Changing Passwords Regularly May Be Insecure

Bruce Schneier had an interesting post where he attacked the commonplace practice of requiring regular password changes. Typical corporate IT policies require a change every 90 days, and some high-security environments require one more frequently than that.

The basic problem with frequent password changes is that people respond by inventing a system that makes the next iteration of the password easy to remember: a counter that ticks up, a season or month that advances. A system that is easy for the user to predict is just as easy for an attacker to predict, so forced rotation tends to replace one guessable password with a predictable series of them.

For example, at Secure360 last May I sat in a presentation on password cracking in which the presenter discussed the trends he was seeing in the cracking he does as part of penetration tests for client companies. One standout was how often month-and-year passwords showed up in the results. That’s right: the popular password this month is “August2016!”, with the exclamation point supplying the required “complexity.” But how complex is that when the pattern is a known trend? An attacker merely has to try a few month/year variations and at some point one of them will be a winner, and because the list of candidates is tiny, the same handful of guesses can be thrown at every account in the organization. The outstanding thing is that many of your coworkers have come up with the same plan and have the same password as you!
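To make the “known trend” concrete, here is an added example (not code from the original post or from the presenter) that builds the month/year guess list the paragraph describes, runs it against a small constructed dump of unsalted SHA-256 hashes, and then reuses the same pattern as a check a password-change form could run to reject such passwords. The suffix list, the regular expression and the sample accounts are assumptions made for the demonstration.

```python
"""Month/year password guessing, and the matching policy check.

Added example, not code from the original post. The hash "dump" below is
constructed for the demo (unsalted SHA-256, as in a leaked database that
skipped proper password hashing); the suffix list and regex are assumptions.
"""
import calendar
import hashlib
import re
from typing import Iterable

MONTHS = [calendar.month_name[i] for i in range(1, 13)]   # January .. December
ABBREVS = [calendar.month_abbr[i] for i in range(1, 13)]  # Jan .. Dec
# Trailing "complexity" people bolt on to satisfy a policy (assumed list).
SUFFIXES = ["", "!", "1", "!!", "1!", "#", "@"]


def month_year_candidates(years: Iterable[int]) -> list:
    """Every month/year combination an attacker would try first.

    Two years of guesses is only a couple of thousand strings: cheap to try
    against every account in a dump, and it hits anyone whose rotation habit
    is 'current month + year + punctuation'.
    """
    guesses = []
    for year in years:
        for name in MONTHS + ABBREVS:
            for word in (name, name.lower(), name.upper()):
                for yr in (str(year), str(year)[-2:]):
                    for suffix in SUFFIXES:
                        guesses.append(f"{word}{yr}{suffix}")
    return guesses


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def crack(hash_dump: dict, candidates: Iterable[str]) -> dict:
    """Return {username: password} for every hash the candidate list covers.

    hash_dump maps username -> unsalted SHA-256 hex. Unsalted hashes mean one
    hash computation per guess covers every user at once.
    """
    lookup = {sha256_hex(c): c for c in candidates}
    return {user: lookup[h] for user, h in hash_dump.items() if h in lookup}


# Defensive side: the same pattern, as a check a password-change form can run.
# Month name or abbreviation, optional separator, 2- or 4-digit year, then up
# to three non-letter characters of "complexity".
_MONTH_RE = re.compile(
    r"^(?:%s)[^a-z0-9]{0,2}(?:(?:19|20)\d{2}|\d{2})[^a-z]{0,3}$"
    % "|".join(m.lower() for m in MONTHS + ABBREVS),
    re.IGNORECASE,
)


def looks_like_month_year(password: str) -> bool:
    """True for 'August2016!', 'aug-16', 'MAY2016#1': the rotation pattern."""
    return _MONTH_RE.match(password) is not None


if __name__ == "__main__":
    # Constructed dump: three users, two of whom used the month/year habit.
    dump = {
        "alice": sha256_hex("August2016!"),
        "bob": sha256_hex("jul16"),
        "carol": sha256_hex("correct horse battery staple"),
    }
    found = crack(dump, month_year_candidates([2015, 2016]))
    print(found)  # alice and bob fall; carol survives
    for pw in ("August2016!", "Marching2016", "Tr0ub4dor&3"):
        print(pw, "rejected" if looks_like_month_year(pw) else "ok")
```

The attack side needs no cracking rig at all: a thousand guesses per year against an unsalted dump is one hash per guess for the whole user base. The defensive side shows why a blocklist check at the moment the password is set beats a calendar-driven rotation rule: it refuses exactly the passwords the rotation rule encourages.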

So the contrary idea, letting people choose a password and keep it indefinitely, may actually produce harder-to-guess passwords. I know that I have used the same password for many of my online accounts for a long time without incident. Usually I will change a password only if I suspect there has been unauthorized access, if the web service notifies me of unusual activity on the account, or when I read in the news about a large password breach at a particular web site.

I have also taken wholeheartedly to using a password manager (LastPass) that creates unique random passwords for me and inserts them into the sign-in box automatically. And let’s not forget two-factor authentication either. Together these overcome many of the weaknesses inherent in user-generated passwords: the manager removes the reuse and predictability problems, and a second factor limits the damage when a password does leak.

Perhaps it is time to take a hard look at this requirement in corporate IT policy and replace it with something better: change a password when there is evidence it has been compromised, and spend the effort instead on screening new passwords against known-bad patterns and on adding a second factor.

More Information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018 and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
