Users Often Pick Weak Passwords When Forced to Change Them, but That Is a Huge Mistake!

Many still think that forcing the user to change passwords often is a good thing, but there are quite a lot of security specialists who believe asking the user to change passwords periodically might be more harmful than useful. For example, two years ago Lorrie Cranor, a US Federal Trade Commission's Chief Technologist, posted a blog post, in which she reviewed results of various researches providing facts that suggest there might a negative side to forced password changing. Still, the debate whether changing your passcode is useful goes on, and a lot of companies still require their users to change passwords from time to time. In this article, we will explain why organizations should encourage their users to do this only when there is a reason to suspect the account might have been compromised.

Why some think it is safer to change passwords periodically?

The logic behind it is rather simple: if cybercriminals manage to obtain the user's password, for example, during a data breach, making the user replace the old combination would prevent hackers from hijacking it. In other words, companies that ask their users to replace their passcodes from time to time see it not as an inconvenience, but as a necessary safety precaution. Unfortunately, as we will explain in the next paragraph, forcing the user to change password does not guarantee his account will be protected from unwanted intruders as this security measure works only under ideal circumstances.

Why forcing the user to change password might be a bad idea?

You might have heard it many times before that a strong password has to be random and should consist of at least eight characters. Ideally, the combination you think of should use both lowercase and uppercase letters, numbers, and even symbols. It might sound complicated, but, in reality, it is not so difficult. For example, users could pick a longer phrase they would remember and then replace some of its letters with numbers or symbols. On the other hand, if the same passcode is being reused by slightly replacing its characters, it can no longer be considered secure even if it matches all the requirements we listed before.

You might not see any trouble in having to remember a couple or a few complex passwords, but what happens when you need to come up with new strong combinations periodically and memorize them too? No doubt, it is entirely possible you might forget the newly replaced passcode, and while the account might be safe against cybercriminals, you would be unable to access it yourself. Knowing this, many computer security specialists agree that asking the user to change password might make the situation so inconvenient users may feel forced to forget all cyber security tips. What we have in mind is some users may start reusing old passwords either switching between two combinations or picking less complicated variations so it would be easier to remember the new passcode.

Such behavior was observed in a study called The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis. It reviews results received from studying thousands of passwords gained from around 10 thousand university students and staff. The participants in the experiment were asked to replace their passwords every three months. What the researchers noticed is many of the participants simply replaced some of the characters in the old password to create a new one. Their next task was to attempt to crack these passwords. Surprisingly, they managed to guess passwords in less than five attempts for 17% of their studied accounts, while knowing the previous passcode.

Furthermore, another group of researchers explained that cybercriminals who obtain hashed passwords (random strings of characters derived from the attacked website) could apply offline cracking tools and test numerous combinations until they guess the password. Again, in this situation, changing the password with its slightly modified version would still not protect the account.

In conclusion, users forced to change password could pick up lousy password creating habits and consequently make it easier for hackers to hijack their accounts. Thus, trying to protect user accounts this way might do just the opposite.

What to do if you are forced to change your password?

Naturally, if you want to continue using the services where you are forced to change a password you have no other option but to comply. Nonetheless, with a dedicated password manager, you could create entirely new random passwords every time you are required to do so, and you would not even have to remember them.

For instance, Cyclonis Password Manager has a password generator that allows creating random passwords from letters, symbols, and numbers. The user can even choose the combinations length, which can be from 4 to 32 characters. Moreover, if you install the application's browser extension, it will ask you if you wish to save the password upon the first login and later on, you can look it up if you forget it. Also, the application has an auto-login feature that lets the user access his accounts without having to type any passwords or login names.

Another thing we should mention is Cyclonis Password Manager automatically asks and updates the password if the user changes it, so you do not have to worry about updating it manually. There is no need to worry about data safety either because the tool stores information in an encrypted vault created on the user's device or chosen cloud storage, which means the passwords you save will be kept safe. Lastly, one of the best parts is that Cyclonis Password Manager is free, and anyone can use it.