Research Says Forcing People To Change Their Passwords Is Bad

The U.S. National Institute of Standards and Technology (NIST) says decades of research now shows that forcing people to change their passwords periodically is actually detrimental to digital security.

Makes sense.

How many times in your life have you been forced to change a password, only to forget what it was the next time you tried to log in to a website or an app?

How many different passwords do you use, and therefore have to remember?

Do you find that sometimes it is easier to risk it with a less complicated password just so you won’t forget it?

You are not alone.

“We observed the memory load and annoyance it caused from interviews and self-reported data over 20 years ago. People told us coping strategies that lead to weaker passwords,” Angela Sasse at University College London told New Scientist. “The mystery is why that established scientific knowledge and official advice has not managed to shift outdated advice from certain certifications, the minds of auditors and a big part of the security industry.”

People can’t remember the endless passwords and begin making bad decisions like simply appending incrementing numbers to simple words or phrases – “password1”, “password2” and so on.

NIST, which works with companies to govern how software and websites verify users, says the new standard should be that companies “SHALL NOT require users to change passwords periodically.”

New Scientist also reports that as far back as 2018, a report by the United Kingdom’s National Cyber Security Centre (NCSC) stated, “Regular password changing harms rather than improves security. The user is likely to choose new passwords that are only minor variations of the old.”
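The “password1”, “password2” pattern above and the NCSC’s “minor variations of the old” point describe the same failure mode. The following is an added illustration, not code from NIST, the NCSC or New Scientist: a check a service could run on the rare occasions a reset really is required (for example after evidence of compromise) to reject a new password that is only a cosmetic tweak of the old one. The normalisation rules, the substitution table and the edit-distance threshold are assumptions chosen for the example.

```python
"""Flag a proposed new password that is only a minor variation of the old one.

Added example (assumed thresholds and rules), not guidance text from NIST or the NCSC.
It compares the two passwords raw and after folding the tweaks people reach for
when a forced change must "differ" from the last one: case changes, trailing
digit or symbol runs, and leetspeak-style substitutions.
"""
import re

# Assumed substitution table: common character swaps folded back to letters.
_SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def _normalise(pw: str) -> str:
    """Lower-case, strip a trailing run of digits/symbols, undo common substitutions.

    'Password2' -> 'password', 'pa55w0rd!' -> 'password', 'Summer2024!' -> 'summer'.
    """
    s = pw.lower()
    s = re.sub(r"[\d!@#$%^&*?.]+$", "", s)  # drop the incremented suffix
    return s.translate(_SUBS)


def _levenshtein(a: str, b: str) -> int:
    """Standard edit distance, computed with a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` differs from `old` only cosmetically.

    Three tests, any of which rejects the change:
      1. raw edit distance within `max_edits` ('password1' -> 'password2');
      2. equal or near-equal after normalisation ('Summer2023' -> 'summer2024!');
      3. one normalised form embedded in the other ('hunter' -> 'hunter-2024').
    """
    if old == new or _levenshtein(old, new) <= max_edits:
        return True
    n_old, n_new = _normalise(old), _normalise(new)
    if n_old and (n_old == n_new or _levenshtein(n_old, n_new) <= max_edits):
        return True
    if len(n_old) >= 4 and (n_old in n_new or n_new in n_old):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("password1", "password2"), ("Summer2023", "summer2024!"),
                     ("password1", "pa55w0rd!"), ("Tr0ub4dor&3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {'REJECT (minor variation)' if is_minor_variation(old, new) else 'ok'}")
```

The check needs the old password in clear text, so it can only run at the moment the user submits both the current and the new password in one change request; it is not something to retrofit onto stored hashes. It also does nothing about the root cause the article describes, which is why NIST's guidance is to drop periodic expiry rather than to police the replacements.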

As Alan Woodward at the University of Surrey, UK, told New Scientist, “If you make security difficult to use, or awkward to use, or you put the onus on the user all the time, it slowly becomes less and less effective.”

He instead recommends using two-factor authentication, such as combining a password with another form of identification, for example a one-time code sent to the user by text message.
