FBI Tells Users to Change Passwords Frequently, Experts Say This Is Bad Advice

FBI takes to Twitter to post security tips
You’d normally expect the FBI to provide us with the most effective security tips, but a tweet published recently by the Bureau made many security experts raise their eyebrows and wonder who is actually behind these posts.

Specifically, on November 25 the FBI tweeted a piece of advice that’s supposed to help people stay secure during the holiday shopping season, when cybercriminals are also very busy trying to steal our information.

“Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently,” the FBI posted.

And while keeping accounts secure and using strong passwords are indeed good recommendations, it’s the last part that caused controversy. Changing passwords frequently has often been described as bad practice, especially because doing it repeatedly can eventually lead to users turning to easy-to-remember passwords that can be quickly compromised by hackers.

Furthermore, it’s been proved that corporations forcing their employees to change their passwords on a frequent basis are actually more exposed, for the same reason: workers end up using simpler passwords that are easier to remember, and this can’t lead to anything good.

Security experts: Nope

Security experts have questioned the FBI’s tweet, and one of those who recommend exactly the opposite is Per Thorsheim, who founded his own password conference to discuss the importance of passwords.

In a statement for Motherboard, Thorsheim explained that changing passwords frequently is something you shouldn’t do, and that there are other ways to remain secure online.

“I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea,” he said.

“While I don't know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI.”

So how exactly can you protect yourself online without changing passwords frequently? The easiest way is to use a password manager that can generate complex passwords that are difficult to compromise. Furthermore, make sure you enable two-factor authentication whenever possible, and avoid using the same password for more than one service.