Normally we expect the tips provided by the FBI to be efficient, but a tweet published recently by them made many security researchers think what’s wrong with FBI ? and who is behind these posts.
Specifically, the FBI tweeted on November 25 a piece of advice that’s supposed to help people stay secure during the holiday shopping season when cybercriminals are also very busy trying to steal our information.
“Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently,” the FBI posted.
And while keeping accounts secure and using strong passwords are indeed good recommendations, it’s the last part that caused controversy. Changing passwords frequently has been often described as bad practice, especially because doing this repeatedly can eventually lead to users turning to easy-to-remember passwords that can be quickly compromised by hackers.
Furthermore, it’s been proved that corporations forcing their employees to change their passwords on a frequent basis are actually more exposed because of the same reasons: workers end up using simpler passwords that are easier to remember, and this can’t lead to anything good.
Security experts have questioned FBI’s tweets, and one of those who recommended exactly the opposite is Per Thorsheim, who founded his own password conference to discuss the importance of passwords.
In a statement for Motherboard, Thorsheim explained that changing passwords frequently is a thing that you shouldn’t do and there are other ways to remain secure online.
“I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea,” he said.
“While I don’t know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI.”
So how exactly can you protect yourself online without actually changing passwords frequently? The easiest way to do this is to use a password manager that can help generate complex passwords that are difficult to compromise. Furthermore, make sure you enable two-factor authentication whenever it’s possible, and avoid using the same password for more than a service.
