The FBI Is Wrongly Telling People To Change Passwords 'Frequently'
It seems like everyone these days is a little bit paranoid about getting hacked. That's good, up to a point: there's no need for paranoia, but it is good to be aware of the risks and take easy, reasonable, common-sense precautions.
As more people are worried about their online accounts, however, there's also been an influx of awful advice on how to stay secure on the internet. Today, we'd like to indict the Federal Bureau of Investigation for terrible security advice.
"Shopping online this holiday season?" the FBI wrote on its official Twitter account on Friday. "Keep your accounts secure, use strong passwords & change them frequently."
As countless experts in cybersecurity and password practices—and even the British spy agency GCHQ—have said many times, changing passwords frequently for the hell of it, or even worse, forcing users to change passwords frequently as a company policy, is just a terrible idea.
When someone does that, or is forced to do that, he or she usually ends up creating bad, easy-to-guess passwords, completely defeating the purpose. The typical "new" password is the old one with a digit bumped, a year rolled forward, or a symbol swapped, which anyone who knows the old one can guess in a handful of tries.
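To make the point concrete, here is an added example (not code from the article or from anyone quoted in it) that models the small set of edits people apply to a password when a rotation policy forces a change, and shows that a successor password is trivially derivable from its predecessor. The sample passwords, the list of seasons and the symbol-shift table are constructed assumptions for illustration, not data from the page.

```python
import re

# Constructed assumptions: patterns users commonly fall back on under forced rotation.
SEASONS = ["Spring", "Summer", "Autumn", "Fall", "Winter"]
SYMBOL_SWAPS = {"!": "@", "@": "#", "#": "$", "$": "%"}
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)(\W*)$")


def transform_guesses(old: str) -> list:
    """Derive likely successor passwords from a known previous one.

    Models the edits a user makes to satisfy "change your password":
    bump the trailing number (also rolls a year forward), move to the
    next season, shift the trailing symbol, or append a digit/symbol
    when there was none. Returns unique guesses, most likely first.
    """
    guesses = []

    def add(candidate: str) -> None:
        if candidate != old and candidate not in guesses:
            guesses.append(candidate)

    # Base forms: the old password itself, plus a "next season" variant if it
    # starts with a season name (Winter2016! -> Spring2016!).
    bases = [old]
    for i, season in enumerate(SEASONS):
        if old.startswith(season):
            bases.append(SEASONS[(i + 1) % len(SEASONS)] + old[len(season):])

    for base in bases:
        match = _TRAILING_NUMBER.match(base)
        if match:
            stem, number, tail = match.groups()
            # Bump the number by 1..3, keeping zero-padding width (2016 -> 2017).
            for k in (1, 2, 3):
                add(f"{stem}{int(number) + k:0{len(number)}d}{tail}")
        else:
            # No number to bump: users usually append one, or a symbol.
            add(base + "1")
            add(base + "!")
        # Shift the trailing symbol (! -> @) if there is one.
        if base and base[-1] in SYMBOL_SWAPS:
            add(base[:-1] + SYMBOL_SWAPS[base[-1]])
        # The season-only change is itself a guess.
        add(base)

    return guesses


def successor_is_guessable(old: str, new: str) -> bool:
    """True if the new password falls within the transform guesses of the old one."""
    return new in transform_guesses(old)


if __name__ == "__main__":
    # Constructed sample: a "rotated" password of the kind the policy produces.
    old_pw = "Winter2016!"
    for guess in transform_guesses(old_pw):
        print(guess)
    # A password manager's random output shares nothing with the old one.
    print(successor_is_guessable(old_pw, "Winter2017!"))   # True
    print(successor_is_guessable(old_pw, "vX9#qL2m$Tz7&wRb"))  # False
```

Run against a real leaked password list, the same few transforms recover a large share of "new" passwords, which is why rotation on its own buys little against an attacker who already has an old credential.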
"I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea," Per Thorsheim, the founder of the first-ever conference dedicated to passwords, told Motherboard in an online chat. "While I don't know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI."
Far better advice would be to tell people to use a password manager, so that they can have a unique, strong password for each and every one of their accounts, and to turn on two-factor authentication, which adds another layer of security so that even if someone steals or guesses a password, they still can't get in.
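The two recommendations above, as an added example that is not part of the original article: the first function does what a password manager does when it generates a credential (a long random password from the OS's cryptographic random source, unique per site); the second set implements the time-based one-time codes (RFC 6238 TOTP, built on RFC 4226 HOTP) behind most "authenticator app" second factors and checks a submitted code with constant-time comparison. The shared secret used in the demonstration is the 20-byte ASCII test key from RFC 4226/6238, included here so the output can be checked against the published vectors; the site list is a constructed example.

```python
import hashlib
import hmac
import secrets
import string
import struct
import time

# --- What a password manager does: unique, random, strong secrets per site ---

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), not random.random()."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def build_vault(sites) -> dict:
    """One independent password per site, so a breach at one does not reuse elsewhere."""
    return {site: generate_password() for site in sites}


# --- What an authenticator app does: HOTP (RFC 4226) and TOTP (RFC 6238) ---

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the current 30-second window."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, submitted: str, at_time: float = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift.

    compare_digest keeps the comparison constant-time; a plain == would leak
    how many leading digits matched via timing.
    """
    now = time.time() if at_time is None else at_time
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(key, counter + d), submitted)
        for d in range(-window, window + 1)
    )


# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    vault = build_vault(["bank.example", "shop.example", "mail.example"])  # constructed sites
    for site, pw in vault.items():
        print(f"{site}: {pw}")
    # Published vectors: HOTP counter 0 -> 755224, TOTP at t=59 -> 287082.
    print(hotp(RFC_TEST_KEY, 0), totp(RFC_TEST_KEY, 59))
    print(verify_totp(RFC_TEST_KEY, "287082", at_time=59))
```

Even if an attacker phishes or guesses the password, logging in still requires a code derived from a secret that never leaves the authenticator and the server, and each code is only valid for one short window.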
Given that the FBI is great at hacking people, they should probably know better.