Any kind of policies you rely on should be based on a sound understanding of risks, vulnerabilities, and defenses. “Best practice” is intended as a default policy for those who lack the data, resources, funding or training to do their own risk assessments to define their own standards. Regular password change is a long-standing security practice. It was designed to periodically lock out unauthorized users who had learned users’ passwords. Some security experts began questioning the wisdom in enforcing regular password change over a decade ago. However, it is only in the last few years that published research provided evidence that this practice may indeed be less beneficial than previously thought. And even retrogressive.
So how often should you change your passwords?
So today’s million-dollar question is, how often should you change your passwords?
Conventional wisdom held that you should change your passwords regularly, typically every few months; for instance, at least every three months. For years, this was the recommendation given by many cyber security experts. The rationale was that if a password is compromised, the time that an attacker has unauthorized access to the compromised account will not be indefinite.
While this notion sounds sensible, over time, security experts have changed their views on the matter. In 2017, the National Institute of Standards and Technology (NIST) released Digital Identity Guidelines that changed the password security game.
There is really no need to change your password regularly. You just need to put in the time and effort to ensure the password you create is strong and unique. In addition, using multi-factor authentication is highly advisable as an additional measure to secure your account.
When users are forced to make password changes, few will make stronger passwords. They will tend to change them in predictable ways that are more easily compromised by attackers. For example, a password that had “P@$$w0rd” becomes P@$$w0rd1, and so on.
Important note: Even where a password has been compromised, changing the password alone may be ineffective. It is essential to take other steps to secure the account to prevent recurrent compromise.
Even Microsoft Agrees
Microsoft termed periodic password expiration settings as an “ancient and obsolete mitigation of very low value.”
It proceeds to say:
What to do instead of Changing Your Password Frequently
Instead of forcing frequent password changes, we recommend the following:
- Create a strong, long and unique password.
- Do not write down or share your password with anyone.
- Do not save your passwords on any browsers, especially when accessing your email or accounts on public computers.
- Wherever possible, use multi-factor authentication. Multi-factor authentication adds extra protection so that even if your password is compromised, the attacker will not automatically access your account.
- If you suspect that your account has been hacked, change your password immediately – do not wait for a prescribed number of days. Mandatory password changes provide little security benefit after a password breach has already occurred.
If you are an administrator, consider championing the development and adoption of security strategies for your company like:
- Set policies to lock accounts after multiple failed login attempts to minimize chances of successful brute force attacks and password cracking. Brute force and password cracking methods have to run multiple password combinations in an attempt to gain unauthorized access.
- Use technology to disallow setting passwords that are commonly used and known/already-compromised.
- Implementing additional layers of security to enhance system and user account security, including gateway and end-point security and a good email security solution. Get in touch with us for more information on our advanced email security service or…
NB: This list is a baseline and should not be considered an exhaustive checklist. Adopt your own security strategy based on a risk assessment of your environment.