Study: Permanent change of passwords is a waste of time

With the last IT managers and their data and identity security topics, it was always a challenge for me to find another password instead of ‘iloveyou’ or a mixture of birthday numbers. The question is: Is this permanent change of passwords really as effective as possible and in favor of our security? One thing is for sure: if users have a password manager, they just need to remember one powerful super password.

The Microsoft researcher Cormac Herley has now found that the hype around passwords can be doubted. Herley states that users who ignore security advice are acting rationally – and not being lazy or stupid. The study also concludes that changing passwords constantly is a giant waste of time and money. Plus: It makes the users no safer from identity thieves.

Herley sums up that a task requiring one minute per day from every working adult in the U.S. costs about $15.9 billion per year. Unnecessary security advice “treats as free a resource that is actually worth $2.6 billion an hour.” Does that make sense from an ROI perspective?

The strategy of thieves is not to go for dictionary attacks. These won’t break security. Capturing security credentials through phishing or keylogging is the most effective way. The main issue of the paper is the common requirement that users have to change passwords at specified intervals. A hacker who steals your password will use it straight away – waiting is not his tactic.

“Insisting that users choose a unique strong password for each (account) which they change often and never write down is clearly a large burden.”

Spot On!
How do you see this study? Is the mega password with the password manager the best option for security?