Password-Changing Policies and the Promise of New Alternatives

“People ask me all the time, ‘What keeps you up at night?’ And I say, ‘Spicy Mexican food, weapons of mass destruction, and cyber-attacks.’” Dutch Ruppersberger, U.S. Representative

For years, we’ve been functioning on the premise that frequently changing our passwords is a good thing—so much so, that many corporations have made frequent password changes a mandatory activity. Supposedly, it was better for security. Supposedly, it would protect us from increasingly sophisticated hacks and attacks. But is that true?

Across the board, passwords aren’t a strength for many people. So much the opposite in some cases that designers have actually been forced to hardcode a ban on the word “password” so people won’t use it within their login criteria.  And sure, “Tr0ub4dor&3” is better than “Password1,” as scientific theorist and XKCD creator Randall Munroe points out, but you know things still aren’t great when, “through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”  Cyberattacks continue to become more sophisticated and there’s been no shortage of organizations and individuals who have been harmed by the theft of billions of usernames and passwords—including your favorite email providers and plenty of government departments. Does changing a password every so often to try and stay ahead of malicious hackers really help against these attacks? Some say no.

For protection, Lorrie Cranor, Carnegie Mellon computer science professor and Chief Technologist at the Federal Trade Commission, urges people to rather change their passwords only under specific situations, such as when they think their password has been stolen, they’ve shared a password with a friend, they caught someone looking over their shoulder when typing in their password, or if they think they’ve logged into a phishing website. If you’re the unwitting victim of a leak—or you’ve been “pwned,” in the words of web security expert Troy Hunt—then changing your password in time could (maybe) save you from a would-be hacker.  

But Cranor understands that human brains aren’t wired for memorizing constantly shifting mumbo-jumbo: “What we’re asking people to do is to come up with something that’s unpredictable. By definition, something that’s new and crazy and unpredictable is going to be hard for me to remember, and maybe even come up with in the first place.”  That’s hard enough for users to do in the event of a breach, and even less so when a policy forces a new password to be introduced frequently as a supposedly preventative measure.

“Cybersecurity is a shared responsibility, and it boils down to this: in cybersecurity, the more systems we secure, the more secure we all are.” Jeh Johnson, former U.S. Secretary of Homeland Security

Discontent, Confusion, and Security Fatigue: An Invitation for Exploitation

Since users tend to forget passwords over time—and more changes lead to increased confusion and forgetfulness—it makes sense that people tend to use the same or similar passwords across the internet, especially when the change is forced and urgent, rather than necessary after a potential breach. These required changes don’t necessarily help anyone but those looking to steal information, as Carleton University researchers demonstrated mathematically that frequent password changes hamper hackers insignificantly in proportion to the inconvenience also caused to users—they further point out that an attacker who already knows a user’s password is likely to easily crack newer passwords—or can install a key logger or malware so that password changes don’t even make a difference.  

Likewise, the National Cyber Security Center (NCSC) agrees that required password-changing policies have become a counter-intuitive scenario: “The more often users are forced to change passwords, the greater their overall vulnerability to attack . . . Attackers can often work out the new password if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.” 

“To completely perform rectifying security service, two critical incident response elements are necessary: information and organization.” –Robert E. Davis, security and audit consultant

Because in fact, subconsciously, a lot of us really don’t believe we’ll ever get hacked at all, just as most of us don’t think we’ll crash and get hurt if the seatbelt is left off for a just quick drive across town, because what are the odds? In these ways, humans tend to be overly optimistic or forgetful, which sometimes makes us irrational. Because of this actually imaginary invulnerability we all think we have and the simultaneous urgency we all feel to just get through our login process, password security can often fall victim, especially it’s when it’s prompted by a policy and seemingly unnecessary. Correspondingly, it’s also no surprise that frequent password changes lead to discontent, frustration, and security fatigue among users affected. 

