A month ago, a Rochester Institute of Technology professor wanted to debate whether users should be punished if they get hacked. This professor wanted to raise awareness of users' computer routines and how these affect their security. One of the most recommended routines, which users believe reduces their exposure, is changing their passwords frequently. It turns out that an FTC (Federal Trade Commission) Chief Technologist doesn't agree and, in fact, advises against frequent password changes.
Lorrie Faith Cranor is a professor in Computer Science and Engineering & Public Policy at the Carnegie Mellon University. She took the position of Chief Technologist at the FTC in January 2016.
According to a 2010 study (credit to ArsTechnica), when people change their passwords they tend to follow a pattern that is not that safe for their accounts' security. For example, if a user's old password was "theNo#taker", the user would change it to "thenO#taker", and so on. "They take their old passwords, they change it in some small way, and they come up with a new password," says Lorrie.
Most users fear they'll forget their passwords across all of their accounts. This fear can lead them to a kind of negligence towards their security, making them prone to choose the easiest way of remembering these passwords: a pattern.
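The predictable tweaks described above (changing case, swapping a letter for a look-alike digit, appending or bumping a trailing number) can be rejected at password-change time. The following is an added example written for this post, not code from the study or from any product it mentions; the normalization rules and the distance threshold of 3 are assumptions chosen for illustration.

```python
import unicodedata

# Common look-alike substitutions (assumed list) folded back to letters,
# so "th3No#taker" and "theNo#taker" compare as equal.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
_AFFIX_CHARS = "0123456789!@#$%^&*()-_=+[]{};:'\",.<>/?`~ "


def _normalize(pw: str) -> str:
    """Case-fold and undo look-alike substitutions."""
    return unicodedata.normalize("NFKC", pw).casefold().translate(_LEET)


def _strip_affixes(pw: str) -> str:
    """Drop leading/trailing digits and symbols, the usual 'tweak' positions."""
    return pw.strip(_AFFIX_CHARS)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, min_distance: int = 3) -> bool:
    """Return True when `new` is a predictable transformation of `old`.

    A password-change handler would reject such a change (or, better,
    not force periodic changes at all and only require a fresh password
    after a suspected compromise).
    """
    if new == old:
        return True
    a, b = _normalize(old), _normalize(new)
    if a == b:                                   # case flip or leet swap only
        return True
    if _strip_affixes(a) == _strip_affixes(b):   # digit/symbol bumped at an end
        return True
    if a in b or b in a:                         # old password embedded in new
        return True
    return _edit_distance(a, b) < min_distance   # only a couple of characters changed
```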
We do know there are alternatives, such as password managers like LastPass. But in June 2015 LastPass itself had a security breach, though it is worth mentioning that users' passwords were not exposed.
Even so, most computer users around the world don't use password managers, for various reasons; one of the most common is that even corporate or government networks don't make this kind of tool available to their employees.
So one IT professor wants to debate whether users should be punished for being hacked, another states that frequent password changes might not be such a good idea because of predictable human behavior, and large networks don't provide password managers to their users. It really leaves the user out in the open.