It doesn’t matter what your background is, or where you went to school, or what kind of jobs you had before you went out as a solosmall attorney. At some point, you were chained to some program or some institution that demanded you change your password every 30 or 60 or 90 days. Given that there’s no way to ignore such an edict, everyone dutifully changes their password.

The problem with this is that there are typically only a finite number of ways people will remember password after password when you have to come up with a half-dozen a year (and this gets much worse if you use multiple services that require frequent password changes).

If people do not use a password manager to generate new strong passwords—which may not even be an option if you are working somewhere that doesn’t allow you to run your own software—then the chances are high that passwords just get reused with minor variations.

[T]he [University of North Carolina] researchers identified common techniques account holders used when they were required to change passwords. A password like “tarheels#1”, for instance (excluding the quotation marks) frequently became “tArheels#1” after the first change, “taRheels#1” on the second change and so on. […]

“The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” [FTC Chief Technologist Lorrie] Cranor explained. “They take their old passwords, they change it in some small way, and they come up with a new password.”

Once the UNC researchers had access to all of these transformations and were able to spot certain patterns, they figured out how to write algorithms that would predict the changes people make to their passwords. The algorithms were pretty on point.

In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.

At root, this is just more evidence that passwords are ultimately only as good as the password hygiene of the end user. If you are stuck in a situation where you have to change passwords frequently and can’t use a password manager to track each password, use a service such as Identity Safe to generate a strong new password each time. (You could also pay this awesome 12-year-old to roll dice for you to create secure passwords, which is a password method that is actually quite secure.) If you’ve been changing your passwords on a regular rotation but only modifying them slightly each time, knock it off. You’re just making things worse.

  • I couldn’t agree more. When will law firms realize that requiring frequent password changes is a detriment to security? We should all have access to encrypted password management programs!

    • Paul Spitz

      Or just go to biometric identification – retinal scans or DNA swabs – you just spit on your computer and it identifies you.

      • And when someone gets ahold of your fingerprint or DNA (neither of which is all that hard if someone wants it), how will you change your password?

        • Paul Spitz

          The circle of people with access to my eyeball, or fingertips, or saliva is a lot smaller than the universe of hackers trying to steal my password. That makes it a lot more personal than your typical hack – someone will need to be hacking you, and only you, deliberately. And therefore, it will be easier to find that person when it happens.

          • Yeah but once your DNA is compromised you can’t get it back.

            As others have pointed out, biometrics are fine as usernames, but they make terrible passwords.