Wendy Zamora of Malwarebytes Labs points out that memorizing and changing an average of 27 different passwords means that users quickly fall back on bad habits, like writing down their passwords on post-its or using the same password for multiple logins, making them easy victims when actual attacks push through.   Communications specialist and executive director of IFFOR, Kieren McCarthy, further explains that it’s not just about the password itself, but about the frequent changes as well: “If people have to keep changing their passwords, they will tend to use shorter and less secure versions. They put less store in a password’s inherent security because it’s going to change again soon.” Recurrent modifications also eat up an enormous amount of resources, McCarthy points out: “Systems have to be constantly updated and people have to be constantly urged to make changes. And, of course, they keep forgetting the ‘new’ password, leading to more changes and more time with tech support.”

Safer Alternatives

Big corporations have taken note of such backlash to prompted password changes—Microsoft dropped its forced periodic password policy in April 2019, calling the practice “an ancient and obsolete mitigation of very low value,” and admitting that there are better ways to protect systems instead of forcing password expirations every 60 days. Still, the Windows manufacturer encourages strong, long, and unique passwords while vouching for detecting password-guessing attacks and anomalous log-on attempts, and it enforces banned password lists as well.  Against attackers, the NCSC now recommends system monitoring tools that present users with information about the last login attempt, allowing individuals to report an unfamiliar login attempt for investigation.  But passwords don’t have to be the only bit of protection data has anymore, and these extra measures have become more and more popular.

Yes, as both technology and cyberattacks have evolved, other security alternatives have also cropped up over the years in an effort to both further secure data and provide stress relief to users—including speech-activated passwords. Used by banks, big retailers, and U.S. government departments to deal with tax and pension issues over the phone, voice activation isn’t a bulletproof strategy by itself, since voice can still be emulated with fragments of “voiceprints” found online, but it is at least a bit more unique than entering “password” into a login field.

In the same vein, we might soon be seeing more “cardiac signatures”—essentially heartbeat passwords, spearheaded by a Canadian firm who made a Nymi Band bracelet to let people prove their online identities using their heartbeat instead of a password.  And these days, you can easily buy a phone that recognizes “cognitive fingerprints”—once a work in progress by the U.S. military and based on the field of behavioral-based biometrics. In fact, all the latest devices are upping the ante with the growing popularity of fingerprint scanning, iris recognition, and facial ID that allow us to back up our memorized string of number and letters with more unique verification that allows for more security.

“There’s no silver bullet solution with cyber security. A layered defense is the only viable defense.” –James Scott Brown, Institute for Critical Infrastructure Technology

But the most popular new safeguard—recommended by Microsoft and others—is multi-factor authentication, which has become an especially popular option in safeguarding passwords, particularly regarding the protection of confidential and sensitive data. It’s an alternative that is typically threefold, requiring “something you know” (i.e. usernames and passwords or security questions), “something you have” (such as a verification code received on another account or device), and “something you are” (including a fingerprint or retina scan and voice/facial recognition). However, if multi-factor authentication isn’t an option, another viable alternative is password vaults, or typically web-based programs that keep multiple passwords safe in an encrypted online storage space.  Vaults require one single master password to access the several different ones secured within—those users have for personal websites, applications, or services. But again, vaults are only as secure as you make them—there are still ways an attacker can get around these defenses, and here again, multi-factor authentication on a password vault does promise more safety than a one-step login would on the same encrypted space.

As more and more data and operations move online to digital formats, passwords become more and more important, and their security has likewise become paramount. Tracking and managing so many complicated logins can be frustrating in the same way having to update a password can be, so much so that it may cause a momentary lapse that might allow malicious attacks through somewhere down the line. These lapses and the subsequent hacks can lead to disaster, and fortunately for humans and their tricky memories, technology is advancing in ways to help us protect our personal accounts and data. It’s still not bulletproof, but we’re on the right track.

About the Author

Avani Desai

Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not-for-profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female only venture philanthropic fund to solve problems related to women and children in the community.

Follow on Linkedin Visit Website More Content by Avani Desai
Previous Article
WFH - Baby Mama Edition
WFH - Baby Mama Edition

In our “new normal” most of us are still getting used to working from home. The prospect of staying home pr...

Next Article
Life as a Military Wife & Daughter
Life as a Military Wife & Daughter

While I have never served myself, the military has influenced so many aspects of my life. I feel appreciati...


First Name
Error - something went wrong!