If you were to take a poll of users, you would probably find that an overwhelming majority do not like password expiration, which requires users to change their passwords after a set period of time such as 60 days. (But if you are frustrated because you have to change your password every 60 days, I read of someone who said a previous employer forced users to change their password every 15 days!) Recently the tide has been turning against password expiration, and in some organizations it is now being phased out.
What is the rationale behind password expiration in the first place? Who is recommending that password expiration be dropped? Why are they recommending this? And is it a good step?
The rationale for password expiration is obvious: if a user's password is stolen but the victim does not know it, the thief can only use that password for a limited amount of time until it expires.
In order to set a basic standard for security, Microsoft has for several years published a security baseline configuration of system policies. Last week (Apr 24 2019) a draft of the Security baseline for Windows 10 v1903 and Windows Server v1903 was released. One of the recommended changes is that password expiration be dropped, so that users would no longer be required to change their passwords regularly.
But Microsoft is not the first organization to recommend dropping password expiration. Back in 2017 guidelines released by the National Institute of Standards and Technology (NIST) recommended that password expiration should no longer be used.
However, not everyone is on board with dropping password expiration. The Payment Card Industry (PCI) still requires that merchants and other providers change their passwords every 90 days.
There are several reasons given for dropping password expiration.
With newer security measures now in place, password expiration is not considered as important as it once was. Many systems show you when you last logged in (or let you look it up), so you would notice if somebody other than you logged in yesterday when your own last login was a week ago. The spreading popularity of multifactor authentication, better known as two factor authentication or 2FA, can also limit the impact of password theft. With 2FA you typically receive a text message, email, or smartphone app prompt asking you to verify that you indeed have just tried to log in, so if someone else has stolen your password and is trying to use it, you will know immediately.
Another reason for the change is research showing that password expiration just does not work. Why? Because users rely on their memory to store passwords and are frustrated with having to constantly memorize new ones. Other password policies combine with password expiration to make users even more frustrated. Many systems are set up to prevent password reuse, or "recycling" of previously-used passwords (a standard recommendation is that a previously-used password can only be recycled after 24 new passwords have been used). Another password setting requires users to keep a new password for a minimum amount of time (such as one day), so that they cannot keep resetting their password in rapid succession to cycle through 24 new passwords and get back to their expired one.
Password expiration usually forces users to take drastic steps to remember their passwords. They write the new password down on a sticky note and affix it to their computer monitor, or create a new password that is easy to remember but equally easy for an attacker to guess, or store the password in a file labeled "Passwords," or any number of other things that make it easy for an attacker to obtain the password and compromise security.
So, password expiration actually decreases security instead of increasing it.
Is dropping password expiration a good step?
It probably is, if it prevents you from compromising security (like writing down your current password on a sticky note) and if you are using 2FA to know when someone is trying to use your password.
However, some security professionals are calling for a modified form of password expiration. Because long passwords are more secure than short passwords, even complex ones, some advocate that the length of the password should dictate its expiration. A user who creates and uses a 30-character password would not have to change that password for 2 years. A password that is 15-25 characters in length would expire annually, while a password of fewer than 15 characters would have to be reset every 90 days. One company that tried this approach found that calls to their helpdesk for password resets declined by 70 percent, so there may be some merit here.
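The policy rules described above, as an added illustration that is not part of the original post: the length-tiered expiry (90 days, one year, two years), the one-day minimum age and the 24-password history from the earlier paragraph, combined into one small evaluator. The post does not say which tier covers 26-29 characters, so that gap is handled by an assumption noted in the code; the names and the sample dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from hashlib import sha256

PCI_MAX_AGE_DAYS = 90   # fixed 90-day rotation the post attributes to PCI
MIN_AGE_DAYS = 1        # a new password must be kept at least this long
HISTORY_DEPTH = 24      # number of previous passwords that may not be recycled


def max_age_days(length: int) -> int:
    """Length-tiered expiry from the post: under 15 chars -> 90 days,
    15-25 -> one year, 30 chars -> two years.  The text does not say
    what happens at 26-29 chars; this example (an assumption) keeps
    them in the annual tier."""
    if length >= 30:
        return 730
    if length >= 15:
        return 365
    return PCI_MAX_AGE_DAYS


def fingerprint(password: str) -> str:
    # Unsalted SHA-256 is only a compact stand-in for the example; a real
    # history store keeps proper password hashes (bcrypt, scrypt, Argon2).
    return sha256(password.encode()).hexdigest()


@dataclass
class PasswordRecord:
    length: int              # length of the current password
    last_changed: date
    history: list = field(default_factory=list)  # fingerprints, oldest first

    def days_until_expiry(self, today: date) -> int:
        return max_age_days(self.length) - (today - self.last_changed).days

    def is_expired(self, today: date) -> bool:
        return self.days_until_expiry(today) <= 0

    def change_allowed(self, new_password: str, today: date) -> tuple:
        """Apply the minimum-age and history rules to a change request."""
        if (today - self.last_changed).days < MIN_AGE_DAYS:
            return False, "minimum password age not reached"
        if fingerprint(new_password) in self.history[-HISTORY_DEPTH:]:
            return False, "password used within the last %d changes" % HISTORY_DEPTH
        return True, "ok"

    def apply_change(self, new_password: str, today: date) -> None:
        self.history.append(fingerprint(new_password))
        self.length, self.last_changed = len(new_password), today
```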
But the real solution to good passwords is not dropping password expiration. The solution is to use a password manager to store and retrieve your passwords. That way it doesn't matter if you have to create and use a new password every 60 days, because you're not relying on your memory but are instead using technology to keep your passwords safe. You could change your passwords every day and still have strong passwords that are easy to retrieve.
So, whether or not your organization drops password expiration, you should still use a password manager. It's the smartest thing to do.