Now I Know: Why "It's Time to Change Your Password" May Be a Bad Idea

I had to do this at a former job and it drove me crazy -- so I'm glad to learn that it probably is a bad idea. -- Dan
 

Why "It's Time to Change Your Password" May Be a Bad Idea

In the fall of 2014, a North Korean-backed hacker group called the "Guardians of Peace" released a treasure trove of data stolen from Sony Pictures. The hack was designed to pressure the movie studio into not releasing a movie titled "The Interview," a comedy about a hypothetical plot to assassinate North Korean leader Kim Jong-un. The embarrassment from the hack was extensive -- at least one Sony executive lost her job over revelations from the emails that the hackers obtained, and Sony spent millions over the subsequent months to address the fallout.

And of course, the Sony hack wasn't the only cybersecurity incident then or since. According to a 2022 report by IBM, the average cost of a data breach in the United States is more than $9 million, and most companies -- 83% of those surveyed -- believe that some sort of data breach is a question of when, not if. Suffice it to say that cybersecurity is a major concern for businesses small and large.

To protect against hacks, many companies require employees to change their passwords often -- some as frequently as every two weeks. It's common sense, right? If a bad guy gets your password, but you change it before he can use it, what he has is worthless, right?

Well -- probably not. In this case, conventional wisdom may be counterproductive.

In 2009-2010, researchers at the University of North Carolina dug into the question. The FTC summarizes their experiment:
The UNC researchers obtained the passwords to over 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every 3 months. For each account, the researchers were given a sequence of 4 to 15 of the user’s previous passwords – their total data set contained 51,141 passwords. The passwords themselves were scrambled using a mathematical function called a “hash.” 
In theory, that data should be useless -- old passwords, again, are not the users' current passwords. But we're creatures of habit, and even though our employers want us to use brand new passwords, we prefer to use memorable ones. Per the FTC's summary, the researchers "observed that users tended to create passwords that followed predictable patterns, called 'transformations,' such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end)."

And unfortunately for anyone looking to protect a network from malfeasors, those "transformations" gave the UNC researchers enough information to predict other possible passwords. Given multiple tries, the research team was able to guess the last-used password of 60% of the accounts. In other words, changing passwords often gives hackers a rather easy way in.
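The same "transformation" patterns can be turned around and used defensively: at password-change time, when the user supplies both the old and the new password in plaintext, a policy check can reject a new password that is merely a predictable tweak of the old one. The script below is an added example written for this newsletter, not code from the UNC study or the FTC; the look-alike symbol map and the edit-distance threshold are assumptions chosen for illustration.

```python
import re

# Symbol-for-letter swaps of the kind the study describes (S -> $); this map is
# an assumed, illustrative set, not the UNC researchers' own list.
LOOKALIKES = str.maketrans({"$": "s", "@": "a", "|": "l", "(": "c", "+": "t"})


def normalize(pw: str) -> str:
    """Case-fold and undo look-alike symbol swaps ('P@$$word' -> 'password')."""
    return pw.lower().translate(LOOKALIKES)


def core(pw: str) -> str:
    """Drop digits/punctuation from both ends so 'Summer2023', '2024Summer'
    and 'Summer2023!!' all reduce to the same word, 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", normalize(pw))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_transformation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable tweak of `old` and should be rejected:
    incremented number, moved digits, added/removed punctuation, look-alike
    symbols, or at most `max_edits` single-character edits overall."""
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return True
    return edit_distance(normalize(old), normalize(new)) <= max_edits


if __name__ == "__main__":
    # Constructed sample: one old password and the changes a habit-driven user
    # might attempt; none of these are real credentials.
    for candidate in ["Summer2024", "2023Summer", "$ummer2023!!", "Winter2023"]:
        verdict = "reject" if is_trivial_transformation("Summer2023", candidate) else "accept"
        print(f"Summer2023 -> {candidate}: {verdict}")
```

Because only the immediately previous password is available in plaintext at change time, this catches one-step transformations; a user who alternates between two passwords still needs a stored-history (hash comparison) check.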

This isn't a surprise to the U.S. government, though. That FTC article is from 2016 -- seven years ago -- and concludes that "frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely." The National Institute of Standards and Technology (part of the U.S. Department of Commerce), per PC Mag, came to a similar conclusion in 2017: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise." So if you're asked to change your password for no reason, you may want to let your cybersecurity team know: they may be making the company less safe.



Bonus fact: "The Interview" almost sparked a second Korean war. There's a South Korean-based human rights organization called "Fighters for a Free North Korea" that, as Wikipedia's editors summarize, "is known for periodically launching balloons carrying human rights and pro-democracy literature, DVDs, transistor radios and USB flash drives from South Korea into North Korea." To date, the organization has launched more than two million balloons, and of course, the North Korean government isn't a fan of their efforts. The organization announced that they planned to airdrop "The Interview" in December of 2014, but as ABC News Australia reports, they scrubbed the mission "following criticism from Seoul and dire warnings of military reprisals from Pyongyang." Specifically, North Korea warned that they would go to war to prevent the movie from entering its borders: "The North Korean military said it would respond to the activists' operation by shooting down any balloons using 'all the firepower strike means' of frontline border units" and would respond with even heavier fire if South Korea took military action to prevent the balloon shoot.

From the Archives: The Tractors that Turn Farmers into Hackers: I'm pretty sure recent litigation has made this totally legal, but I have to check.

Copyright © 2023 Now I Know LLC, All rights reserved.
