In a world where cybersecurity threats loom large, the strategies to keep data safe have evolved significantly. Until recently, the forced periodic password change was a mainstay in many security policies. However, emerging evidence and expert opinion suggest it’s time for a significant policy shift. The US may be on the brink of officially discarding this antiquated practice.
Negative Impact on Security
Requiring users to update passwords at regular intervals was initially thought to bolster security. The intention was to limit the duration a compromised password could be useful to a cyber attacker. Ironically, this well-meaning tactic often undermines security. Users frequently adopt predictable patterns, making slight modifications to existing passwords. This behavior translates into passwords that are easier to guess. For example, password123 becomes password1234, which isn’t much harder for hackers to crack.
The protection a password provides depends on its unpredictability. Unfortunately, forced changes lead users to make minor, and therefore predictable, variations rather than choosing a strong, novel password each time.
User Behavior
Even more alarming, the frequent imposition of password changes often leads users to choose initially weaker passwords. Knowing they will have to update soon, users may prioritize ease of recall and speed of entry, rather than complexity and robustness. They might rely on simplistic modifications, such as appending a special character at the end or increasing a numerical suffix by one. This predictability benefits not the user, but potential attackers.
Expert and Organizational Consensus
Leading voices in cybersecurity have long recognized these drawbacks. Two of the most prominent entities, Microsoft and the US National Institute of Standards and Technology (NIST), have updated their guidelines accordingly. Microsoft, for instance, no longer recommends periodic password changes. They’ve labeled this practice as an “ancient and obsolete mitigation of very low value.”
NIST echoes this sentiment in its Digital Identity Guidelines, stating, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”
Alternative Security Measures
Given these findings, what should replace the outdated forced password change? Here are the recommended alternatives:
- Strong, Unique Passwords: Users should be encouraged to create long, complex passwords that aren’t reused across multiple sites.
- Multi-Factor Authentication (MFA): Adding an extra layer of security, such as a code sent to a smartphone, significantly boosts protection.
- Monitoring for Compromised Passwords: Implement systems to detect when passwords have been compromised and prompt users to change them only in these instances.
- Slow Hash Functions: Store passwords with deliberately slow, salted hash functions so that cracking a stolen password database en masse becomes prohibitively expensive.
- Banned Password Lists: Prevent users from choosing commonly used or compromised passwords by maintaining an updated list of such passwords.
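The following is an added example, not code from the article or from Microsoft or NIST, showing how three of these measures fit together in a password-change handler: a banned-password list, a check that rejects the predictable variations described above (such as password123 becoming password1234), and a slow salted hash for storage. The banned list, the 12-character minimum and the scrypt parameters are constructed assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed sample of a banned list; a real deployment would load a large,
# regularly refreshed list of common and breached passwords instead.
BANNED = {"password", "password123", "qwerty", "letmein", "123456"}
MIN_LENGTH = 12                           # assumed policy value, not from the article
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)   # deliberately slow, about 16 MiB per hash


def core_word(pw: str) -> str:
    """Drop trailing digits/symbols and lowercase: 'Password123!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_trivial_variation(old: str, new: str) -> bool:
    """True when 'new' is only a minor edit of 'old' (bumped suffix, added symbol)."""
    o, n = old.lower(), new.lower()
    if o.startswith(n) or n.startswith(o):
        return True                                # password123 -> password1234
    core_o, core_n = core_word(old), core_word(new)
    return bool(core_o) and core_o == core_n       # Summer2023! -> Summer2024!


def check_new_password(old: Optional[str], new: str) -> list:
    """Return the policy violations for a proposed password; [] means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in BANNED or core_word(new) in BANNED:
        problems.append("on the banned password list")
    if old is not None and is_trivial_variation(old, new):
        problems.append("trivial variation of the previous password")
    return problems


def hash_password(pw: str) -> bytes:
    """Salted scrypt digest; the 16-byte salt is stored in front of the digest."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_password(pw: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(pw.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)
```

The variation check only works at change time, when the user has just supplied the old password; it is not a reason to keep plaintext or reversible copies of old passwords.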
Practical Consequences
Beyond the technical ramifications, the enforced changing of passwords has equally problematic practical consequences. There’s a higher chance users will write down their passwords to remember them, especially when they are required to frequently change them. This can result in passwords being stored insecurely, such as in a desk drawer or on a sticky note attached to a monitor.
Additionally, frequent password changes can lead to user frustration. Employees may waste time dealing with password resets, potentially lowering overall productivity. Rather than mitigating risk, this approach contributes to it by alienating users from best security practices.
In summary, both historical evidence and current expert consensus reveal that mandatory password changes do more harm than good. As the US considers updating its policies, this shift represents a significant win for security best practices, aligning with the growing understanding that smarter, not more frequent, is the way to manage passwords. The industry is moving towards methods that genuinely enhance security without contributing to user error and frustration.
FAQ
Why were periodic password changes initially recommended?
Periodic password changes were initially recommended to limit the time an attacker could use a stolen password and to force a reset of potentially compromised credentials.
What are the risks of forced password changes?
Forced password changes can lead to predictable patterns in password selection, weaker initial passwords, and insecure practices such as writing down passwords.
What do experts recommend instead of frequent password changes?
Experts advocate for the use of strong, unique passwords, multi-factor authentication, monitoring for compromised passwords, slow hash functions, and banned password lists.
Who has advised against mandatory password changes?
Both Microsoft and the US National Institute of Standards and Technology (NIST) have advised against mandatory password changes, calling the practice obsolete and counterproductive.
How can I create a strong password?
A strong password should be long, contain a mix of letters (both uppercase and lowercase), numbers, and special characters, and it should not be reused across multiple accounts.
Mandatory password changes are quickly becoming a relic of the past as the cybersecurity landscape evolves towards more effective practices. Keep up with these changes to ensure your digital security remains robust and user-friendly.