advancedenglish_ice吧 关注:126贴子:2,997
  • 9回复贴,共1

Why changing password regularly may do more harm than good

只看楼主收藏回复

By Andrea Peterson March 2
Most office drones have had to deal with a job that requires them to keep changing their passwords like clockwork, maybe every six months or so. The longstanding IT security practice is based on the idea that flushing out old passwords will cut off access for bad guys who may have figured them out.
But according to the Federal Trade Commission's chief technologist, Lorrie Cranor, the strategy has some major holes.
"Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases," Cranor wrote Wednesday in a blog post entitled "Time to rethink mandatory password changes."
That's because forcing people to keep changing their passwords can result in workers coming up with, well, bad passwords.
That point is supported by research Cranor conducted at Carnegie Mellon University. It found that users who felt the institution's password policy was annoying came up with passwords that were 46 percent more likely to be guessed than those who supported frequent password changes.
Other research suggests that such password changes may not actually help keep bad guys out for long.
Although password expiration can help reduce the fallout "of some password compromises,"a 2009 publication from the National Institute of Standards and Technology explained, it's also "a source of frustration to users."
And because those users are "are often required to create and remember new passwords every few months for dozens of accounts," they "tend to choose weak passwords and use the same few passwords for many accounts," according to NIST.
In a 2010 study cited by Cranor, researchers at the University of North Carolina at Chapel Hill looked at a data set of thousands of old passwords belonging to former students, faculty and staff at the university who had to change their password every three months.
They found that users often followed patterns that linked old passwords to new passwords -- such as swapping the order of meaningful numbers and letters, replacing a letter with a common number or symbol substitute (think changing an E into a 3), or adding or removing special characters like exclamation marks.
Using a tool they designed to predict those type of changes, the researchers could predict how users would change their passwords for 41 percent of the accounts in less than three seconds using a relatively low-powered computer. The researchers also determined passwords for 17 percent of the accounts in fewer than five guesses.
Another 2013 study, by researchers at Carleton University, also noted that in some cases, an attacker installed software that spies on users as they type. So changing a password in this scenario has no benefit. The attacker will just be able to scoop up the new password the next time they log in.
None of this means changing passwords is always a bad idea. Cranor notes a number of reasons why mixing it up could be a good thing -- if you think your password has been stolen, if you're reusing passwords across different services, or even if your password is just plain weak.
But despite the conventional wisdom, it's not clear that forcing users to change passwords on a regular basis actually makes sense for all workplaces.
A better idea may be for employers to explore log-in options that go beyond basic passwords -- such as biometrics or two-factor methods that require users to also prove who they are by plugging unique codes sent via text for each log-in.
"In the longer term, we believe our study supports the conclusion that simple password-based authentication should be abandoned outright," the UNC researchers wrote.


1楼2016-03-05 16:55回复
    原文链接:https://www.washingtonpost.com/news/the-switch/wp/2016/03/02/the-case-against-the-most-annoying-security-measure-virtually-every-workplace-uses/?postshare=7481457019956338&tid=ss_mail
    如果不知道怎么评论,请点击原文,页面下方有外国人的评论,方便学习。


    2楼2016-03-05 16:58
    回复
      2026-07-05 10:28:24
      广告
      不感兴趣
      开通SVIP免广告
      Well,my account never been stolen,I can say i am lucky boy. It's interesting and easy news as well as long!


      IP属地:宁夏来自iPhone客户端4楼2016-03-05 22:46
      收起回复
        I had experiences of forgetting my own passwords when I was required to create passwords combining numbers, letters (sometimes capitalized letter), underscore characters, etc.


        5楼2016-03-06 09:22
        回复
          0204140307:I want to say,no matter how easy my accounts are,no one is willing to steal them,maybe it's because my accounts are worthless in others' eyes.


          IP属地:湖南来自手机贴吧6楼2016-03-06 16:43
          收起回复
            0308140116:Now,there is many password saver softwares on internet such as KeePass and LastPass.They can help you save the passward and are very safe.You can inquire password by phone or computer.


            IP属地:湖北7楼2016-03-06 20:32
            收起回复