Mandatory Password Changes – A Good Idea?

For a decade the feds recommended frequent password changes. A couple of years ago NIST changed their mind and said it was the worst recommendation they ever made. Still a lot of companies and regulators require frequent password changes. Is that a good idea?

Microsoft used to recommend frequent password changes. Their current guidance:

According to Microsoft, requiring users to change their passwords frequently does more harm than good.

Humans are notoriously resistant to change. When a user is forced to change their password, they will often come up with a new password that is based on their previous password. A user might, for example, append a number to the end of their password and then increment that number each time that a password is required. Similarly, if monthly password changes are required, a user might incorporate the name of a month into the password and then change the month every time a password change is required (for example, MyM@rchP@ssw0rd).

Again, people are creatures of habit:

What is even more disturbing is that studies have proven that it is often possible to guess a user’s current password if you know their previous password. In one such study, researchers found that they were able to guess 41% of users’ current passwords within three seconds if they knew the user’s previous password.

On the other hand, Larry Ponemon says that it takes, on average, 207 days to identify a breach. If you don’t make users change passwords, then the bad guys have access for that long. If you make users change passwords every 90 days, then maybe you limit that access.

Of course, if you require two factor authentication and you do that robustly, knowing someone’s password isn’t that helpful.

So what should you do? Fix the underlying problems:

  • Make users choose strong passwords
  • Use password managers
  • Check selected passwords against a compromised password list
  • Implement a self service password reset solution
  • Implement multifactor authentication

So there is no good or bad answer; it is a business risk decision. Personally, I think that if you implement the items listed above, you can reduce password change frequency safely.

On the other hand, if you have a regulator who says you have to change passwords, then you really don’t have a choice, but that is a small minority. Credit: Hacker News
