FBI Tell Users to Change Passwords Frequently, Experts Say This Is Bad Advice

Exterminator

You’d normally expect the FBI to provide us with the most efficient security tips, but a tweet published recently by the Bureau made many security experts raise their eyebrows and wonder who is actually behind these posts.

Specifically, on November 25 the FBI tweeted a piece of advice that’s supposed to help people stay secure during the holiday shopping season, when cybercriminals are also very busy trying to steal our information.

“Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently,” the FBI posted.

And while keeping accounts secure and using strong passwords are indeed good recommendations, it’s the last part that caused controversy. Changing passwords frequently has often been described as bad practice, especially because doing this repeatedly can eventually lead to users turning to easy-to-remember passwords that can be quickly compromised by hackers.

Furthermore, it’s been proven that corporations forcing their employees to change their passwords on a frequent basis are actually more exposed for the same reasons: workers end up using simpler passwords that are easier to remember, and this can’t lead to anything good.

Security experts: Nope
Security experts have questioned the FBI’s tweets, and one of those who recommended exactly the opposite is Per Thorsheim, who founded his own password conference to discuss the importance of passwords.

In a statement for Motherboard, Thorsheim explained that changing passwords frequently is a thing that you shouldn’t do and there are other ways to remain secure online.

“I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea,” he said.

“While I don't know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI.”

So how exactly can you protect yourself online without actually changing passwords frequently? The easiest way to do this is to use a password manager that can help generate complex passwords that are difficult to compromise. Furthermore, make sure you enable two-factor authentication whenever it’s possible, and avoid using the same password for more than one service.
 

SHvFl

> has been often described as bad practice, especially because doing this repeatedly can eventually lead to users turning to easy to remember passwords that can be quickly compromised by hackers.
Are the dudes at Softpedia useless? Have password managers never appeared on their planet?
And these experts are experts in what? Assuming things and not giving proper advice, or replying to random reporters who also know nothing?

Can't they just add "use a password manager" and support the ONE very good idea the FBI had for 2016?
 

XIII

I only change my passwords if I forget them. As long as you're secure on your base system and you're not logging into your accounts on an insecure PC, I don't see how changing your password makes you any more secure. Obviously your password can't be something obvious, though. Do we trust the FBI or the experts?
 

DardiM

> I only change my passwords if I forget them. As long as you're secure on your base system and you're not logging into your accounts on an insecure PC, I don't see how changing your password makes you any more secure. Obviously your password can't be something obvious, though. Do we trust the FBI or the experts?

Maybe the FBI wants our accounts to be less strong :D
 

Dirk41

> Are the dudes at Softpedia useless? Have password managers never appeared on their planet?
> And these experts are experts in what? Assuming things and not giving proper advice, or replying to random reporters who also know nothing?
>
> Can't they just add "use a password manager" and support the ONE very good idea the FBI had for 2016?

Speaking in general, not everyone knows pw managers as well as other security tools :)

I would know almost nothing if I weren't here :)
 

Fritz

I usually set a very strong password and that's it. Don't feel like going through the trouble of switching things up regularly for every single login I use. Of course, that wouldn't be possible without a password manager really.

The thing is that often corporate users aren't able to install just whatever software they want. Take the password manager out of the equation, add mandatory changes at regular intervals, and yes, you've just diminished your security.

We had that in the military, everybody had to change their password every month in order to access a friggin spare part catalogue we only needed once in a blue moon really. So in case we did remember to change the password, we just added the number of the month. After a few months people started to forget what number they used last, so in the end only one dork ended up having a password. When he managed to forget as well, we finally had IT issue new ones for everybody. Wash, rinse, repeat. :p
 
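The month-number rotation Fritz describes above, like the "simpler passwords" the article warns about, is a pattern a password-change policy can reject at the moment of the change instead of discovering it after a breach. The Python below is an added example, not code from the article or from anyone in this thread; the regex, the 0.8 similarity threshold and the sample history are my own assumptions:

```python
"""Flag a password 'rotation' that is really the old password plus a counter,
month or year. Added example, not code from the article or from any poster;
the regex, threshold and sample data are assumptions made for illustration."""
import re
from difflib import SequenceMatcher

MONTHS = (r"jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|"
          r"aug(?:ust)?|sept?(?:ember)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?")
# One or more trailing "variable" chunks: optional separator, digits or a month
# name, optional trailing punctuation. Anchored at the end of the string.
TAIL_RE = re.compile(rf"(?:[-_.!@#$]*(?:\d{{1,4}}|{MONTHS})[!@#$]*)+$", re.IGNORECASE)


def stem(password: str) -> str:
    """Drop the tail a user changes between forced rotations; case-fold the rest."""
    return TAIL_RE.sub("", password).casefold()


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is predictably derived from `old`: same stem with a
    different counter/month/year, a case change, or a near-identical string."""
    old_cf, new_cf = old.casefold(), new.casefold()
    if old_cf == new_cf:
        return True
    old_stem = stem(old)
    if old_stem and old_stem == stem(new):
        return True          # Catalogue03 -> Catalogue04, Winter2015 -> Winter2016
    # Catch single-character substitutions such as Password! -> Passw0rd!
    return SequenceMatcher(None, old_cf, new_cf).ratio() >= threshold


def rotation_violations(history: list[str], new: str) -> list[str]:
    """Return every previous password in `history` that `new` is a trivial
    rotation of; an empty list means the change is a genuinely new secret."""
    return [old for old in history if is_trivial_rotation(old, new)]


if __name__ == "__main__":
    # Constructed sample: a fake history produced by a monthly-rotation policy
    history = ["Catalogue01", "Catalogue02", "Catalogue-Mar2016!"]
    for candidate in ("Catalogue04", "catalogue-apr2016", "xK7#qL2v!nR9pW3e"):
        hits = rotation_violations(history, candidate)
        print(f"{candidate!r}: {'REJECT ' + str(hits) if hits else 'accept'}")
```

Only the last candidate, a password-manager-style random string, passes; the first two are the month-counter pattern from the anecdote and would be refused.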

Cohen

No, I don't change my passwords frequently.
I change my passwords when I have a reason to such as hearing about a possible database breach or I'll change them once or twice a year depending on the website and if I remember to change them.
 

motox781

> I only change my passwords if I forget them. As long as you're secure on your base system and you're not logging into your accounts on an insecure PC, I don't see how changing your password makes you any more secure. Obviously your password can't be something obvious, though. Do we trust the FBI or the experts?

I agree with your statement, but I'll elaborate more.

I only change my passwords when I forget them or when an article states that the company was hacked and usernames/passwords were stolen.

In the FBI's defense, the only reason to change them often would be to circumvent 'unknown' hacks we don't know about OR unknown malware (keylogger, etc.).

There is no reason to change passwords (assuming they are secure). They don't gradually become less secure for some crazy reason (unless the database that holds them is insecure, which seems to happen more and more every day).

I use LastPass. LastPass is making it easier to change passwords on the fly with the click of a button. Great feature!

So to fix this password issue, the people that hold our passwords are the real solution (or a technology change away from text passwords entirely):

1. Company databases need to encrypt info.
2. Servers need to geo restrict logins (IP general location).
3. Use 2-factor authentication (I never liked 2-factor. Always felt like a band-aid).

Sort of in that order. I know some companies probably do this, some don't.

Maybe someone else can explain this to me: why is it that when you hear about big organizations getting hacked, hackers are able to retrieve usable usernames/passwords, etc.? Organizations don't all encrypt this info?! Or do they and we just don't hear about that detail in the story?

I guess after reading this long rant, I realized that there is no REAL solution to any of this ATM :p There will always be ways to circumvent any type of authentication. We just have to limit the amount of breaches with new technologies that are easy to use for end users and effective in practice.
 

soccer97

When a company requires people to change their passwords to 15+ characters (using #'s, symbols, capitals, and proactively blocking PII and a few other things), users will get tired and start making them easier. Then the company finally gets it and licenses a password manager due to all of the complaints to IT (I don't blame them). It does get old, especially when Single Sign-On is not implemented. Password managers make a big difference, and thus the cost of them is increasing. Whoever created the idea and has the best one was a wise man, and is probably quite wealthy.

When I forget them, when I learn of a breach, and in certain other circumstances, but not once a month.
 

Axelrod Sven

I follow a system like this:
If a website has been hacked, change immediately.
If 2-factor, change once a year.
If I'm allowed a password of length 8-32 and/or a limited choice of symbols, change very frequently.
Length 33-64, less frequently.

And hurray for Password Managers. One would expect the geeks to know about password managers. Or maybe to keep costs low, companies just don't want to buy them.
 
