We live in an era where increasingly sophisticated cybercriminals are regularly on the prowl for network vulnerabilities.
So how can businesses respond to their slick phishing emails and social engineering ruses?
One school of thought within cybersecurity circles argues for an aggressive stance, urging companies to force their employees to change their passwords on a fixed schedule. The reasoning is that a password left unchanged gives an attacker more time to guess it, so the longer it stays in use the more likely the attacker eventually hits pay dirt.
The only downside, they say, is that some employees might find it harder to remember their new logon sequence — a small price to pay if it fosters greater security.
But what if that inadvertently increases the risk of long-term password exploitation?
FTC Chief Technologist Lorrie Cranor, who is also a Carnegie Mellon computer science professor, argued recently that it is time to rethink mandatory password changes. Citing a University of North Carolina study of expired passwords, she noted that when organizations force employees to change their passwords frequently, people "tended to create passwords that followed predictable patterns."
She is hardly a lone voice. Carleton University researchers similarly found evidence that frequent password changes, at best, slow attackers only slightly, probably not enough to offset the inconvenience to users. What's more, in separate work the Carleton group pointed out that an attacker who has already planted spyware such as a keylogger on the victim's machine simply captures the replacement password too, so changing it has zero benefit in that case.
Britain's CESG (the Communications-Electronics Security Group, GCHQ's information security arm, whose role has since passed to the National Cyber Security Centre) now says the conventional wisdom about changing passwords is wrong: forcing users to change passwords regularly harms rather than improves an organization's security.
This all sounds counterintuitive. But as much as organizations urge employees to use passwords that are as long and random as possible, the reality is that people take the easy way out. Many choose weaker passwords so they can remember them. If the new password is not much different from, or stronger than, the old one, it remains just as vulnerable as its predecessor. In some cases it is even easier to crack: an attacker who has already obtained the old password can apply the same predictable transformations (a trailing digit incremented, a symbol swapped, a month or year appended) and work out the new one in a handful of guesses.
Another negative: forcing frequent password changes leads some employees to write the new passwords down on paper, creating a risk that the information ends up in the wrong hands.
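To make the "old password predicts the new one" argument concrete, here is an added example (not code from the original post) that enumerates the rotation habits the research describes and counts how many guesses an attacker who knows the old password needs to reach the new one. The transformation list, the sample passwords and the guess limit are assumptions constructed for the demo; the same generator doubles as a check a reset flow can apply to reject a new password that is merely a cosmetic edit of the old one.

```python
"""Predictable password rotations: how knowing the old password narrows
the search for the new one.

Added illustration, not code from the original post.  The transformation
list models common rotation habits (increment a trailing number, swap a
trailing symbol, toggle case, append a month/year, one leet substitution)
and is an assumption, not a complete attacker wordlist.
"""
import itertools
import re

SUFFIX_SYMBOLS = "!@#$%"
# Constructed tag list for the demo; real attackers use far longer ones.
DATE_TAGS = ("2016", "2017", "Jan", "Feb", "Mar")
LEET = (("a", "@"), ("e", "3"), ("i", "1"), ("o", "0"), ("s", "$"))


def transformations(old: str):
    """Yield candidate new passwords derived from ``old`` in the order an
    attacker would try them (cheapest, most common habits first)."""
    yield old  # outright reuse, if the system allows it

    # 1. Increment a trailing number, keeping any trailing symbol:
    #    Summer2016! -> Summer2017!   Winter1 -> Winter2
    m = re.match(r"^(.*?)(\d+)([!@#$%]*)$", old)
    if m:
        stem, digits, tail = m.groups()
        n = int(digits)
        for delta in range(1, 10):
            yield f"{stem}{n + delta:0{len(digits)}d}{tail}"
    else:
        for d in range(10):          # no number yet: append one
            yield f"{old}{d}"

    # 2. Swap or append a trailing symbol: Winter1 -> Winter1!
    stripped = old.rstrip(SUFFIX_SYMBOLS)
    for sym in SUFFIX_SYMBOLS:
        yield stripped + sym

    # 3. Toggle case of the first character: password -> Password
    if old:
        yield old[0].swapcase() + old[1:]

    # 4. Append a month or year
    for tag in DATE_TAGS:
        yield stripped + tag

    # 5. A single leet substitution: password -> p@ssword
    for i, ch in enumerate(old):
        for plain, leet in LEET:
            if ch.lower() == plain:
                yield old[:i] + leet + old[i + 1:]


def guesses_to_recover(old: str, new: str, limit: int = 1000):
    """Number of transformation guesses needed to hit ``new`` starting from
    ``old``, or None if ``new`` is not reachable within ``limit`` guesses."""
    for count, cand in enumerate(itertools.islice(transformations(old), limit), start=1):
        if cand == new:
            return count
    return None


def is_predictable_rotation(old: str, new: str) -> bool:
    """Policy check for a reset flow: reject ``new`` if it is a cosmetic
    edit of ``old`` that the generator above would find."""
    return guesses_to_recover(old, new) is not None


if __name__ == "__main__":
    # Constructed sample rotations, typical of calendar-driven changes.
    for old, new in (("Summer2016!", "Summer2017!"),
                     ("Winter1", "Winter1!"),
                     ("password", "p@ssword"),
                     ("Winter1", "correct horse battery staple")):
        print(f"{old!r} -> {new!r}: guesses = {guesses_to_recover(old, new)}")
```

The point of the numbers is not the exact count but the order of magnitude: a rotated password reachable in a few dozen guesses from its predecessor offers no more protection than the predecessor did. The `is_predictable_rotation` check needs the old password in cleartext, which a change-password form has anyway since the user types both; it is useful precisely in the one case the post endorses, a reset after suspected compromise.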
Back to basics
Smart password policy should preach the basics: when employees create passwords, they ought to choose long combinations of letters, numbers and symbols, at least eight characters and preferably more, since length does more for strength than forced symbol rules, and they ought to turn on multi-factor authentication. Checking new passwords against lists of already-breached ones catches the obvious choices. And if attackers compromise the organization's networks or a particular account, changing the affected passwords is obviously appropriate; the trigger for a reset should be evidence, not the calendar.
In the end, however, the onus falls on the backend systems. It is up to the organization to equip administrators with tools that monitor the network for anomalies suggesting someone is trying to get into a legitimate user's account: bursts of failed logins against one account, one source address failing against many accounts, or a success from a location the user has never logged in from before. With that window into the system, security staff can compare failed attempts against the user's own login history, decide whether the user or an attacker is responsible, and force a reset on the accounts that actually need it.
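The kind of monitoring described above, as an added example that is not part of the original post: a small detector run over authentication log lines. The lines are constructed in the style of OpenSSH's auth.log messages with documentation-range IP addresses, and the thresholds (five failures in ten minutes, three distinct users from one source) and the "known good source" heuristic are assumptions chosen for the demo; the output is the list of accounts that merit a targeted reset.

```python
"""Evidence-driven reset triggers from authentication logs.

Added illustration, not code from the original post.  SAMPLE_LOG is
constructed in the style of OpenSSH auth.log lines (TEST-NET addresses);
FAIL_BURST, BURST_WINDOW and SPRAY_USERS are assumed thresholds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: alice normally logs in from 198.51.100.7; an unknown
# host guesses her password and gets in; another host sprays several users.
SAMPLE_LOG = """\
Jun 12 08:01:02 web1 sshd[1201]: Accepted password for alice from 198.51.100.7 port 50122 ssh2
Jun 12 08:40:11 web1 sshd[1290]: Failed password for alice from 203.0.113.5 port 40001 ssh2
Jun 12 08:40:13 web1 sshd[1291]: Failed password for alice from 203.0.113.5 port 40002 ssh2
Jun 12 08:40:15 web1 sshd[1292]: Failed password for alice from 203.0.113.5 port 40003 ssh2
Jun 12 08:40:18 web1 sshd[1293]: Failed password for alice from 203.0.113.5 port 40004 ssh2
Jun 12 08:40:20 web1 sshd[1294]: Failed password for alice from 203.0.113.5 port 40005 ssh2
Jun 12 08:41:02 web1 sshd[1295]: Accepted password for alice from 203.0.113.5 port 40006 ssh2
Jun 12 09:10:00 web1 sshd[1310]: Failed password for bob from 198.51.100.7 port 50130 ssh2
Jun 12 09:10:40 web1 sshd[1311]: Accepted password for bob from 198.51.100.7 port 50131 ssh2
Jun 12 09:30:00 web1 sshd[1400]: Failed password for carol from 203.0.113.9 port 41000 ssh2
Jun 12 09:30:01 web1 sshd[1401]: Failed password for dave from 203.0.113.9 port 41001 ssh2
Jun 12 09:30:02 web1 sshd[1402]: Failed password for erin from 203.0.113.9 port 41002 ssh2
Jun 12 09:30:03 web1 sshd[1403]: Failed password for frank from 203.0.113.9 port 41003 ssh2
"""

FAIL_BURST = 5                        # failures by one source on one user ...
BURST_WINDOW = timedelta(minutes=10)  # ... inside this sliding window
SPRAY_USERS = 3                       # distinct users one source fails against


def parse(text: str, year: int = 2016):
    """Return (timestamp, success, user, ip) tuples in time order.
    Syslog lines carry no year, so one is supplied (assumed 2016)."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an auth event we care about
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"] == "Accepted", m["user"], m["ip"]))
    events.sort()
    return events


def detect(events):
    """Return alerts as (kind, user, ip); user is '*' for a spray alert."""
    alerts = []
    known_ips = defaultdict(set)   # user -> sources with an earlier success
    fails = defaultdict(list)      # (user, ip) -> failure timestamps in window
    sprayed = defaultdict(set)     # ip -> users it has failed against
    for ts, ok, user, ip in events:
        key = (user, ip)
        fails[key] = [t for t in fails[key] if ts - t <= BURST_WINDOW]
        if ok:
            # A success from a never-seen source right after a burst of
            # failures is the strongest sign the password was guessed.
            if ip not in known_ips[user] and len(fails[key]) >= FAIL_BURST:
                alerts.append(("success_after_burst", user, ip))
            known_ips[user].add(ip)
            fails[key].clear()
        else:
            fails[key].append(ts)
            if len(fails[key]) == FAIL_BURST:
                alerts.append(("brute_force", user, ip))
            sprayed[ip].add(user)
            if len(sprayed[ip]) == SPRAY_USERS:
                alerts.append(("password_spray", "*", ip))
    return alerts


def users_needing_reset(alerts):
    """Accounts where the attacker appears to have succeeded."""
    return sorted({u for kind, u, _ in alerts if kind == "success_after_burst"})


def analyze_sample():
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    alerts = analyze_sample()
    for a in alerts:
        print(a)
    print("reset:", users_needing_reset(alerts))
```

Note what does not fire: bob mistypes his password once from his usual address and then logs in, which is normal behaviour and produces no alert. Only alice, whose account was hit by a burst of failures and then opened from a source she had never used, lands on the reset list; that is the "change it when there is evidence" policy the post recommends, applied to logs rather than to a calendar.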
Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.