Is frequent change of passwords any good?

1,085

It’s like a two way street

Various IT organizations and companies recommend their users to change their passwords periodically.

In reality, the need for scheduled password changes is one of the old practices that is being followed as part of security protocols.

Despite being a good practice, it is considered as a hassle by most of the users who follow this practice.

Now Microsoft has a different opinion on this as it no longer recommends that organizations require users to change passwords periodically.

Perhaps for the first time, organizations are being forced now to consider, whether or not requiring periodic password changes is a good idea.

Is it effective?

According to Microsoft, requiring users to change their passwords frequently does more harm than good.

Change is the only thing that changes.
– the wandman

But humans are notoriously resistant to change.

When a user is forced to change their password, they will often come up with a lazy trick by creating a new password that is based on their previous password.

For example, A user might add a number to the end of their password and then increment that number each time that a password is required.

Studies have also proven that it is often possible to guess a user’s current password if you know their previous password.

In one such study, researchers found that they were able to guess 41% of user’s current passwords within three seconds if they knew the user’s previous password.

While forced password changes can cause problems, not requiring users to change their passwords can also cause problems.

As it stands today, it takes an organization, on average, 207 days to identify a breach that might have happened with their internal systems.

Always use Strong passwords — Always use strong passwords

A cybercriminal who has gained access to a system by way of a stolen password could potentially evade detection indefinitely.

Rather than simply abandoning the practice of requiring periodic password changes, it is better to address the underlying issues that tend to weaken an organization’s security.

What can be done ?

The biggest issue to this IT practice is frequent password expirations leads to users choosing weak passwords, or passwords that are related to their previous password.

One way to avoid this problem is to reward users for choosing strong passwords.

By using third-party password management tools, we can base a user’s password reset frequency on the length and complexity of their password.

Hence, users who choose strong passwords will not have to change those passwords as often as a user who chooses a weaker password.

Any other options?

Additionally, organizations should look for a password management solution that gives them the ability to block users from using passwords that are known to have been compromised.

Compromised passwords are passwords that have been hashed and added to rainbow tables or to similar databases, thereby making it extremely easy for an attacker to crack the password regardless of its complexity.

Also changing passwords frequently will also lead to users forgetting their passwords. This will cause account lockouts and increase in usage of helpdesk facility.

The best way to avoid this problem and decrease your helpdesk costs in the process is to adopt a self-service password reset solution that enables users to reset their own passwords in a secure manner.

Microsoft is also removing its password expiration policy settings from Windows 10, starting with version 1903.

So the need of the hour is to have a good password management tool that will secure your IT organization and prevent password related breaches.

In spite of recommendations to the contrary, there are security advantages to requiring users to change their passwords periodically.

However the key is to implement such a requirement in a way that does not inadvertently weaken an organization’s security. There is never an easy way to tackle security and the magic lies between usability and convenience.