Requiring regular password changes is a practice that has been around for decades. However, recent research has shown that it is not as effective as once thought. In fact, it can be harmful to security in some cases.
The primary danger of mandated password changes is that users tend to choose weaker passwords when they are forced to change them frequently. For example, a user whose password is “P@ssw0rd2” when a change is required will usually make only a small, predictable modification to it rather than pick a new one. This makes it easier for attackers to guess the password and gain access to the user’s account.
Another issue with regular password changes is that they can be time-consuming and frustrating for users. This can lead to users writing down their passwords or using the same password for multiple accounts, which can further compromise security.
In addition, regular password changes are ineffective against modern cracking techniques. Attackers apply mangling rules to dictionary entries (appending digits, substituting symbols for letters, capitalizing), so passwords that were only obfuscated by adding letters or symbols to a word are still cracked quickly.
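The two weaknesses above, incremental edits to the old password and dictionary words dressed up with substitutions, can both be caught at change time, when the user has just typed the old and new password. The following checker is an added example written for this article, not code from the original post or from Microsoft or NIST. The banned-word list is a constructed stand-in for a real breached-password or dictionary list, and the function names (`normalize`, `levenshtein`, `evaluate_change`) are hypothetical.

```python
import re

# Undo common character substitutions so "P@ssw0rd" and "password"
# compare equal. Only symbols and digits are remapped; letters are untouched.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed sample list. A real deployment would use a breached-password
# corpus or a dictionary, compared against the normalized core word.
BANNED_CORES = {"password", "summer", "winter", "welcome", "qwerty", "letmein"}

def normalize(pw: str) -> str:
    """Reduce a password to its core word: lowercase, strip the trailing
    digits/symbols people bump on each rotation, then undo leet substitutions."""
    core = pw.lower()
    core = re.sub(r"[0-9!@#$%^&*]+$", "", core)
    return core.translate(LEET)

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def evaluate_change(old: str, new: str, max_edit_distance: int = 2):
    """Return None if the new password is acceptable, otherwise a reason.

    Checks, in order: unchanged; a handful of character edits away from the
    old password (P@ssw0rd2 -> P@ssw0rd3); the same core word re-obfuscated
    (P@ssw0rd2 -> Pa$$word!9); a well-known word with mangling applied.
    """
    if new == old:
        return "unchanged"
    if levenshtein(old.lower(), new.lower()) <= max_edit_distance:
        return "too similar to previous password"
    core_old, core_new = normalize(old), normalize(new)
    if core_old and core_old == core_new:
        return "same base word as previous password"
    if core_new in BANNED_CORES:
        return "based on a common word"
    return None

if __name__ == "__main__":
    # Constructed sample rotations a user might attempt.
    old = "P@ssw0rd2"
    for candidate in ["P@ssw0rd3", "Pa$$word!9", "Summer2024!",
                      "correct horse battery staple"]:
        verdict = evaluate_change(old, candidate) or "accepted"
        print(f"{candidate!r}: {verdict}")
```

The check only works at the moment of change, when the old password is available in plaintext from the user; it must never require storing old passwords reversibly for later comparison. The edit-distance threshold and the banned list are policy knobs, and a real deployment would back the list with a large breached-password set rather than a handful of words.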
Finally, regular password changes can be harmful to productivity. Users who are required to change their passwords frequently may forget their new passwords or write them down, leading to lost productivity and increased help desk calls.
In light of these issues, Microsoft has removed periodic password changes from the security baseline settings it recommends for customers and auditors [1].
The National Institute of Standards and Technology (NIST) has also updated its guidelines to recommend against regular password changes [2].
These conclusions date back to 2019, four years ago as of this writing. If your company still requires regular password changes, urge it to update its policies.
Instead of requiring regular password changes, organizations should focus on other security measures such as two-factor authentication, password managers, and employee training. These measures can be more effective at preventing unauthorized access to sensitive information.
In conclusion, requiring regular password changes is a practice that is no longer recommended by security experts. It can be harmful to security, time-consuming for users, and ineffective against modern cracking techniques. Organizations should instead focus on other security measures that protect sensitive information without the dangers of mandated password changes.