Why Required Password Changes Reduce Security

So I was listening to the Risky Business podcast this week and heard Adam Boileau mention something extremely juicy in passing during the news segment.

Patrick asked him about Microsoft removing password expiration in an upcoming version of Windows, and if he thought that was a good or bad thing. His response was super interesting.

They also mention later that there are exceptions where you definitely want to rotate them.

I’m certainly of the opinion that rotating passwords makes things actively worse. I have the data to assert that.

Adam Boileau, Risky Business Podcast #539

Patrick pushed further, and here’s how he expanded on it.

If you look at password changes over time there’s a direct correlation between the amount of entropy per password change and the number of times you change your password. The longer you’ve been at an organization the worse your password is because you’re forced to change it more often.

He went on to say that this is because, “you settle on a scheme.”

Patrick wanted him to write a report on this—which would be fantastic—but Adam said he’s too busy.

And 2FA of course.

But I thought it was a brilliant nugget, and too good not to capture.

Basically: empirical data showing that if users have super-strong, unique passwords, it's markedly worse to force them to change those passwords often, because the organization will end up with weaker ones over time.
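To make the "you settle on a scheme" mechanism concrete, here is a small model added for this post (it is not Adam's data and not anything from the podcast). It assumes a user who rotates by keeping a fixed core and bumping a counter, year or trailing character, and an attacker who already holds one old password (from a breach dump or a phished login). The transform list and the sample passwords are constructed for illustration; the naive entropy estimate is the usual charset-to-the-length figure that a password meter would report.

```python
"""Constructed model: why a rotation scheme collapses the effective entropy of a
password once an attacker knows a previous value. Added example, not the post's
or the podcast's data."""
import math
import re
import string
from typing import List, Optional

# Assumed catalogue of common rotation habits. An attacker holding the old
# password tries these derived candidates before any brute force.
def candidate_rotations(prev: str, max_counter: int = 100) -> List[str]:
    """Successor guesses derived from `prev` under typical rotation schemes."""
    guesses: List[str] = []
    # Scheme 1: trailing counter (Summer07 -> Summer08, Winter2019! -> Winter2020!)
    m = re.match(r"^(.*?)(\d+)(\W*)$", prev)
    if m:
        core, digits, tail = m.groups()
        n, width = int(digits), len(digits)
        for k in range(1, max_counter + 1):
            guesses.append(f"{core}{n + k:0{width}d}{tail}")
    # Scheme 2: bump any four-digit year found anywhere in the password.
    for year in re.findall(r"(?:19|20)\d{2}", prev):
        guesses.append(prev.replace(year, str(int(year) + 1)))
    # Scheme 3: append one extra digit or common symbol to the old password.
    for ch in string.digits + "!@#$":
        guesses.append(prev + ch)
    return guesses

def guesses_needed(prev: str, new: str) -> Optional[int]:
    """1-based position of `new` in the derived-guess list, or None if not derivable."""
    for i, guess in enumerate(candidate_rotations(prev), start=1):
        if guess == new:
            return i
    return None

def naive_bits(password: str) -> float:
    """History-blind estimate a password meter would give: len * log2(charset)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)

def effective_bits(prev: str, new: str) -> float:
    """Entropy as seen by an attacker who knows `prev`: log2(guesses needed),
    falling back to the naive figure when `new` is not derivable from `prev`."""
    n = guesses_needed(prev, new)
    return math.log2(n) if n else naive_bits(new)

def shares_scheme(prev: str, new: str) -> bool:
    """Policy check: reject a rotated password that is derivable from the old one."""
    return guesses_needed(prev, new) is not None

if __name__ == "__main__":
    # Constructed sample history for one user under a 90-day rotation policy.
    history = ["Winter2019!", "Winter2020!", "Winter2021!"]
    for prev, new in zip(history, history[1:]):
        print(f"{prev} -> {new}: meter says {naive_bits(new):.1f} bits, "
              f"attacker with old password needs {guesses_needed(prev, new)} guess(es), "
              f"effective {effective_bits(prev, new):.1f} bits")
    print("velvet otter tundra 91 derivable from Winter2021!?",
          shares_scheme("Winter2021!", "velvet otter tundra 91"))
```

The point the numbers make is the one in the quote: the meter reports roughly 72 bits for each "Winter" password, but every rotation after the first is worth a single guess to anyone who has seen the previous one. The `shares_scheme` check is the kind of control an organization that still rotates could add to its password-change path; it does nothing for a genuinely independent password like the passphrase in the last line, which the attacker would still have to brute-force.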

Good to know.

And I do hope Adam eventually writes that paper.

Notes

  1. It has always been intuitive to me, and I'm sure to many others, that if you rely on the human, they'll build security that matches their limitations (in this case memory). This is why there's been such a push for password managers. It was just so interesting to hear about actual data collected to support our intuition.
  2. Some might say we’ve not yet seen the data, so we can’t really come to any conclusions. My response is that you have to choose to trust if you want to expand your knowledge of the world beyond your own experience. And the Risky Business show, Patrick, and Adam are definitely on that list for me.



Daniel Miessler

