Why frequent password changes only harm security
Anonim

Frequent password changes are often called one of the most effective ways to protect information. However, things are not as straightforward as they are made out to be. Read on to find out why.

You have most likely received, at least once, an email notification advising you to change your password. As a rule, such messages come from email services and administrators of corporate networks once every six months. And here a choice arises: follow the advice of those "who know best" and change the password, or ignore the requirement and leave everything as it is. The British intelligence services, whose duties include electronic intelligence and protecting the army's information, speak in favor of the second.

On May 7, on the occasion of International Password Day, representatives of one of the units of the Government Communications Headquarters (GCHQ) explained why you should not change your password too often.

Usually security policy obliges us to use only complex passwords, which are difficult to guess and, accordingly, to remember. Passwords should be as long as possible and as random as possible. We are quite capable of managing a pair of such passwords; however, when the count runs to dozens, the situation becomes uncontrollable.

Communications-Electronics Security Group (CESG)

The situation is aggravated by the fact that we are not allowed to keep using the old password, even if it meets the highest security requirements. In this case, a person does not overthink it and does not act in the most prudent way:

  1. Creates a new password by slightly modifying the old one. Attackers can exploit this gap. If they already knew the previous password, then, most likely, it will not be difficult for them to find the new one. Moreover, users often forget the new password themselves, and this entails inconvenience and lost time and productivity.
  2. Weakens the old combination. People deliberately simplify their new passwords so that they are easier to keep in mind. Upper case, special characters and numbers are the first to go. Of course, the user only loses from this.
  3. Writes the new password down on paper and leaves it almost freely accessible. Obviously, this behavior completely defeats the point of the procedure.
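A change-time check for the first two behaviours in the list above, as an added example that is not part of the original article: it flags a new password that is only the old one with tweaked digits, case or symbols. The function names, the substitution table and the `min_distance` threshold are assumptions, and the check assumes the user types the current password into the change form, which is the only moment both values are available in plaintext.

```python
import re

# Assumed look-alike substitutions to undo before comparing (illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def skeleton(password: str) -> str:
    """Reduce a password to its memorable core.

    Lowercases, strips leading/trailing digits and symbols (the usual
    rotation counter such as "2023!"), then undoes look-alike characters.
    """
    lowered = password.lower()
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lowered) or lowered
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_distance: int = 4) -> bool:
    """True when `new` is a predictable variation of `old`.

    Both values exist only in memory during the change request;
    nothing here requires storing the old password in plaintext.
    """
    if skeleton(old) == skeleton(new):
        return True  # same core word, only case/digits/symbols changed
    return edit_distance(old, new) < min_distance


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("BlueKettle77", "bluekettle"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: too similar = {too_similar(old, new)}")
```
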

“This is a paradox: the more often we are forced to change passwords, the more vulnerable we are. At first glance, it seems perfectly reasonable to change passwords as often as possible, but practice shows that this is not the case,” security experts conclude.

Of course, having read this, you should not neglect every request to change your password. For example, you can't ignore major data breaches like the one that happened in 2013 with Adobe accounts. In such cases, you will have to come up with a new password and, possibly, compose it from emoji: they say that this is even safer.

In the comments on the original article, one of the readers expressed the opinion that government services deliberately plant such canards in order to lull the vigilance of the masses. The calculation is simple: accounts that have already been hacked will not have to be broken into again (this is on an industrial scale, after all). Some supported this idea, while others advised the alarmist to take a pill for universal conspiracy.

What do you think, is it worth changing your password if it is secure and there are no signs of unauthorized access to your account?
