Is your company or a financial service you use asking you to update your password every so often? While this was once standard advice, many organizations have not adapted to the latest guidelines, which now question the effectiveness of such policies. If you are subject to a password expiration policy, use the points in this article to encourage your IT team or financial provider to modernize their password security practices.

Historically, the logic behind requiring frequent password changes was to mitigate risks if a password database was compromised, limiting the timeframe an attacker could access the account undetected. However, security professionals have shifted their focus to the root of the issue: the creation of weak passwords that are easy to crack. It’s been observed that users tend to create simpler passwords when faced with the prospect of frequent changes, often slightly modifying their previous passwords for ease of recall. This behavior does not escape the notice of cybercriminals, who are adept at predicting such modifications, thereby ironically diminishing security.

The National Institute of Standards and Technology (NIST), an authority in developing cybersecurity guidelines for the U.S. government and by extension influencing global corporate policies, updated its stance in 2017. NIST now advises against arbitrary password changes, stating: “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” NIST clarifies that the anticipation of having to change passwords encourages users to choose less secure options, which become predictable through common modifications like incrementing numbers. This gives attackers an advantage, particularly if any previous passwords were compromised.

However, NIST acknowledges exceptions, such as in cases of unauthorized access or when a password database breach occurs, necessitating an immediate reset of all passwords.

Furthermore, NIST critiques the traditional approach of mandating complex passwords with various character requirements, which often leads to predictable outcomes, like adding an exclamation point at the end. Instead, they advocate for longer passwords that are both secure and user-friendly, a principle easily applied with the help of password managers that can generate and remember strong passwords for you.
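The following script is an added example, not code from the article or from NIST, showing what a verifier that follows the guidance above looks like in practice: a length minimum, a screen against known-breached passwords, and a refusal of trivial edits of the previous password, with no character-class rules. The `core` function collapses the predictable modifications the text describes (incrementing a trailing number, appending an exclamation point, swapping `@` for `a`) so that "Summer2022!" and "Summer2023!" compare as the same password. The breach list is a constructed sample, and `SIMILARITY_LIMIT` is an assumed threshold; only the 8-character minimum comes from NIST SP 800-63B.

```python
"""NIST SP 800-63B-style password acceptance check (added example)."""
import re
from difflib import SequenceMatcher
from typing import List, Optional

MIN_LENGTH = 8          # NIST SP 800-63B minimum for user-chosen secrets
SIMILARITY_LIMIT = 0.8  # assumed threshold; tune for your deployment

# Constructed sample of breached/common passwords (stand-in for a real corpus).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Common substitutions users make to satisfy character-class rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def core(password: str) -> str:
    """Reduce a password to its alphabetic root.

    Strips the leading/trailing digit or symbol runs that users increment
    ("Summer2022!" -> "Summer2023!"), undoes common leet substitutions and
    lower-cases, so predictable variants collapse to the same string.
    """
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return "".join(c for c in stripped.lower().translate(LEET) if c.isalpha())


def legacy_complexity_ok(password: str) -> bool:
    """The traditional rule set the article criticises: one of each class."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def check_new_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return reason codes for rejection; an empty list means accept.

    Deliberately imposes no character-class rules: length plus a breach
    screen do more than "must contain a symbol", and spaces are allowed
    so passphrases work.
    """
    reasons: List[str] = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if candidate.lower() in BREACHED_PASSWORDS:
        reasons.append("breached")
    if previous is not None:
        new_core, old_core = core(candidate), core(previous)
        ratio = SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
        if new_core and new_core == old_core:
            reasons.append("trivial_variant")   # same root, edited suffix/leet
        elif ratio >= SIMILARITY_LIMIT:
            reasons.append("too_similar")       # small edit elsewhere
    return reasons


if __name__ == "__main__":
    # Constructed sample change requests: (new password, previous password)
    for new, old in [("Summer2023!", "Summer2022!"),
                     ("cheddar-black-2011-Des-Moines", "gouda-purple-1989-New-York"),
                     ("correct horse battery staple", None)]:
        print(f"{new!r:34} legacy={legacy_complexity_ok(new)!s:5} "
              f"nist={check_new_password(new, old) or 'accept'}")
```

Note the contrast the script prints: "Summer2023!" satisfies every legacy complexity rule yet is rejected as a trivial variant of "Summer2022!", while "correct horse battery staple" fails the legacy rules and is accepted under the length-based policy.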

For those infrequent cases where you need to remember and manually enter a password, consider devising a long, memorable phrase that’s easy to type. For better recall, you might pick a theme for your passwords. For example, if you start with "gouda-purple-1989-New-York," your next password could be "cheddar-black-2011-Des-Moines," employing a personal system for choosing elements of your password that only you would recognize as related.

This shift towards more user-friendly and secure password management reflects a broader understanding of cybersecurity, emphasizing stronger, more memorable passwords over frequent changes.

Additional Note: We understand that in today's work environment, securing your systems, especially with remote work setups, is more critical than ever. We're here to help implement and enforce CIS (Center for Internet Security) or NIST security protocols on your systems, ensuring your computers are secure, regardless of where your team is working from. Let us assist you in fortifying your cybersecurity infrastructure to protect against the ever-evolving threats.

(Featured image based on an original by iStock.com/designer491)