Now I Know: Why "It's Time to Change Your Password" May Be a Bad Idea

I had to do this at a former job and it drove me crazy -- so I'm glad to learn that it probably is a bad idea. -- Dan
 

Why "It's Time to Change Your Password" May Be a Bad Idea

In the fall of 2014, a North Korean-backed hacker group called the "Guardians of Peace" released a treasure trove of data stolen from Sony Pictures. The hack was designed to pressure the movie studio into not releasing a movie titled "The Interview," a comedy about a hypothetical plot to assassinate North Korean leader Kim Jong-un. The embarrassment from the hack was extensive -- at least one Sony executive lost her job over revelations from the emails that the hackers obtained, and Sony spent millions over the subsequent months to address the fallout.

And of course, the Sony hack wasn't the only cybersecurity incident then or since. According to a 2022 report by IBM, the average cost of a data breach in the United States is more than $9 million, and most companies -- 83% of those surveyed -- believe that some sort of data breach is a question of when, not if. Suffice it to say that cybersecurity is a major concern for businesses small and large.

To protect against hacks, many companies require employees to change their passwords often -- some as frequently as every two weeks. It's common sense, right? If a bad guy gets your password, but you change it before he can use it, what he has is worthless, right?

Well -- probably not. In this case, conventional wisdom may be counterproductive.

In 2009-2010, researchers at the University of North Carolina dug into the question. The FTC summarizes their experiment:

The UNC researchers obtained the passwords to over 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every 3 months. For each account, the researchers were given a sequence of 4 to 15 of the user’s previous passwords – their total data set contained 51,141 passwords. The passwords themselves were scrambled using a mathematical function called a “hash.”

In theory, that data should be useless -- old passwords, again, are not the users' current passwords. But we're creatures of habit, and even though our employers want us to use brand new passwords, we prefer to use memorable ones. Per the FTC's summary, the researchers "observed that users tended to create passwords that followed predictable patterns, called 'transformations,' such as incrementing a number, changing a letter to a similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end)."

And unfortunately for anyone looking to protect a network from malfeasors, those "transformations" gave the UNC researchers enough information to predict other possible passwords. Given multiple tries, the research team was able to guess the last-used password of 60% of the accounts. In other words, changing passwords often gives hackers a rather easy way in.
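As an added illustration (not code from this newsletter, the FTC, or the UNC study), here is a check a password-change form could run to reject a new password that is just one of the four "transformations" listed above applied to the old one. The function names, the look-alike map and the sample passwords are constructed for this example, and it only recognizes a single transformation at a time.

```python
"""Flag a new password that is a predictable 'transformation' of the old one."""

# Assumed look-alike map (illustrative; the article only gives S -> $ as an example).
LOOKALIKES = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "!": "i"})


def _parts(pw):
    """Split a password into its letters, digits and special characters, in order."""
    letters = "".join(c for c in pw if c.isalpha())
    digits = "".join(c for c in pw if c.isdigit())
    specials = "".join(c for c in pw if not c.isalnum())
    return letters, digits, specials


def _fold(pw):
    """Lower-case the password and undo look-alike substitutions."""
    return pw.lower().translate(LOOKALIKES)


def find_transformation(old, new):
    """Return the name of the transformation linking old to new, or None."""
    if old == new:
        return "unchanged"
    o_let, o_dig, o_spec = _parts(old)
    n_let, n_dig, n_spec = _parts(new)
    if o_let == n_let:  # same letters in the same order
        if sorted(o_dig + o_spec) == sorted(n_dig + n_spec):
            return "reordered"            # digits/specials moved around
        if o_dig == n_dig:
            return "special-char change"  # e.g. "!!!" became "!!"
        if o_spec == n_spec:
            return "number change"        # e.g. 2015 became 2016
    if _fold(old) == _fold(new):
        return "look-alike substitution"  # e.g. S became $
    return None


if __name__ == "__main__":
    # Constructed sample pairs, one per transformation, plus an unrelated password.
    pairs = [("Summer2015!", "Summer2016!"), ("Sunshine", "$unshine"),
             ("Welcome!!!", "Welcome!!"), ("Autumn42#", "42#Autumn"),
             ("Summer2015!", "quiet-harbor-lamp-73")]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {find_transformation(old, new) or 'no simple link'}")
```

The check needs no stored plaintext: a change form already asks for the current password alongside the new one, so the comparison can happen at that moment.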

This isn't a surprise to the U.S. government, though. That FTC article is from 2016 -- seven years ago -- and concludes that "frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely." The National Institute of Standards and Technology (part of the U.S. Department of Commerce), per PC Mag, came to a similar conclusion in 2017: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise." So if you're asked to change your password for no reason, you may want to let your cybersecurity team know: they may be making the company less safe.



Bonus fact: "The Interview" almost sparked a second Korean war. There's a South Korean-based human rights organization called "Fighters for a Free North Korea" that, as Wikipedia's editors summarize, "is known for periodically launching balloons carrying human rights and pro-democracy literature, DVDs, transistor radios and USB flash drives from South Korea into North Korea." To date, the organization has launched more than two million balloons, and of course, the North Korean government isn't a fan of their efforts. The organization announced that they planned to airdrop "The Interview" in December of 2014, but as ABC News Australia reports, they scrubbed the mission "following criticism from Seoul and dire warnings of military reprisals from Pyongyang." Specifically, North Korea warned that they would go to war to prevent the movie from entering its borders: "The North Korean military said it would respond to the activists' operation by shooting down any balloons using 'all the firepower strike means' of frontline border units" and would respond with even heavier fire if South Korea took military action to prevent the balloon shoot.

From the Archives: The Tractors that Turn Farmers into Hackers: I'm pretty sure recent litigation has made this totally legal, but I have to check.

Copyright © 2023 Now I Know LLC, All rights reserved.