Why Required Password Changes Reduce Security

So I was listening to the Risky Business podcast this week and heard Adam Boileau mention something extremely juicy in passing during the news segment.

Patrick asked him about Microsoft removing password expiration in an upcoming version of Windows, and if he thought that was a good or bad thing. His response was super interesting.

They also mention later that there are exceptions where you definitely want to rotate them.

I’m certainly of the opinion that rotating passwords makes things actively worse. I have the data to assert that.

Adam Boileau, Risky Business Podcast #539

Patrick pushed further, and here’s how he expanded on it.

If you look at password changes over time there’s a direct correlation between the amount of entropy per password change and the number of times you change your password. The longer you’ve been at an organization the worse your password is because you’re forced to change it more often.

He went on to say that this is because, “you settle on a scheme.”

Patrick wanted him to write a report on this—which would be fantastic—but Adam said he’s too busy.

And 2FA of course.

But I thought it was a brilliant nugget, and too good not to capture.

Basically, empirical data showing that if you’re using super-strong passwords—that are unique—it’s markedly worse to force users to change them often because the organization will end up with weaker ones over time.

Good to know.

And I do hope Adam eventually writes that paper.

Notes

  1. This has always been intuitive to me, and I’m sure many others, that if you rely on the human they’ll build security that matches their limitations (in this case memory). This is why there’s been such a push for password managers. It was just so interesting to hear about actual data collected to support our intuition.

  2. Some might say we’ve not yet seen the data, so we can’t really come to any conclusions. My response is that you have to choose to trust if you want to expand your knowledge of the world beyond your own experience. And the Risky Business show, Patrick, and Adam are definitely on that list for me.

Related posts: