
Joseph Steinberg (CISSP, ISSAP, ISSMP, CSSLP) is a respected cybersecurity expert, executive, and consultant, who is currently serving as CEO of SecureMySocial, a provider of technology that helps businesses protect themselves from the risks of employee social media usage by warning people if they make potentially problematic posts. Joseph has spent over twenty years in the information technology industry, most recently serving for nine years as CEO of online authentication vendor Green Armor Solutions, where he remains Chairman, and in several senior capacities at cybersecurity firm Whale Communications (acquired by Microsoft) for the five years beforehand. Joseph is the inventor of multiple information-security technologies; his work is cited in over 70 published patents. He has advised various firms and the government on many high-level matters related to cybersecurity, serves as editor of the official (ISC)2 textbook on info-security management, and has authored, or contributed to, several other cybersecurity-related books. Joseph chaired the Financial Advisory Board for a NJ municipality with combined municipal and education budgets of ~$150M, and in 2007 was named one of New Jersey’s top businesspeople under the age of forty.

For more about Joseph, please see About Joseph Steinberg.

Please follow Joseph on Twitter at @JosephSteinberg.


The author is a Forbes contributor. The opinions expressed are those of the writer.


Why You Should Ignore Everything You Have Been Told About Choosing Passwords

We’ve all heard the recommendations of “experts,” the media, and even the US government: Use complex passwords. Use different passwords on every website. Change your passwords often.

Here’s why you should ignore these and several other suggestions so commonly repeated that people often accept them as true without question:

1. Using the same password for multiple accounts is sometimes preferable to alternatives.

Vis-à-vis passwords, the United States Federal Trade Commission warns:

Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.

Likewise, American Express recently sent an email to customers advising “Use different passwords for all the sites you use.”

I firmly disagree. While it is certainly true that passwords to sensitive sites should not be reused, it is perfectly acceptable to reuse passwords to sites where the security is of no concern to the user; for many people, such sites comprise a significant percentage of the sites for which they have passwords. For example, people today have a plethora of “accounts” that are created to access free resources; users provide no confidential information to these sites, nor do they perform any financial transactions with them. These “accounts” exist primarily for the benefit of the service providers, to track their users for all sorts of marketing purposes or to ensure that comments are ascribed to user handles. Often the information users provide to these sites is no more than an email address and a password. Is it truly of concern to users if a criminal who breached one such account gained access to the others? What real implications are there to the “victims” whose passwords were compromised – that a criminal will know what article topics a user with a particular email address likes? (While such information could be leveraged for social engineering type attacks, that information can likely already be ascertained from social media sites, etc.) So, instead of creating many new passwords, why not just accept that people have limited memories? If using the same password or similar passwords on “no need to secure my information” sites allows a person to create and remember stronger passwords to sites that truly matter, doing so may actually be preferable to a non-reuse approach.

2. Changing passwords too often may harm security instead of improving it

The AARP recently recommended that people:

“Change critical passwords frequently, possibly every other week”

That’s outright absurd. Consider how many passwords people have that are “critical.” Most people have passwords to access their bank accounts, credit card accounts, wireless accounts, Google and/or Apple accounts, etc., all of which can be classified as “critical.” Even with just five such accounts – and most people today likely have far more – changing passwords every two weeks would necessitate someone learning 130 new passwords a year! It’s not hard to imagine that such a scenario will lead to passwords being reused, modified only in part (e.g., the password after josephsteinberg1 becomes josephsteinberg2), or written down. Of course, following the AARP’s advice might also lead to people getting locked out of accounts after failed login attempts during which they enter old passwords – the frustration of which may ultimately cause them to abandon changing passwords altogether.

Passwords should be changed, but decide on the appropriate frequency for a particular system based on its sensitivity and importance.

3. Don’t “password panic” after reported breaches – and ignore the “experts” who “Cry Wolf”

Whenever there is a major data breach reported in the news, “experts” quoted all over the media advise people to change their passwords. This response to the news of a breach almost seems like a biological reflex – little thought is given, or analysis performed, before a chorus of voices chimes in with the usual generic security recommendations. After reports surfaced several months ago that Russian hackers successfully stole 1.2 billion passwords from various Internet sites, for example, the Federal Trade Commission advised Americans to “Change the passwords you use for sensitive sites like your bank and email account — really any site that has important financial or health information.” NBC ran an article titled “Billion Passwords Stolen: Change All of Yours, Now!” that quoted a security professional as saying “There are certainly some sites I’m going to go to today and change my password… The worst that will happen is that you’ve changed your password…That’s not a bad thing.”

This is outright bad advice.

As I wrote then, I am not convinced that the report of the 1.2 billion passwords being stolen was even accurate; no evidence seems to exist that it was. But, even if it was, not only was changing all of one’s passwords not necessary as a result of this particular story – and, for the record, I did not change even a single one of my own passwords in the aftermath of that report – it could actually increase a person’s risk. When people create many new passwords at one time they face serious limitations of human memory and are more likely than otherwise to write passwords down (bad idea), store them in a computer (which, unless they are properly encrypted and the device secured, is also a bad idea), or use passwords identical to, or similar to, one another on multiple sensitive sites (bad idea).

Also, as I explained after the Heartbleed bug earlier this year, when I suggested that people ignore the advice of “experts” who were recommending that everyone change his or her passwords en masse, if a vulnerability that allows systems to be compromised is publicized, it is important not to change passwords on systems that may still be vulnerable. Once criminals know that there is a serious, widespread vulnerability they are certainly going to attempt to detect and exploit it. So, while evildoers may not have actually exploited the vulnerability in the past – and your password may still be secure – if, after the vulnerability is publicized, crooks do breach the system and you change your password, they will likely obtain the new one. Considering that if criminals stole your old password by exploiting a particular vulnerability that still exists they can easily steal your new one, and that if your old one was not stolen, changing it may lead to the new one being stolen, the risk of changing your password can outweigh the benefits.

At a high level, the problem is even larger. Creating a false sense of urgency without investigating the facts is irresponsible, and puts people at risk when there is a real sense of urgency. How seriously do you think the multitudes of people who have repeatedly ignored the warnings from the FTC, security “experts,” and the media about the need to change passwords, and who suffered no harm as a result of ignoring such warnings, will take a future warning when it is actually necessary? Repeated false alarms undermine security; the government, media, and experts should exercise much greater caution lest the industry be transformed into the “Boy Who Cried Wolf.”
