Technipages
Should Users Be Forced to Reset Their Passwords Regularly?

November 24, 2020 by Mel Hawthorne

One of the common pieces of account security advice is that users should change their passwords regularly. The reasoning behind this approach is to minimise the length of time that any password is valid for, in case it ever gets compromised. This entire strategy is based on historical advice from top cybersecurity groups such as the American NIST, or National Institute of Standards and Technology.

For decades governments and companies followed this advice and forced their users to regularly reset passwords, typically every 90 days. Over time, however, research showed that this approach wasn’t working as intended and in 2017 NIST along with the UK’s NCSC, or National Cyber Security Centre, changed their advice to only require password changes when there is reasonable suspicion of compromise.

Why was the advice changed?

The advice to regularly change passwords was originally implemented to help increase security. From a purely logical perspective, the advice to regularly refresh passwords makes sense. The real-world experience is slightly different though. Research showed that forcing users to regularly change their passwords made them significantly more likely to start using a similar password that they could just increment. For example, rather than picking passwords like “9L=Xk&2>” users would instead use passwords like “Spring2019!”.

It turns out that, when forced to come up with and remember multiple passwords and then to change them regularly, people consistently choose easy-to-remember passwords that are weaker. The problem with incremental passwords like “Spring2019!” is that they are easily guessed, and they also make future changes easy to predict. Taken together, this means that forcing password resets pushes users towards easier-to-remember and therefore weaker passwords, which actively undermines the intended benefit of reducing future risk.

For example, in a worst-case scenario, a hacker could compromise the password “Spring2019!” within a few months of it becoming valid. At that point, they can try variants with “Fall” instead of “Spring” and are likely to gain access. If the company detects the breach and then forces users to change their passwords, it is fairly likely that the affected user will simply change their password to “Winter2019!” and believe that they are secure. The hacker, knowing the pattern, may well try this if they attempt to regain access. Depending on how long a user sticks with this pattern, an attacker could retain access over multiple years, all while the user feels safe because they are regularly changing their password.

What’s the new advice?

To help to encourage users to avoid formulaic passwords, the advice is now to only ever reset passwords when there is a reasonable suspicion that they’ve been compromised. By not forcing users to regularly remember a new password, they’re more likely to pick a strong password in the first place.

Combined with this are a number of other recommendations aimed at encouraging the creation of stronger passwords. These include ensuring that all passwords are at least eight characters long as the absolute minimum, and that the maximum permitted length is at least 64 characters. It is also recommended that companies move away from complexity rules towards blocklists built from dictionaries of weak passwords, such as “ChangeMe!” and “Password1”, which satisfy many complexity requirements despite being weak.
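As an added illustration (not code from the article or from NIST), the old-style composition rule is shown beside a check that follows the guidance above: a length floor of eight, a ceiling of at least 64, a weak-password blocklist, and screening for the season-plus-year formula from the earlier example. The blocklist entries, the regular expression and the trivial-increment helper are constructed assumptions, not a published standard.

```python
import re

# Constructed sample blocklist; a real deployment loads a large dictionary of
# breached and commonly chosen passwords instead of this handful.
WEAK_PASSWORD_BLOCKLIST = {"changeme!", "password1", "qwerty123", "letmein"}

# Ceiling: NIST asks that the maximum be at least 64; raise this if your
# password hashing handles longer input without truncation.
MAX_LENGTH = 64

# Formulaic "Season+Year" pattern from the article, optional trailing punctuation.
SEASON_YEAR_RE = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[^\w]*$", re.IGNORECASE)


def legacy_complexity_ok(password: str) -> bool:
    """Old rule: 8+ characters with upper, lower, digit and symbol classes present."""
    classes = (
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"\d", password),
        re.search(r"[^\w]", password),
    )
    return len(password) >= 8 and all(classes)


def nist_style_check(password: str, blocklist=WEAK_PASSWORD_BLOCKLIST) -> tuple[bool, str]:
    """Length bounds plus blocklist and formula screening; no composition rules."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if password.lower() in blocklist:
        return False, "found in weak-password blocklist"
    if SEASON_YEAR_RE.match(password):
        return False, "formulaic season+year pattern"
    return True, "ok"


def is_trivial_increment(old: str, new: str) -> bool:
    """True when the new password only changes digits or punctuation of the old one
    (constructed heuristic for the 'increment' behaviour the article describes)."""
    stem = lambda p: re.sub(r"[\d\W_]", "", p).lower()
    return stem(old) == stem(new)
```

The contrast to notice is that the composition rule accepts “Spring2019!” and rejects a long passphrase, while the length-plus-blocklist check does the opposite.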

The cybersecurity community almost unanimously agrees that passwords should not be expired automatically.

Note: Unfortunately, in some scenarios, it may still be necessary to do so, as some governments have yet to change laws requiring password expiry for sensitive or classified systems.


Filed Under: Internet, Software

© Copyright 2023 Guiding Tech Media · All Rights Reserved · Privacy