A separate study from researchers at Carleton University provided a mathematical demonstration that frequent password changes hamper attackers only minimally and probably not enough to offset the inconvenience to end users. Via: Ars Technica
Over the past few years, organizations including the National Institute of Standards and Technology in the US and UK government agency CESG have also concluded that mandated password changes are often ineffective or counterproductive. And now, thanks to Cranor, the FTC has also come around to this thinking. But don't count on everyone doing away with regular password changes.
Frequent password changes may make security worse
Posted on Thursday, August 04 2016 @ 18:35 CEST by Thomas De Maesschalck
One of the things I dislike online is websites that force you to change your password at regular intervals. This supposedly strengthens security, but now FTC chief technologist Lorrie Cranor claims a growing number of security experts believe frequent password changes do little to improve security and very possibly make it worse by encouraging users to use passwords that are more susceptible to cracking: