Passwords were often compared to pants (or underwear) to emphasise the importance of keeping them private and secure. The analogy goes something like this:
1. Change them regularly: Just like you change your pants regularly, it was advised to change your passwords frequently to maintain security.
2. Keep them private: Just as you wouldn’t share your pants with others, you shouldn’t share your passwords.
3. Don’t leave them lying around: Just as you wouldn’t leave your pants out in public, you shouldn’t leave your passwords written down where others can find them.
This analogy was a simple and memorable way to convey good password practices to users.
However, the advice on changing passwords regularly has evolved, with current best practices focusing more on strong, unique passwords and additional security measures like multi-factor authentication (MFA).
Whilst points 2 and 3 remain great pieces of advice, point 1 is no longer recommended.
The Case for Changing Passwords Only When Necessary
In the realm of cybersecurity, the debate over password management practices is ongoing. One of the most contentious issues is whether passwords should be changed regularly or only when necessary.
Recent insights from leading tech companies like Microsoft and Google, as well as authoritative bodies like the National Cyber Security Centre (NCSC), suggest that the latter approach may be more effective.
This article explores why passwords should only be changed when first issued and if there is evidence of compromise.
The Traditional Approach: Regular Password Changes
For years, the conventional wisdom has been to mandate regular password changes, typically every 30, 60, or 90 days.
This practice was believed to enhance security by reducing the window of opportunity for attackers to exploit stolen credentials.
However, this approach has significant drawbacks.
The Drawbacks of Frequent Password Changes
Weaker Passwords: Frequent changes often lead users to create simpler, more predictable passwords.
According to Microsoft, this practice can result in passwords like 'l0ngw0rd1' being changed to 'l0ngw0rd2' and so on, which are easier for attackers to guess.
Users who are presented with the frustrating reminder to change a password while under time pressure often create a new weak password, intending to replace it with a stronger one later, and then never return to do so.
User Frustration: Regularly changing passwords is a source of frustration for users, leading to poor password practices such as writing them down or reusing passwords across multiple accounts.
Minimal Security Benefit: The NCSC points out that if a password is strong and has not been compromised, changing it regularly offers little additional security benefit. Instead, the focus should be on creating strong, unique passwords and protecting them effectively.
The Modern Approach: Change When Necessary
Leading tech companies and cybersecurity experts now advocate for changing passwords only when necessary—specifically, when they are first issued and if there is evidence of compromise.
Microsoft’s Stance: Microsoft has been vocal about the ineffectiveness of mandatory password changes. Aaron Margosis, a principal consultant at Microsoft, described the practice as ‘ancient and obsolete.’
Microsoft recommends removing periodic password changes from security baseline settings, arguing that they provide minimal value and can even be counterproductive.
Google’s Perspective: Google also supports this approach. The company emphasises the importance of strong, unique passwords and the use of MFA over frequent password changes.
Google’s security team highlights that MFA significantly reduces the risk of account compromise, making frequent password changes less critical.
NCSC Guidelines: The NCSC advises against regular password changes unless there is evidence of compromise. They recommend focusing on password strength and the use of additional security measures like MFA.
The NCSC states that frequent changes can lead to predictable patterns, which attackers can exploit.
The Benefits of Changing Passwords Only When Necessary
Stronger Passwords: By not requiring frequent changes, users are more likely to create and remember strong, unique passwords. This reduces the risk of predictable patterns and enhances overall security.
Reduced User Frustration: Allowing users to keep their passwords for longer periods reduces frustration and the likelihood of poor password practices. This can lead to better overall security hygiene.
Focus on Real Threats: Changing passwords only when necessary allows organisations to focus their resources on more effective security measures, such as monitoring for threats and password compromises, and implementing MFA.
Implementing the Modern Approach
To adopt this modern approach, organisations should:
Educate Users: Inform users about the importance of strong, unique passwords and the reasons behind the change in policy.
Implement MFA: Enforce the use of MFA to add an extra layer of security.
Monitor for Password Compromises: Regularly monitor for signs of compromise and act swiftly if password compromise is detected.
Use Password Managers: Promote the use of password managers to help users create and store strong, unique passwords without the need to remember them all.
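The two points above that a password-change routine can actually enforce are that a change is required only on first issue or on evidence of compromise (not on age), and that a replacement must not be a predictable rotation of the old password such as 'l0ngw0rd1' becoming 'l0ngw0rd2'. The following is an added example, not the article's or any vendor's code; the 12-character minimum, the leet-substitution map and the 5-character base-word threshold are assumptions chosen for illustration.

```python
"""Password-change checks in the spirit of the article (added example):
a change is *required* only on first issue or evidence of compromise,
never because of age, and a replacement must not be a predictable
rotation of the old password ('l0ngw0rd1' -> 'l0ngw0rd2')."""
import re

MIN_LENGTH = 12  # assumed policy minimum; the article gives no figure
# Assumed map of common digit/symbol substitutions users keep between rotations
LEET = str.maketrans("0134$@!", "oleasai")


def change_required(first_issue: bool, compromised: bool, age_days: int = 0) -> bool:
    """Modern policy: only first issue or compromise forces a change.
    age_days is accepted to mirror the legacy 30/60/90-day rule but is never consulted."""
    return first_issue or compromised


def core(pw: str) -> str:
    """Reduce a password to the base word users carry between rotations:
    drop leading/trailing digits and symbols, lower-case, undo leet spelling."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return stripped.lower().translate(LEET)


def is_predictable_variant(old: str, new: str) -> bool:
    """True when 'new' is the kind of increment or suffix tweak the NCSC warns about."""
    if new.lower() == old.lower():          # case-only change
        return True
    a, b = core(old), core(new)
    if not a or not b:                      # all-digit/symbol passwords have no base word
        return False
    shorter, longer = sorted((a, b), key=len)
    # Same base word, or one base word embedded in the other ('longword' -> 'longword-spring');
    # the 5-character threshold is an assumption to avoid matching on tiny fragments
    return len(shorter) >= 5 and shorter in longer


def validate_new_password(old: str, new: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed replacement password."""
    if is_predictable_variant(old, new):
        return False, "predictable variant of the previous password"
    if len(new) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    print(change_required(False, False, age_days=95))  # False: age alone is not a reason
    print(validate_new_password("l0ngw0rd1", "l0ngw0rd2"))
    print(validate_new_password("l0ngw0rd1", "correct-horse-battery-staple"))
```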
Conclusion
The shift from frequent password changes to changing passwords only when necessary is supported by leading tech companies and cybersecurity experts. By focusing on strong, unique passwords and implementing additional security measures like MFA, organisations can enhance their security posture while reducing user frustration. As Microsoft, Google, and the NCSC have highlighted, this modern approach is more effective in protecting against today’s sophisticated cyber threats.
UKDataSecure are experts in creating password policies and simplifying password management for organisations of all sizes, from technology and financial start-ups to multinational companies and everything in between.
For more information please visit - Services | UKDataSecure | England
To chat with our Principal Password Consultant book a chat here - https://bit.ly/ukdsbookachat
We look forward to speaking to you and supporting your cybersecurity journey very soon.
Stuart Golding - Principal Password Consultant