BLOG: Changing Passwords Frequently Ineffective Against Cyberattacks
With so many things on my mind these days, I hate having to remember all the passwords I have. Not only do I have to remember passwords for my work computer and home computer, but a myriad of other accounts ranging from my bank, credit cards and public library accounts. Having to change passwords every 60 days on my work computer is a particular pain. Not only do I have to remember a new password, but I frequently have to change the password when I’m in the middle of something and don’t want to be bothered.
The conventional wisdom has been that computer passwords need to be long, complex and changed frequently. This practice has been required to protect work computers to maintain security against cyberattacks.
However, this practice is ineffective, said Stuart Wagner, director of IT Security & Compliance at Enterprise Products, at the American Petroleum Institute’s Oil & Gas Cybersecurity Conference last week in Houston. Wagner believes that not only the character-composition requirements for passwords should be nixed, but also the requirement to change them frequently.
Wagner is not alone in this belief. He pointed to research conducted by the University of North Carolina and Carleton University that supports the idea. Even Microsoft has changed its advice on the subject, Wagner noted.
In March of this year, the U.S. Federal Trade Commission’s chief technologist, Lorrie Cranor, said the practice of changing passwords frequently may be less beneficial than previously thought. In May, the National Institute of Standards and Technology (NIST) recommended more user-friendly password policies by encouraging the use of long passphrases and eliminating “composition” rules, which create a false impression that passwords are strong. NIST also recommends that companies use dictionaries to vet passwords, avoid password hints and knowledge-based authentication, and require passwords of at least eight characters with a maximum length of no less than 64 characters.
Having to change passwords frequently is hard on the user, Wagner said. To cope with the 60-day password change cycle, workers end up creating passwords they can easily remember. For example, they may change only a few characters of their previous password. But easily guessed passwords make it easier for hackers to harvest passwords via phishing or keylogging and gain access to a company’s network.
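As an added illustration of the NIST guidance summarized above and of the incremental-change habit Wagner describes (example code written for this post, not from the article, Wagner or NIST; the blocklist, the `examplecorp` context word and the leet-folding table are constructed stand-ins), here is a password check that rejects only on length and dictionary match, shown beside the legacy composition rule it replaces:

```python
import re
import unicodedata

MIN_LEN, MAX_LEN = 8, 64  # the thresholds quoted in the article

# Constructed stand-in for the dictionary of common/breached passwords NIST
# recommends; a real deployment loads a large list of known-compromised values.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome",
                    "summer", "winter", "iloveyou"}
# Constructed context-specific word (e.g. the employer's name) to reject.
CONTEXT_WORDS = {"examplecorp"}
LEET = str.maketrans("@$03", "asoe")  # fold P@ssw0rd -> password


def legacy_composition_ok(pw: str) -> bool:
    """The old rule the article argues against: 8+ chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def _stem(pw: str) -> str:
    """Lower-case, drop a trailing '2016!'-style suffix, then fold leet substitutions."""
    lowered = unicodedata.normalize("NFKC", pw).lower()
    return re.sub(r"[\W\d_]+$", "", lowered).translate(LEET)


def nist_style_check(pw: str) -> tuple[bool, str]:
    """Length plus dictionary vetting only; no composition rules."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if len(pw) > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    stem = _stem(pw)
    if stem in COMMON_PASSWORDS:
        return False, "matches a common/breached password"
    if any(word in stem for word in CONTEXT_WORDS):
        return False, "contains a context-specific word"
    return True, "accepted"


def is_minor_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with its suffix bumped (Winter2016! -> Winter2017!)."""
    return _stem(old) == _stem(new)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Summer2016!", "ExampleCorp2016!", "correct horse battery staple"):
        print(f"{pw!r:32} composition={legacy_composition_ok(pw)!s:5} nist={nist_style_check(pw)}")
    print("Winter2016! -> Winter2017! minor variant:", is_minor_variant("Winter2016!", "Winter2017!"))
```

The composition rule accepts every "P@ssw0rd1"-style value and rejects the long passphrase, while the dictionary-based check does the opposite; the stem comparison is how a forced-rotation system would catch the suffix-bump workaround.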
“Every time we try and contain the user, they’ll find a way around it,” said Wagner. This includes not only easily guessed passwords, but also workers writing their password on a sticky note and leaving it on their computer. If users only have to remember one password, they are more likely to come up with a better one. Forcing regular password changes may only be pushing the risk to another part of a company’s operation.
Instead of relying on a password alone, companies should require more than one authentication method, but only when workers are logging into a system with sensitive data, Wagner stated.
Wagner in his presentation also challenged conventional thinking on cybersecurity in other areas. For example, conventional thinking holds that every second matters. But that may not be the case. An average time from breach to discovery of around 200 days offers a number of opportunities to thwart a cyberattacker.
The attacker is not just going to conduct a smash, grab and leave operation; they have to figure out what they want and move through a network. The more sophisticated hackers are professionals that work on a schedule. They most likely will work an eight-hour shift and work it as a job, Wagner explained.
“The wrong thing is to rush and take action without understanding the full picture of what is going on and possibly doing more damage,” Wagner stated.
Moving too quickly can also alert an attacker you may be on to them. Taking a step back and not only determining which systems are impacted, but understanding attacker behavior, can help companies deal with a cyberattack more effectively.
Preserving all the data is another conventional method of gathering evidence to go after a cyberattacker. But copying all the data takes a lot of time and may be ineffective. This process may also require systems to be taken out of production, bringing a business to a halt. Instead, companies should focus on the most important data. They also need to take a risk-based approach to patching problem areas in a network, giving attention first to systems with sensitive data. While great in concept, patches can break business processes, and patching keeps administrative teams so busy they can’t keep up with their regular work, Wagner explained.
I agree with Wagner. With cybersecurity threats constantly evolving, the defense strategies that worked in the past may be ineffective in the future. We need to constantly challenge the status quo – the hackers certainly will. And it would be nice to not have to change my password so often!