Passwords: One of the oldest rules is completely wrong

Online services often ask you to change your password every two or three months to keep your account secure. It is actually a very controversial security measure, and many consider it completely wrong.

Federal Trade Commission chief technologist Lorrie Cranor debunked the myth earlier this week at a security conference in Las Vegas.

The technologist argued that services requiring periodic password changes could have the opposite effect, making your password less secure. The reason is that when users are required to change their password, they end up reusing their old password with a small change.

A lowercase letter can be changed to a capital letter. Or an extra letter or character could be added towards the end. Researchers call these little tricks "transformations," and hackers are well aware of them.

Thus, the makers of password crackers can anticipate these transformations in their cracking routines.
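A service can test for these transformations itself when a password is changed, since the user submits both the current and the new password at that moment. The sketch below is an added example, not code from the article or from the UNC study; it goes beyond the two tricks named above by also checking for a shared base word and a small edit distance, and the function names, the `max_edits` threshold and the sample passwords are assumptions made for illustration.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed with a two-row table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def transformation_reason(old: str, new: str, max_edits: int = 2):
    """Return a reason string if `new` is a simple transformation of `old`,
    otherwise None. `max_edits` is an assumed threshold, not a standard."""
    if new == old:
        return "identical"
    o, n = old.lower(), new.lower()
    if o == n:
        return "case change only"
    if n.startswith(o) or o.startswith(n):
        return "characters added or dropped at the end"
    # Compare what is left after stripping trailing digits and symbols.
    base_o, base_n = (re.sub(r"[^a-z]+$", "", s) for s in (o, n))
    if base_o and base_o == base_n:
        return "same base word, different suffix"
    if edit_distance(o, n) <= max_edits:
        return "small edit"
    return None

# Constructed sample pairs (old, new), not taken from any real data set.
SAMPLES = [
    ("Tarheels#1", "tarheels#1"),
    ("tarheels#1", "tarheels#1!"),
    ("Autumn2015!", "Autumn2016?"),
    ("sunshine", "sunsh1ne"),
    ("tarheels#1", "x7Qv-mule-Garnet"),
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        print(f"{old!r} -> {new!r}: {transformation_reason(old, new) or 'accepted'}")
```

The comparison needs the old password in plaintext, so it only works at change time and cannot be run against stored hashes.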

"UNC researchers report that people who had to change their passwords every 90 days use a pattern and do what we call transformation," Cranor said, according to Ars Technica.

"They get their old passwords, change them somehow, and so they have a new password."

Cranor relied on a 2010 UNC survey that checked data from 7700 accounts that were required to change their passwords regularly.

Security expert Bruce Schneier fully agrees.

"I have said for years that it is not good security advice to encourage bad passwords."

This does not mean that changing your password is never a good idea. If your password was in the data of a major breach, like that of LinkedIn, and you also use it on other sites and services, you should of course change it.

A long password (with lots of random lowercase and uppercase letters and numbers) is harder to crack, as it reduces the chances of someone guessing it and adding it to a dictionary used by password crackers.

iGuRu.gr The Best Technology Site in Greece


Written by Dimitris
