- It's easy to install malware on a machine, so the new password will be sniffed just like the old.
- It costs more: frequent password changes result in more forgotten passwords and support desk calls.
- It irritates users, who will then feel less motivated to implement other security measures.
- Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...
They focus especially on the idea that consecutive passwords will be related, and build a system which could try a variety of transforms such as changing which letter was uppercase, duplicating letters/numbers/symbols, and even "leet" translation (e.g. raven becomes r@v3n). The implications of their results are fairly clear and potentially disturbing for those who thought password changing was providing extra security in the case of a breach:
- With offline attacks: "On average, roughly 41% of passwords can be broken from an old password in under 3 seconds."
- With online attacks: "An average of 13% of accounts can be broken (with certainty) in 5 online guesses, and 18% can be broken in 10 guesses."
- "As we expand our consideration to other types of transform trees, we would not be surprised to see these success rates jump significantly."
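As an added, defender-side illustration of the transform idea described above (this is example code, not from the paper or this post), here is a password-change check that rejects a new password when it is a cheap transform of the old one: both are canonicalised (lower-cased, a small assumed leet table reversed, appended digits/symbols dropped, repeated characters collapsed) and then only a small edit distance between them is tolerated. The leet table and the one-edit-per-four-characters budget are my assumptions, not values from the paper.

```python
"""Reject a new password that is only a trivial transform of the old one."""
import re
from math import ceil

# Assumed reversal table for common leet substitutions (not from the paper).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def canonical(pw: str) -> str:
    """Undo the cheap transforms: case changes, appended digits/symbols,
    leet substitution, and duplicated characters. Only letters survive."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)      # drop appended '2013', '!!', '-1' ...
    s = s.translate(LEET)               # r@v3n -> raven
    letters = [c for c in s if c.isalpha()]
    out = []                            # collapse runs: 'raaven' -> 'raven'
    for c in letters:
        if not out or out[-1] != c:
            out.append(c)
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is reachable from `old` by the transforms above,
    or lies within a small edit-distance budget after canonicalisation."""
    a, b = canonical(old), canonical(new)
    if not a or not b:                  # all-digit/symbol passwords: compare raw
        return old.lower() == new.lower()
    if a == b:
        return True
    budget = ceil(max(len(a), len(b)) / 4)   # assumed: one edit per 4 letters
    return levenshtein(a, b) <= budget
```

A password-change handler would call `is_trivial_variant(previous, candidate)` and refuse the candidate when it returns True; the check never needs to enumerate variants of the old password.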