Why Password Change Requirements are Bad
Is your password policy to change passwords every so often? Every 90 days? According to NIST, the FTC, Microsoft, and other leading organizations, required password changes might be a bad idea for both security and convenience. Forced password changes were not a bad idea in principle. But relying on end users to frequently change their passwords undermines the whole scheme: people choose easily guessable passwords and abandon good password habits.
NIST recommends not forcing password changes.
Check this out from NIST Special Publication 800-63B, Section 5.1.1.2, Memorized Secret Verifiers:
“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
So, the new rules for required password changes:
- Use strong passwords that are hard to guess.
- Do not expire the password.
- Only change the password when there is evidence of risk.
Human risk management.
People will begrudgingly change their passwords to something similar to the previous one. Most of the time, they just add a number or two to the end of the previous password. According to research from UNC, in “17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses.”
Since people have proven untrustworthy in the art of password discipline and cyber hygiene, IT admins should enforce strong passwords on end users and use a password manager to change passwords for end users with just a few clicks. Tens of thousands of passwords across thousands of users can now be managed differently. Fortunately, the new recommendations from these organizations favor the IT admins.
Microsoft dropped password-expiration.
Microsoft finally got rid of the very annoying password expiration requirement. Now, passwords don’t have to expire. Microsoft’s guidance describes “Dropping the password-expiration policies that require periodic password changes.” According to Microsoft, new scientific research questions the long-standing password expiration policy. Instead, better alternatives include “enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication.” If Microsoft is no longer requiring passwords to expire, why would any IT manager who runs Microsoft systems?
The Federal Trade Commission agrees: “Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.” The FTC now believes that enforcing strong passwords that users will use for a long time is more secure than password expiration policies. The problem is that users will keep reusing weak variants of old passwords (that may already have been or will be compromised).
In conclusion, the password reset requirement is annoying to everyone involved, and forcing password changes is not as effective for cyber security as once believed. Therefore, IT admins can begin transitioning from frequent password resets to fewer of them, or, even better, to resets on a needs basis only. Reduce password reset frequency and increase password strength. Then use a password manager to drastically reduce the work needed to maintain all corporate passwords. Forget password expiration; rely on strong passwords with MFA.