Mandatory Password Change Policies Are Counterproductive
The Origin of the "90 days" policy
In 2003, Bill Burr, an employee of the National Institute of Standards and Technology (NIST), wrote the often-cited policy on passwords. Burr's 2003 report recommended using numbers, obscure characters and capital letters, and updating passwords regularly. In an interview with the Wall Street Journal in 2017, Mr Burr confessed that he now regrets the error.
Why is it useless?
Password expiration policies protect enterprises only in situations where passwords or password hashes have been stolen and can be used to gain unauthorized access to the network. Even then, a 60- or 90-day interval is too long: if a password or hash has been stolen, the administrator wants the user to change it immediately, not wait for it to expire.
Shortening the interval to force more frequent changes introduces other problems. Research by Microsoft and others has shown that forcing users to change their passwords regularly results in them making "small and predictable alterations to their existing password", which makes the new passwords guessable: for example, changing "monkey1" into "monkey2", which is easy to deduce.
The "90 days policy" is now labelled "an ancient and obsolete mitigation of very low value".
Both NIST and Microsoft have dropped the requirement in their latest policy updates - NIST
What are the new best practices?
The latest policies are:
- for Microsoft: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide
Password guidelines for administrators
The primary goal of a more secure password system is password diversity. You want your password policy to contain lots of different and hard-to-guess passwords. Here are a few recommendations for keeping your organization as secure as possible.
- Maintain an 8-character minimum length requirement (longer isn't necessarily better)
- Don't require character composition requirements. For example, *&(^%$
- Don't require mandatory periodic password resets for user accounts
- Ban common passwords, to keep the most vulnerable passwords out of your system
- Educate your users to not re-use their organization passwords for non-work related purposes
- Enforce registration for multi-factor authentication
- Enable risk-based multi-factor authentication challenges
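As an added example (not code from the page or from Microsoft's guidance), a password-acceptance check in Python that applies the administrator recommendations above: an 8-character minimum, no composition rules, a banned-password list, and a check that a voluntary change is not the kind of "monkey1" to "monkey2" alteration described earlier. The banned list and the similarity heuristic are constructed assumptions, not part of any published policy.

```python
import re
from typing import List, Optional

# Constructed sample banned list; a real deployment would load a much larger
# list of known-breached passwords from a file.
BANNED_PASSWORDS = {"password", "123456", "qwerty", "iloveyou", "monkey", "letmein"}

MIN_LENGTH = 8  # the recommended 8-character minimum; no composition rules


def _core(pw: str) -> str:
    """Lower-case the password and drop trailing digits/symbols ('Monkey2!' -> 'monkey')."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_predictable_alteration(old: str, new: str) -> bool:
    """Flag the small, predictable edits users make under forced rotation.

    Heuristic (an assumption, not from the page): same password, case-only
    change, reversed password, or the same core word with a different suffix.
    """
    if old == new or old.lower() == new.lower() or new == old[::-1]:
        return True
    old_core, new_core = _core(old), _core(new)
    return bool(old_core) and old_core == new_core


def check_new_password(new: str, old: Optional[str] = None,
                       banned=BANNED_PASSWORDS) -> List[str]:
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the raw password and its core, so 'Password1!' is caught too
    if new.lower() in banned or _core(new) in banned:
        reasons.append("on the banned-password list")
    if old is not None and is_predictable_alteration(old, new):
        reasons.append("predictable alteration of the previous password")
    return reasons


if __name__ == "__main__":
    for old, new in [("monkey1", "monkey2"), ("Summer2023", "Summer2024"),
                     ("monkey1", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {check_new_password(new, old) or 'accepted'}")
```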
Password guidance for your users
Here's some password guidance for users in your organization. Make sure to let your users know about these recommendations and enforce the recommended password policies at the organizational level.
- Don't use a password that is the same or similar to one you use on any other websites
- Don't use a single word, for example, password, or a commonly-used phrase like Iloveyou
- Make passwords hard to guess, even by those who know a lot about you, such as the names and birthdays of your friends and family, your favourite bands, and phrases you like to use