
Should Mandatory Password Changes Be Relegated to the Past?

The practice of periodically changing passwords is an old trope, beaten into our heads over the last few decades by security experts of all stripes, ranging from tech writers, to the security team at your company, to thought leaders in the federal government. Their claims remain the same: choose a password that is long and complex, but memorable, and use a different password for every site or application you use. While most organizations still mandate that their employees change their passwords every 30, 60, 90, or more days, a small but growing group of dissenters is gaining ground against the practice. So, with opposition building, is your organization ready to end it?


How about if Microsoft joined the chorus of leaders recommending ending the practice?

In a blog post timed with the final release of the company’s “security configuration baseline settings” for version 1903 for Windows 10 and Windows Server, Microsoft employee Aaron Margosis noted that the company has dropped “password-expiration policies” from its security recommendations. Rather than relying on forcing end users to change their passwords periodically, Microsoft is shifting to recommendations such as creating a banned password list and/or implementing multi-factor authentication. The company notes that they “are not proposing changing requirements for minimum password length, history, or complexity” (emphasis in original).

Expanding the discussion, Dan Goodin states “the change of heart is largely the result of research that shows passwords are most prone to cracking when they’re easy for end users to remember.” This is the crux of the problem, as end users tend to default to patterns, regardless of how long or complex the password is. Given the sheer number of data breaches, many of the words people fall back on, like the names of their favorite sports team, are already included in hackers’ dictionaries, along with variations on those words. So, it doesn’t matter if you’re a “Y@nk335” or “R3dS0xx” fan, or even if you’re more creative (believe it or not, “qeadzcwrsfxv1331” is on a list…can you spot the pattern?): the password is already out in public.

What Makes a Good Password?

The best passwords are long and random, containing a mixture of upper- and lower-case letters, numbers, and symbols. If possible, they should not contain dictionary words. Basically, secure passwords require a level of randomness and complexity that humans struggle with. For example, here’s a good password that meets the criteria, created by a random password generator: _c3A*oFDw9eA2U?grsge3Bk)qu,adNuu. It’s 32 characters long, and since it contains no dictionary words or variations on them, a hacker would have to resort to brute force, which would take far too long to be worth their time.
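An added example, not from the article or from Microsoft’s baseline, of the two points above: a banned-password check that undoes the leet-speak substitutions behind “Y@nk335” and “R3dS0xx” before comparing against a banned list, and a character-set entropy estimate showing why the random 32-character string resists brute force. The banned list and the guess rate of 10^12 per second are constructed assumptions; a real deployment would load a breach-derived list.

```python
import math
import re

# Constructed banned-word list for illustration only.
BANNED_WORDS = {"yankees", "redsox", "password", "welcome", "letmein"}

# Common "leet" substitutions users apply to dictionary words.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions so variants collapse to the base word."""
    return password.lower().translate(LEET_MAP)


def banned_word_in(password: str, banned=BANNED_WORDS):
    """Return the banned word hidden in the password, or None if there is none.
    Substring matching catches padding such as 'R3dS0xx' or 'P@ssw0rd!'."""
    norm = normalize(password)
    return next((w for w in sorted(banned) if w in norm), None)


def charset_bits(password: str) -> float:
    """Upper bound on entropy for a *random* password drawn from the classes used.
    Meaningless for human-chosen passwords, which is the point: 'Y@nk335' scores
    about 46 bits by this measure yet falls to a dictionary instantly."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    size = sum(n for pat, n in classes if re.search(pat, password))
    return len(password) * math.log2(size) if size else 0.0


def years_to_brute_force(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years to exhaust the space at an assumed (constructed) guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["Y@nk335", "R3dS0xx", "_c3A*oFDw9eA2U?grsge3Bk)qu,adNuu"]:
        hit = banned_word_in(pw)
        bits = charset_bits(pw)
        if hit:
            print(f"{pw!r}: REJECT (variant of {hit!r})")
        else:
            years = years_to_brute_force(bits)
            print(f"{pw!r}: ok, ~{bits:.0f} bits, ~{years:.1e} years to brute-force")
```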

Security teams can’t expect their end users to have a memorized password of that complexity for each of their accounts. So, how do you ensure that end users at your organization practice good password hygiene? Here are a few quick solutions:

  1. Use a password manager. Password managers allow users to quickly generate unique, random passwords for all their accounts and store them locally on a device. An enterprise plan would allow users to sync their passwords across devices, in case they need to work remotely. They reduce the number of complicated passwords an end user must remember to one, rather than the potential dozens they previously had to remember.
  2. Set up multi-factor authentication. By requiring users to sign on with both a password and another means, such as a code texted to their phone or, even better, a physical authenticator like a YubiKey or Google Titan, you minimize the damage from a stolen or hacked password.
  3. Train end users to recognize phishing attacks. Most organizations that get breached succumb to phishing attacks, not hacked and stolen passwords. If a threat actor can convince an employee to click on a malicious link or download in an e-mail, they don’t need a password to get onto your network. Consider password security as a single piece of your total security platform.