Frequent password changes don’t necessarily improve security

Lorrie Cranor, chief technologist at the US Federal Trade Commission, recently made news by warning that frequent password changes may actually reduce security.

This does not mean that you should stop changing your passwords. Cranor is referring to the enforced password change policy in place at many organizations. When users are forced to change their passwords at regular intervals (e.g. every 60 days), they tend to fall back on predictable patterns, such as incrementing a number at the end of the previous password.

Related research shows that once these common patterns are taken into account, password cracking success rates increase markedly. You can be sure that the people writing password cracking software know about this as well.

When you change your passwords (whether enforced or not), don’t use a simple variation of the previous password. Instead, think of an entirely new one, or use one of the many excellent password database programs and services to generate one.
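One way an organization's change-password handler could enforce that advice is to reject a new password that is only a simple variation of the old one. The following is an added example, not code from this post or from any particular product; the function names, the similarity threshold, and the sample password pairs are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Leading/trailing runs of digits and symbols, e.g. the "2023!" in
# "Summer2023!". Rotation patterns usually live here, so stripping them
# exposes the unchanged "core" word.
_EDGE_NONLETTERS = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")

def core_word(password: str) -> str:
    """Lower-case the password and drop leading/trailing digits and symbols."""
    return _EDGE_NONLETTERS.sub("", password).lower()

def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """Return True if `new` is a simple variant of `old` that a rotation
    policy should reject. Two case-insensitive checks:
      1. same core word once edge digits/symbols are removed
         ("Summer2023!" -> "Summer2024!", "Welcome7" -> "7Welcome");
      2. overall edit similarity at or above `threshold`, which catches a
         single inserted or changed character anywhere in the string.
    The 0.8 threshold is a hypothetical tuning value chosen for this example.
    """
    if old.lower() == new.lower():
        return True
    old_core, new_core = core_word(old), core_word(new)
    if old_core and old_core == new_core:
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold

def check_rotation(old: str, new: str) -> str:
    """Turn the check into the decision a change-password handler would return."""
    if is_trivial_variation(old, new):
        return "rejected: new password is a simple variation of the previous one"
    return "accepted"

# Constructed sample pairs for demonstration; not real credentials.
SAMPLE_PAIRS = [
    ("Summer2023!", "Summer2024!"),            # incremented year
    ("Password1", "password2"),                # incremented digit plus case change
    ("Welcome7", "7Welcome"),                  # digit moved to the front
    ("MyDogRex2019", "MyDogRexx2019"),         # one inserted letter
    ("123456", "123457"),                      # all-digit PIN, no core word
    ("Summer2023!", "Tulip-Mango-Harbor-7"),   # genuinely new passphrase
]

if __name__ == "__main__":
    for old, new in SAMPLE_PAIRS:
        print(f"{old!r} -> {new!r}: {check_rotation(old, new)}")
```

Only the last pair is accepted; the others are rejected either by the core-word comparison or by the similarity ratio.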

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
