
Should Users Be Forced to Reset Their Passwords Regularly?

Mel Hawthorne, November 24, 2020

One of the most common pieces of account security advice is that users should change their passwords regularly. The reasoning is to limit how long any one password stays valid, so that a password that has been compromised without anyone noticing can only be abused for a bounded window. The strategy comes from older guidance by standards bodies such as NIST, the US National Institute of Standards and Technology.

For decades governments and companies followed this advice and forced their users to reset passwords on a schedule, typically every 90 days. Research showed that the approach was not working as intended, and in 2017 NIST's Digital Identity Guidelines (SP 800-63B) dropped the recommendation; the UK's NCSC, or National Cyber Security Centre, gives the same advice. The current position is that verifiers should not require periodic changes, but must force a change when there is evidence that a password has been compromised.

Why was the advice changed?

The advice to change passwords regularly was meant to increase security, and on paper it does: a shorter validity window means a stolen password is useful for less time. Real-world behaviour is different. Research (the best-known study is Zhang, Monrose and Reiter's 2010 analysis of expired passwords at UNC) showed that forcing users to change passwords regularly makes them far more likely to adopt a pattern they can simply increment, and that a large share of the new passwords could be guessed from the old one within a handful of attempts. Rather than picking passwords like “9L=Xk&2>”, users pick passwords like “Spring2019!”.

When people are forced to invent, remember and then regularly replace several passwords, they consistently fall back on easy-to-remember passwords, which are weaker. Incremental passwords like “Spring2019!” are bad on two counts: they are easy to guess outright, and once one is known the next change is predictable as well. So forced resets push users towards weaker passwords and actively undermine the benefit they were meant to deliver.

Consider the worst case. An attacker obtains “Spring2019!” while it is still valid. When it is rotated, they try the same template with “Summer” or “Fall” swapped in and are likely to get back in. If the company detects the breach and forces a reset, the affected user will plausibly change the password to “Winter2019!” and believe they are secure; an attacker who knows the pattern will try exactly that the next time they want in. For as long as the user sticks with the pattern, which can be years, the attacker retains access, while the user feels safe precisely because they change their password regularly. A breach-triggered reset only helps if the replacement is unrelated to the password it replaces.
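The successor-guessing attack described above, written out as an added example (this is not code from the original article): given one known password, `candidate_successors` generates the edits a habitual "incrementer" is likely to make, and `guess_successor` tries them against a verification oracle, which here is a plain equality check standing in for a login form. The season list, the two password histories and all function names are constructed for this demo.

```python
from __future__ import annotations

import re
from typing import Callable, Optional

# Constructed example: how an attacker who knows one "incremented" password
# predicts the next one. The season list and sample histories are made up.
SEASONS = ["Spring", "Summer", "Fall", "Autumn", "Winter"]


def _swap_seasons(pw: str) -> list[str]:
    """'Spring2019!' -> ['Summer2019!', 'Fall2019!', 'Autumn2019!', 'Winter2019!']."""
    out = []
    for s in SEASONS:
        if s.lower() in pw.lower():
            pat = re.compile(re.escape(s), re.IGNORECASE)
            out += [pat.sub(t, pw, count=1) for t in SEASONS if t != s]
    return out


def candidate_successors(old: str) -> list[str]:
    """Likely next passwords for a user who edits rather than replaces, in rough
    order of likelihood: season swap, year bump, trailing-number bump, symbol nudge."""
    out: list[str] = []

    def add(p: str) -> None:
        if p != old and p not in out:
            out.append(p)

    for p in _swap_seasons(old):
        add(p)
    m = re.search(r"(19|20)\d{2}", old)              # a four-digit year anywhere
    if m:
        bumped = old[: m.start()] + str(int(m.group()) + 1) + old[m.end():]
        add(bumped)
        for p in _swap_seasons(bumped):              # 'Winter2019!' -> 'Spring2020!'
            add(p)
    m = re.search(r"(\d+)(\D*)$", old)               # trailing number, e.g. 'Pa55word3!'
    if m:
        num, tail = m.group(1), m.group(2)
        for k in range(1, 4):
            add(old[: m.start()] + str(int(num) + k).zfill(len(num)) + tail)
    for a, b in (("!", "!!"), ("!", "@"), ("!", "#"), ("!", "$")):
        if old.endswith(a):
            add(old[: -len(a)] + b)
    return out


def guess_successor(old: str, verify: Callable[[str], bool],
                    budget: int = 50) -> tuple[Optional[str], int]:
    """Try candidates against a login/verification oracle until one is accepted.
    Returns (password found or None, attempts used). A lockout policy would cap
    'budget'; the point is that the hit usually comes in the first handful."""
    cands = candidate_successors(old)[:budget]
    for i, cand in enumerate(cands, start=1):
        if verify(cand):
            return cand, i
    return None, len(cands)


def run_history(history: list[str]) -> list[tuple[str, Optional[str], int]]:
    """Walk a user's password history, guessing each password from the previous one."""
    results = []
    for old, new in zip(history, history[1:]):
        found, tries = guess_successor(old, lambda p, new=new: p == new)
        results.append((new, found, tries))
    return results


if __name__ == "__main__":
    # Two constructed users: one increments a template, one picks a fresh password.
    histories = {"incrementer": ["Spring2019!", "Fall2019!", "Winter2019!", "Spring2020!"],
                 "replacer": ["Spring2019!", "9L=Xk&2>", "vZ7$plq#Rw2m"]}
    for name, hist in histories.items():
        for new, found, tries in run_history(hist):
            print(f"{name:12} next={new!r:16} guessed={found is not None!s:6} after {tries} tries")
```

Against the incrementing history the correct next password turns up within the first six guesses every time, far below any realistic lockout threshold; against the user who picked an unrelated password the whole candidate list is exhausted with no hit. That gap is the argument in one run: rotation only helps when the replacement is independent of what it replaces.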

What’s the new advice?

To discourage formulaic passwords, the advice is now to reset passwords only when there is reasonable suspicion that they have been compromised. A user who is not forced to memorise a new password every few months is more likely to choose a strong one in the first place and keep it.

This is combined with several other recommendations aimed at stronger passwords. User-chosen passwords must be at least eight characters long, and the maximum accepted length must be at least 64 characters, so that long passphrases are not rejected or silently truncated. Verifiers should also accept pasted input so that password managers work. Most importantly, companies are told to drop composition (“complexity”) rules in favour of checking each candidate password against a blocklist of common, expected and previously breached values. Complexity rules let through passwords such as “ChangeMe!” and “Password1”, which satisfy most of them; a blocklist catches exactly those.

The security community now broadly agrees that passwords should not be expired on a schedule.

Note: Unfortunately, in some environments it may still be necessary, because some laws and compliance standards have yet to catch up and still require password expiry for sensitive or classified systems.
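The two policies side by side, as an added example rather than code from the article or from NIST: `passes_legacy_complexity` is a typical “three of four character classes” rule, and `check_password` applies the length bounds, blocklist comparison, context-word check and repetitive/sequential-character check that SP 800-63B describes, with no composition rule at all. The blocklist, the decoration-stripping heuristic in `normalize_for_blocklist`, the sample passwords and the username `jdoe` are all constructed for this example.

```python
from __future__ import annotations

import re
import unicodedata

# Constructed blocklist for this example. A real deployment screens against a
# large list of breached and common passwords, not a dozen words.
BLOCKLIST = {"password", "changeme", "qwerty", "letmein", "welcome", "admin",
             "iloveyou", "spring", "summer", "fall", "autumn", "winter"}
MIN_LEN, MAX_LEN = 8, 64   # SP 800-63B: at least 8; accept at least 64


def passes_legacy_complexity(pw: str) -> bool:
    """The kind of rule the article argues against: 8+ characters and three of
    four character classes. 'Password1' and 'ChangeMe!' sail through."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def normalize_for_blocklist(pw: str) -> str:
    """Strip the decorations users bolt onto a dictionary word (trailing year,
    '!', leetspeak) so 'Password1', 'ChangeMe!' and 'Spring2019!' compare as
    'password', 'changeme' and 'spring'. Heuristic written for this example."""
    s = unicodedata.normalize("NFKC", pw).casefold()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)       # drop leading/trailing digits and symbols
    leet = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
    return s.translate(leet)


def has_run(pw: str, n: int = 4) -> bool:
    """True for n identical characters in a row ('aaaa') or n consecutive code
    points ('abcd', '1234'), which SP 800-63B lists as grounds for rejection."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - n + 1):
        w = codes[i:i + n]
        if {b - a for a, b in zip(w, w[1:])} in ({0}, {1}):
            return True
    return False


def check_password(pw: str, username: str = "", service: str = "") -> list[str]:
    """Length bounds, blocklist, context words and runs; no composition rules.
    Returns the reasons for rejection; an empty list means accepted."""
    reasons: list[str] = []
    n = len(unicodedata.normalize("NFKC", pw))   # count code points, not bytes
    if n < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:                               # reject, never silently truncate
        reasons.append(f"longer than {MAX_LEN} characters")
    core = normalize_for_blocklist(pw)
    if core in BLOCKLIST:
        reasons.append(f"blocklisted ('{core}')")
    for word in (username, service):              # context-specific words
        if word and word.casefold() in pw.casefold():
            reasons.append(f"contains '{word}'")
    if has_run(pw):
        reasons.append("repetitive or sequential characters")
    return reasons


def compare(samples: list[str], username: str = "") -> dict[str, tuple[bool, bool]]:
    """For each sample: (accepted by legacy complexity rule, accepted by the new check)."""
    return {pw: (passes_legacy_complexity(pw), not check_password(pw, username)) for pw in samples}


if __name__ == "__main__":
    SAMPLES = ["Password1", "ChangeMe!", "Spring2019!", "Abcd1234", "jdoe-rocks-2020",
               "9L=Xk&2>", "correct horse battery staple"]
    for pw, (old_ok, new_ok) in compare(SAMPLES, username="jdoe").items():
        print(f"{pw!r:32} legacy={old_ok!s:6} new={new_ok!s:6} {check_password(pw, 'jdoe')}")
```

“Password1”, “ChangeMe!” and “Spring2019!” pass the legacy rule and fail the blocklist; the 28-character lowercase passphrase fails the legacy rule and is accepted by the new check. Normalising before the lookup matters because the raw strings are on no short list while the words users decorate are; a production deployment would replace the dozen-word set with a breached-password corpus of millions of entries and keep the same shape of check.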

Categories: Internet | Software
