Password expiration notifications are typically met with groans from users. No one wants to trade a familiar password that they can input from muscle memory for one that they have to think up and memorize. But the good news is, many companies are doing away with mandatory password expiration policies, as these policies are no longer necessary or even recommended under today’s cybersecurity best practices.
The History of Password Expirations
Traditionally, most organizations had mandatory expiration policies that required employees or other users to change their passwords every 60 or 90 days. This practice was based on the widely accepted belief that it would take the average computer about 90 days to crack the average password. However, with modern technology, including AI, weak passwords can now be cracked in seconds, and threat actors act immediately to exploit stolen passwords, rendering periodic password expiration policies ineffective.
The Case Against Password Expiration
Several organizations, including Microsoft and the National Institute of Standards and Technology (NIST), advise against mandatory password expiration policies. Not only are these policies obsolete, they say, but nowadays they do more harm than good. When users are forced to periodically change their passwords, they are more inclined to prioritize creating one that’s easy to remember over one that is particularly strong. They may, for instance, make the new password the minimum allowable length, use the name of their partner or alma mater, or use repetitive or sequential symbols, resulting in a weaker password. Or they may simply transform their old password with a minor change, such as swapping the “#” symbol at the end for a “$.” This creates a predictable password pattern for that individual, which hackers can use to crack that person’s other passwords.
In addition, regular password changes cause lost productivity and more calls to the help desk, while potentially creating backlash against the company’s cybersecurity policies. Passwords should, however, be changed if there is a potential threat or suspected unauthorized access, or when the organization transitions to a stronger password policy.
Strong Password Policy
Instituting and enforcing a strong password policy can go a long way in safeguarding your system. Organizations should require a minimum password length, and the longer the better. Passwords should include both uppercase and lowercase letters, at least one number and at least one special character. Prohibit or discourage the use of easy-to-guess wording, such as the word “password,” other words found in the dictionary, and common phrases. Users should never use their own name or the name of someone close to them, or their birthdays, phone numbers or other information that can be easily obtained about them. Sequential strings of numbers, letters, or characters, such as “1234,” “ABCD,” or “!@#$” (the order in which these symbols appear on the keyboard), make passwords more vulnerable to brute-force attacks and therefore should be avoided.
Staff should be educated about the importance of using strong and unique passwords for all of their accounts, and not to reuse old passwords. If a user has the same or similar passwords across all of their accounts, it gives cyber criminals who gain access to one set of credentials a path into their other accounts.
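As an added example (not from the original post), the following Python check enforces the rules above at password-change time: an assumed minimum length of 12, the four character classes, keyboard and alphabetic sequences such as “1234” or “!@#$”, a small constructed blocklist standing in for a real common-password list, personal information supplied by the caller, and a similarity test that rejects the kind of minor edit described earlier, such as swapping a trailing “#” for “$”. The thresholds and message wording are assumptions.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 12  # assumed minimum; the post only says "the longer the better"
# Constructed stand-in for a real breached/common-password list
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}
# Keyboard rows and the alphabet, used to catch runs such as "1234", "ABCD" or "!@#$"
SEQUENCES = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "!@#$%^&*()",
             "abcdefghijklmnopqrstuvwxyz"]

def has_sequence(pw, run=4):
    """True if any `run` consecutive characters follow a keyboard row or the
    alphabet in either direction (case-insensitive)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in s or chunk[::-1] in s for s in SEQUENCES):
            return True
    return False

def too_similar(new_pw, old_pw, threshold=0.8):
    """Reject minor edits of the previous password, e.g. a trailing '#' swapped for '$'."""
    return SequenceMatcher(None, new_pw.lower(), old_pw.lower()).ratio() >= threshold

def check_password(pw, old_pw=None, personal=()):
    """Return the list of policy violations; an empty list means the password passes.
    `personal` holds strings the user must not embed (names, birth year, phone number)."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (("uppercase letter", r"[A-Z]"), ("lowercase letter", r"[a-z]"),
                           ("digit", r"[0-9]"), ("special character", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            problems.append(f"no {label}")
    words = sorted(w for w in COMMON_WORDS if w in low)
    if words:
        problems.append("contains a common word: " + ", ".join(words))
    if has_sequence(pw):
        problems.append("contains a keyboard or alphabetic sequence")
    found = [p for p in personal if len(p) >= 3 and p.lower() in low]
    if found:
        problems.append("contains personal information: " + ", ".join(found))
    if old_pw and too_similar(pw, old_pw):
        problems.append("too similar to the previous password")
    return problems

if __name__ == "__main__":  # constructed sample inputs, including the "#" to "$" edit above
    print(check_password("Midtown2024$", old_pw="Midtown2024#"))  # ['too similar to the previous password']
    print(check_password("qwerty1234!A"))  # common word plus keyboard sequence
    print(check_password("Correct-Horse9Battery", old_pw="Midtown2024#"))  # []
```

In practice the blocklist should be a full breached-password list and the old password should be compared via the stored hash only where a plaintext comparison is impossible; the similarity check here assumes the user has just supplied both values on the change form.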
Multi-Factor Authentication (MFA)
Given today’s threat environment, every organization needs to require multi-factor authentication (MFA) whenever someone logs into the system. With MFA, users receive a text or email, or use an authenticator app such as Duo, Google Authenticator, or Microsoft Authenticator, to confirm that they are, in fact, the ones trying to log in. While authenticator apps are more secure, you must ensure they are always updated with the latest software, as older versions may have vulnerabilities. If using text or email, make sure users keep their contact information current, including phone numbers, email addresses, and the devices that can receive push notifications.
Tabush Group is a leading provider of Managed IT Services and Desktop as a Service (DaaS). To learn more about how our state-of-the-art IT solutions can make your firm’s operations more efficient and secure, contact us today!