
they do what we call a transformation," Cranor explained. "They take
their old password, they change it in some small way, and they come up
with a new password."
The researchers used the transformations they
uncovered to develop algorithms that, given an account's previous password, could
predict its replacement with great accuracy. They then simulated real-world cracking
to see how well the algorithms performed. In online attacks, in which the attacker
submits guesses to the live login system and is limited by how many attempts the
targeted network allows before locking the account, the
algorithm cracked 17 percent of the accounts in fewer than five
attempts. In offline attacks against the recovered hashes, where guessing is limited
only by computing power, 41 percent of the changed passwords were cracked
within three seconds.
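The following is an added example, written for this page rather than taken from the article or from the UNC researchers' work: a deliberately simplified transformation-based guesser that turns an expired password into an ordered list of likely replacements (the capitalization, digit-increment and digit-append patterns described above, plus symbol swaps), then measures how many guesses it takes to reach each subsequent password in a constructed rotation history. The password history, the candidate ordering and the guess budgets are this example's own assumptions; unsalted SHA-256 stands in for whatever hash a real password store would use, since the attack cost here is in the number of guesses, not the hash function.

```python
import hashlib
import re
import string

# Symbols tried when swapping one special character for another (assumption).
SYMBOLS = "!@#$%&*"


def candidates(old):
    """Return an ordered, de-duplicated list of likely next passwords derived
    from an expired one. The four families match the patterns the article
    describes; the ordering and exact rules are this example's own
    simplification, not the UNC researchers' algorithm."""
    out = []

    def add(cand):
        if cand != old and cand not in out:
            out.append(cand)

    # Family 1: bump a trailing number ("tarheels#1" -> "tarheels#2" ... "#10").
    m = re.search(r"\d+$", old)
    if m:
        stem, num = old[: m.start()], m.group()
        for step in range(1, 10):
            add(stem + str(int(num) + step).zfill(len(num)))

    # Family 2: flip the case of one letter at a time ("tarheels#1" -> "tArheels#1").
    for i, ch in enumerate(old):
        if ch.isalpha():
            add(old[:i] + ch.swapcase() + old[i + 1:])

    # Family 3: repeat the last character or append a digit ("#1" -> "#11", "#12", ...).
    add(old + old[-1])
    for d in string.digits:
        add(old + d)

    # Family 4: swap a symbol for another symbol ("tarheels#1" -> "tarheels!1").
    for i, ch in enumerate(old):
        if ch in SYMBOLS:
            for sym in SYMBOLS:
                add(old[:i] + sym + old[i + 1:])

    return out


def crack_from_previous(old, stored_hash, max_guesses):
    """Try candidates in order against the hash of the new password.
    Returns (password, guesses_used) or None if the budget is exhausted.
    max_guesses models a lockout threshold (online) or a time budget (offline)."""
    for n, cand in enumerate(candidates(old), start=1):
        if n > max_guesses:
            return None
        if hashlib.sha256(cand.encode()).hexdigest() == stored_hash:
            return cand, n
    return None


def audit_history(history, max_guesses):
    """For each rotation in a password history, report how many guesses it took
    to reach the new password from the previous one (None = not reached)."""
    results = []
    for old, new in zip(history, history[1:]):
        stored = hashlib.sha256(new.encode()).hexdigest()
        hit = crack_from_previous(old, stored, max_guesses)
        results.append(hit[1] if hit else None)
    return results


if __name__ == "__main__":
    # Constructed sample history: three rotations follow the article's patterns,
    # the last one is a genuinely new passphrase.
    history = [
        "tarheels#1",
        "tarheels#2",
        "tArheels#2",
        "tArheels#22",
        "correct horse battery staple",
    ]
    print("online, lockout after 5 guesses:", audit_history(history, 5))
    print("offline, 50-guess budget:        ", audit_history(history, 50))
```

The point the two audits make is the one the study made: a pattern-derived replacement falls to a handful of guesses whether the attacker is rate-limited or not, while only the unrelated final passphrase survives, so the rotation policy bought nothing for the first three changes.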
A separate study from researchers at Carleton University
provided a mathematical demonstration that frequent password changes
hamper attackers only minimally, probably not enough to offset the
inconvenience to end users.
Over the past few years, organizations including the National Institute of Standards and Technology in the US and UK government agency CESG
have also concluded that mandated password changes are often
ineffective or counterproductive. And now, thanks to Cranor, the FTC has
also come around to this thinking. But don't count on everyone doing
away with regular password changes.
"I'm happy to report that for two of my six
government passwords, I don't have to change them anymore," Cranor said.
"We're still working on the rest."