Paula Luckhoff, 1 October 2024 | 14:28

Password fatigue: Requiring people to change passwords is a bad idea - security expert

The conventional wisdom of needing to change passwords regularly is being turned on its head.


Photo: Pexels/Sora Shimazaki (cropped)

Mike Wills interviews Professor Steven Murdoch, head of the Information Security Research Group at University College London.

Are you suffering password 'fatigue'? It seems we're constantly under pressure to create passwords for new sites, or change those we already have for existing sites.

Conventional wisdom dictated that we change our passwords regularly, and complicate them with characters like symbols.

This view is changing: in the US, the National Institute of Standards and Technology (NIST) is drafting new guidance for password verifiers that could reverse decades of bad practice.

In the UK, the National Cyber Security Centre (NCSC) has advised against forced password changes since at least 2015, reports Forbes.

"The NCSC describes it as being a counter-intuitive security scenario. The more that users are forced to change a password, the greater the risk that it can be successfully cracked."

Mike Wills gets comment from Professor Steven Murdoch, head of the Information Security Research Group at University College London (UCL).

The US directive is a welcome move, Prof. Murdoch says.

"We've known in the security research field for decades, that requiring people to change passwords is a bad idea. I'm pleased to see that finally regulation is starting to catch up."
"The guidance is saying that there should be more flexibility - so, symbols are fine if you want to use those, but if you instead want to use a longer password then that's also perfectly fine."
Prof. Steven Murdoch, Head: Information Security Research Group - University College London
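To make the two approaches concrete, here is an added example (not code from the article, UCL or NIST) that puts a legacy composition-plus-expiry rule set next to rules in the spirit of NIST SP 800-63B: a minimum length, no required character classes, no periodic expiry, and a check against known-breached passwords. The breached-password set is a constructed stand-in for a real corpus, and the 128-character upper cap is an assumption (800-63B only requires that at least 64 characters be permitted).

```python
"""Legacy password rules beside NIST SP 800-63B-style rules.

Added example, not the page's or NIST's code. Illustrates why a long
passphrase is rejected by the old rules yet accepted by the new ones,
while a short "complex" password that has leaked passes the old rules
and is rejected by the new ones.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import secrets
import string
import unicodedata

# Constructed stand-in for a breached-password corpus: SHA-1 of a few
# well-known leaked passwords. A real verifier would consult a full
# corpus (for example a k-anonymity range lookup against Have I Been Pwned).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("P@ssw0rd1!", "Password123", "qwerty")
}

MAX_LEN = 128  # assumption: a generous cap; 800-63B requires >= 64 be allowed


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)  # empty when accepted


def legacy_policy(password: str, last_changed: date, today: date) -> Verdict:
    """Old-style rules: 8+ chars, one of each character class, forced change every 90 days."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        reasons.append("missing lowercase letter")
    if not any(c.isupper() for c in password):
        reasons.append("missing uppercase letter")
    if not any(c.isdigit() for c in password):
        reasons.append("missing digit")
    if not any(c in string.punctuation for c in password):
        reasons.append("missing symbol")
    if today - last_changed > timedelta(days=90):
        reasons.append("older than 90 days, change required")
    return Verdict(not reasons, reasons)


def modern_policy(password: str, compromised: bool = False) -> Verdict:
    """Rules drawn from NIST SP 800-63B: length and a breach check only.

    Symbols are allowed but never required, and there is no calendar expiry.
    The only event that forces a change is evidence of compromise.
    """
    reasons = []
    # Normalise first so visually identical Unicode forms compare equal
    # (800-63B recommends NFKC normalisation before hashing).
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("appears in breached-password list")
    if compromised:
        reasons.append("credential reported compromised, change required")
    return Verdict(not reasons, reasons)


def generate_manager_password(length: int = 20) -> str:
    """The kind of per-site random password a password manager produces."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    today = date(2024, 10, 1)
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", generate_manager_password()):
        print(repr(candidate))
        print("  legacy:", legacy_policy(candidate, today - timedelta(days=30), today))
        print("  modern:", modern_policy(candidate))
```

Run with no arguments to see the three verdicts. The breach check hashes the candidate so the plaintext list never sits in source or logs; swapping the constructed set for a real corpus is the only change a production verifier would need.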

According to Murdoch, the real aim behind this advice is to encourage people to use password managers.

These tools will deal with the complexity and allow you to use long secure passwords, while not having to remember them yourself, he says.

"Password managers are sometimes software you can download or are often built into web browsers, and they create a password for every website that you visit and then remember all those passwords."
"That means you can unlock your phone with your face or your fingerprint, and it will automatically type in the password into each of these websites...There are more modern versions now called passkeys, which make the security even better."
Prof. Steven Murdoch, Head: Information Security Research Group - University College London

Professor Murdoch says the advice to change passwords regularly was advice that made sense for very early computer systems in the 70s and 80s, but no longer does.

The reason it stuck is that there was reluctance to change it until a government or regulator took action, he adds.

For more detail, listen to the interview audio at the top of the article