Frequent Password Changes Are a Bad Security Idea


According to security expert Bruce Schneier, frequent password changes are a bad security idea, despite what many experts keep telling us.

In a recent blog post, Schneier states, “I’ve been saying for years that it’s bad security advice, that it encourages poor passwords.”

Schneier summarises a study by researchers at the University of North Carolina (UNC). By studying the password histories of UNC accounts, the researchers identified common techniques account holders used when they were required to change passwords. A password like “tarheels#1”, for instance (excluding the quotation marks), frequently became “tArheels#1” after the first change, “taRheels#1” on the second change, and so on. Or it might be changed to “tarheels#11” on the first change and “tarheels#111” on the second. Another common technique was to substitute a digit to make it “tarheels#2”, “tarheels#3”, and so on. The common thread is that each new password is a small, predictable edit of the old one, so an attacker who already knows an old password (from an earlier breach, say) has only a short list of likely successors to try.

Schneier quotes Lorrie Cranor, the US Federal Trade Commission’s chief technologist, who recently said at PasswordsCon 2016: “The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor explained. “They take their old passwords, they change it in some small way, and they come up with a new password.”

The researchers used the transformations they uncovered to develop algorithms that, given an account’s previous password, predicted the replacement with great accuracy. They then simulated real-world cracking to see how well the algorithms performed. In online attacks, where the attacker can make only as many guesses as the target system allows before it locks the account, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks against the recovered hashes, where guesses are limited only by computing power, 41 percent of the changed passwords were cracked within three seconds. The practical consequence is that forced rotation gives little protection against exactly the attacker it is meant to stop: one who already holds an old password, and who can now derive the new one almost as cheaply.
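The attack the two preceding paragraphs describe can be shown in a few dozen lines. The following is an added example written for this page, not the UNC researchers’ algorithm or code from Schneier’s post: it implements the three transformations the text names (flipping the case of one letter, repeating the trailing digit, incrementing the trailing number), generates guesses from a known old password, and checks them against the hash of the new one under an online-style guess budget and an offline-style one. The order in which the transforms are tried, the guess budgets, the use of SHA-256 as a stand-in for a real credential hash, and the sample password histories are all assumptions made for the illustration.

```python
"""Added example: predicting a 'changed' password from its predecessor.

Illustration code written for this page, not the UNC study's algorithm.
The transforms are the three the text names; their ordering, the guess
budgets and the sample histories below are assumptions.
"""
import hashlib
import re

TRAILING_DIGITS = re.compile(r"(\d+)$")


def sha256_hex(s: str) -> str:
    """Stand-in for a stored credential hash. A real system should use a slow,
    salted hash (bcrypt, scrypt or Argon2); SHA-256 is used here only so the
    example runs without dependencies."""
    return hashlib.sha256(s.encode()).hexdigest()


def toggle_case(pw: str):
    """'tarheels#1' -> 'Tarheels#1', 'tArheels#1', 'taRheels#1', ...
    One letter flipped at a time, left to right."""
    for i, ch in enumerate(pw):
        if ch.isalpha():
            yield pw[:i] + ch.swapcase() + pw[i + 1:]


def repeat_last_digit(pw: str, max_extra: int = 3):
    """'tarheels#1' -> 'tarheels#11', 'tarheels#111', ..."""
    m = TRAILING_DIGITS.search(pw)
    if m is None:
        return
    last = m.group(1)[-1]
    for n in range(1, max_extra + 1):
        yield pw + last * n


def increment_number(pw: str, max_step: int = 9):
    """'tarheels#1' -> 'tarheels#2', 'tarheels#3', ... (digit width kept)."""
    m = TRAILING_DIGITS.search(pw)
    if m is None:
        return
    digits = m.group(1)
    base = pw[: m.start()]
    for step in range(1, max_step + 1):
        yield base + str(int(digits) + step).zfill(len(digits))


# Assumed ordering: the page lists the transforms in this order. The study
# itself learned which transforms users chose most often and searched those first.
TRANSFORMS = (toggle_case, repeat_last_digit, increment_number)


def candidates(old_pw: str):
    """Yield distinct guesses derived from the old password, most likely first."""
    seen = {old_pw}
    for transform in TRANSFORMS:
        for guess in transform(old_pw):
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack(old_pw: str, target_hash: str, budget: int):
    """Try up to `budget` guesses against the hash of the *new* password.
    Returns (guess, attempts) on success, None if the budget runs out.
    `budget` models the difference between an online attack (a lockout
    policy caps guesses) and an offline attack on a leaked hash (guesses
    are cheap)."""
    for attempts, guess in enumerate(candidates(old_pw), start=1):
        if attempts > budget:
            return None
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None


def crack_rate(history, budget: int) -> float:
    """Fraction of (old, new) pairs recovered within `budget` guesses."""
    hits = sum(crack(old, sha256_hex(new), budget) is not None for old, new in history)
    return hits / len(history)


# Constructed sample "password histories" (old, new), not real data: what an
# attacker who already holds the old password would be guessing against.
SAMPLE_HISTORY = [
    ("tarheels#1", "tArheels#1"),     # one letter's case flipped
    ("tarheels#1", "tarheels#111"),   # trailing digit repeated
    ("tarheels#1", "tarheels#3"),     # trailing number incremented
    ("winter2015", "winter2016"),     # incremented, wider number
    ("tarheels#1", "correct horse battery staple"),  # genuinely new: not derivable
]

if __name__ == "__main__":
    print("online  (5 guesses before lockout):", crack_rate(SAMPLE_HISTORY, 5))
    print("offline (100 guesses against hash):", crack_rate(SAMPLE_HISTORY, 100))
```

On the constructed histories the case-flipped password falls within an online budget of five guesses, while the digit-repeated and incremented ones need ten or more and so survive the lockout but not an offline run; the only history that survives both is the one where the user chose an unrelated password. The block is deliberately generic: any transform that maps an old password to a short ordered list of successors can be appended to `TRANSFORMS`, and the same `crack` loop measures how much protection a rotation policy actually buys against an attacker who holds the old password.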

You can read more from Bruce Schneier on his blog at