Don’t Change Your Password Every 90 Days

It’s one of the many little annoyances of modern business life. Every so often, you are forced to choose new login passwords in order to access your company network and accounts. It’s a practice that’s been a part of business life for years, but it’s one that you might want to rethink. Recently, several major companies and organizations (such as Microsoft) have come out against the practice, and for good reason.

Regular password changes seem like a great idea, at least from a security perspective. The basic idea is reasonable enough. If you change your password regularly, shouldn’t that make it harder for an attacker to get in? Shouldn’t it prevent hackers from laying in wait for months, and striking when the time is right? There’s no doubt that there are benefits to regular password changes in theory, but even the best theories have to reckon with their real world consequences.

In reality, regular password changes often lead to bad security hygiene. For example, constant changes of passwords often lead to passwords written on Post-It notes stuck to monitors. Users also make trivial changes to old passwords….”monkey1″ becomes “monkey2”, and so on. Some users will change their password, and then change it right back to the old password, thus negating any benefit. IT workers often complain about such seemingly irresponsible behavior, but the reality is that most employees aren’t security experts. They just want to get their work done, and constant password issues can get in the way.

But if password changes aren’t enforced, aren’t we reducing security? Most attackers use compromised passwords as soon as possible. They know that once a system is compromised, they may be discovered at any moment. From the attacker’s perspective, it doesn’t make sense to wait to strike. So we’re getting all of the negatives mentioned above, with little tangible benefit.

The reality is that we now have much better tools to beef up account security. Instead of annoying and ineffectual password expiration policies, consider the following options:

Multi-Factor Authentication

Multi-factor authentication greatly reduces the risk of a compromised password. If a hacker manages to get your password, it won’t help him if he doesn’t have access to your second factor. If that second factor is safely on your phone or, better yet, a physical security key, then the attacker is out of luck. This change alone will do far more good than even daily password changes.

Have Fewer Passwords

“Single sign on”, or SSO, is a process by which one set of credentials can be used to access multiple resources. For example, you can sign in to your corporate network and your Office 365 email with one user name and password. By reducing the number of credentials you have to keep track of, you can focus on keeping those credentials more secure. Ask your IT department or consultant if your business has accounts which can be combined into a Single Sign On process.

Use a Password Manager

Even if you reduce the number of passwords you have, you’ll still have at least a few to keep track of. Your bank is still going to require a separate password, so you should make sure it’s a good one. Using a password manager can help you create and use secure passwords without having to remember them (or write them on Post-It notes…). A secure password manager greatly cuts down on the number of passwords you need to remember, and makes it easy to change passwords if necessary.

So when is it necessary to change passwords?

Before you ditch password expiration policies, you should check to make sure that you don’t have any partner agreements that require expiration. For example, if your company works with a larger entity as a subcontractor, you may be required to follow a certain policy. If this is the case, you’ll need to contact the other party and get a written approval to use other (more secure) security controls. Sometimes this isn’t possible, but it might be worth bringing it up in hopes that the other entity will update their policies in the future. You might point out to them that aside from industry players such as Microsoft, the National Institute of Standards and Technology (NIST) has also recently come out against the practice.

And of course, you should change your password if you suspect it has been compromised. There are tools to keep track of known compromises. For example, Have I Been Pwned is a great site to check your email address for known compromised passwords. But if your business has good security practices (especially multi-factor authentication!), then a password compromise alone shouldn’t be cause for panic.