Mandatory password changes on a regular timeframe are a fact of life within many organizations. This age-old practice is upheld by proponents as a good baseline security measure to mitigate the risks of password loss. But is it still relevant decades after it first appeared?

What Does Password Expiration Solve?

First, it's important to understand why enforced password expirations became popular. Most organizations require a password change every 30 or 90 days. This dates from the historical background of simpler password hashes which could be cracked relatively quickly. Back when an attacker could crack a password in a couple of months, security practitioners suggested that changes within that timeframe would help to keep users safe.

Today's threat model looks rather different. Passwords stored with modern, deliberately slow hashing mechanisms could take billions of years to crack by brute force.

Nowadays criminals collect passwords in ways that focus on you, the user, instead of the service that stores them. Phishing and social engineering attacks are the greatest risks, as well as coordinated dictionary attacks using lists of known passwords. These lists are sourced from previous data breaches.

The changes in the threat landscape mean password expirations no longer solve the problem they were intended for. Compromises happen in seconds. By the time you change your password, the attackers are probably long gone.

The Issues With Password Expirations

Enforced password changes are a common frustration among users. They may be inclined to choose a succession of short passwords that are easily memorized. Some users will note each password down, potentially exposing it to compromise - whether in a text file, or as a desktop post-it note.

Research at the University of North Carolina found an attacker with access to previous passwords could determine the user's current password in under 3 seconds in 41% of cases. This provides strong evidence that many users make only trivial changes to their passwords at the mandated interval.

Password expirations are meant to place a time limit on an attacker's access to a compromised system. In today's changed landscape, an intruder may already have persistent access by the time they steal the password list. Installing a key logger or other similar malware immediately sidesteps all the benefits of password expiration.

Finally, real-world pen-testers have stated they're not encumbered by a password expiration policy. Such policies are often defending against threats they cannot hope to contain. These days, regular password changes should be seen as an effort to encourage users to maintain security. In practice, they are poorly suited to this too, as they present an inconvenience which users will try to avoid.

The Tide's Turning Against Changing Your Password

These factors combined have led several prominent organizations to turn against password change policies in recent years. From the UK's National Cyber Security Centre (NCSC) to Microsoft's official Windows security baseline, the once ubiquitous practice has rapidly dropped out of favor.

In a blog post in 2016, the NCSC explained that expirations present a "usability cost" to users that outweighs already questionable security benefits:

It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn't, it turns out, stand up to a rigorous, whole-system analysis.

The impact of password fatigue is more likely to weaken an organization's overall security posture, as users will choose less secure passwords and drop their guard against ongoing threats. Attackers won't be perturbed by a password expiration policy - information gets stolen in an instant, usually long before a scheduled password change could mitigate the impact.

What To Use Instead?

System administrators still have several tools to protect their organizations. Of the options available, education can be one of the strongest long-term approaches. Explain to users the risks of low security passwords to encourage them to make safer choices.

You should also adopt multi-factor authentication. Adding an authentication app to the equation stops attackers from logging in with a password alone, even if they successfully steal it. This wasn't possible back when password expiration policies first started to be adopted.

If you still insist on regular password changes, or your industry has legislation that requires it, find ways to help your users. Providing approved password management software will let users generate and store secure passwords, without resorting to simple phrases scrawled on note paper.

Dropping password expirations doesn't mean abandoning all password control mechanisms. You can still enforce a minimum length and complexity to guide users towards strong choices. In addition, you should retain the ability to invalidate passwords so you can quickly lock down your systems in the event of a breach.
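As an added example that is not part of the article, here is a Python check a defender could run at password-change time: it enforces a minimum length, rejects passwords found in a breach-sourced list (the dictionary attacks mentioned earlier), and rejects the trivial variations of the previous password that the University of North Carolina research described. The breach list and the 12-character minimum are constructed values, and the check assumes the user supplies the old password during the change.

```python
import re

# Constructed sample of a breached-password list; real lists run to hundreds of millions.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12  # assumed policy value, not from the article


def _normalize(pw: str) -> str:
    """Lower-case and strip the leading/trailing digits and symbols users tend to tweak."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def _within_one_edit(a: str, b: str) -> bool:
    """True if b is a one-character insertion, deletion or substitution of a."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # single substitution (or identical strings)
    return a[i:] == b[i + 1:]           # single insertion into the longer string


def is_trivial_variant(old: str, new: str) -> bool:
    """Detect the minor edits (case, reversal, bumped digit, one-char change) the UNC study saw."""
    o, n = old.lower(), new.lower()
    if o == n or o[::-1] == n:
        return True
    if _normalize(o) and _normalize(o) == _normalize(n):
        return True
    return _within_one_edit(o, n)


def validate_change(old: str, new: str) -> list:
    """Return the policy violations for a proposed change; an empty list means accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if new.lower() in BREACHED:
        problems.append("appears in a known breach list")
    if is_trivial_variant(old, new):
        problems.append("trivial variation of the previous password")
    return problems
```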

Conclusion: Time to Stop Expiring Passwords

Password expirations used to be reasonably effective at stopping the cyberattacks of yesterday's web. Now they're more trouble than they're worth. Continuing to enforce regular password changes will frustrate users, cause more IT help desk queries and deliver negligible - or negative - effects on your security posture.

Expiration policies were helpful when the web was a smaller and slower place. The internet and its threats have evolved immensely over the past couple of decades. It's now more common for users to tell an attacker their password, in a phishing email or on a scam call, than a password to be actually "stolen" by an intruder.

For systems where persistent access is a risk, acquiring a privileged user's password once usually gives an attacker the capability to install a backdoor or set up their own user account. With so many factors stacking against password expiration as a security mitigation, it's now more important to focus on basic password hygiene and the bigger picture of cyber defenses.

Dropping your password expiration policy should please users and contribute to your security standing. Weigh the security benefits of your password practices against the usability cost of making users relearn their credentials every few months. Many compliance regulations such as PCI-DSS and HIPAA still require regular password changes but in non-regulated industries, you should now think twice before using mandated expirations.