Why it is no longer a good idea to have a password expiration policy in a business network
Password expiration policies are a standard business practice and have been for a very long time. Many companies had or currently have policies in place that force employees to change their password every 60-90 days (which was everybody’s favourite task to do, am I right?). The problem is that all too often this policy results in more IT issues than it prevents.
Fortunately, in 2017, new recommendations were released (supported by Microsoft) that raised security concerns related to this practice. For example, if someone is to steal your password, that 60-90-day window is just too wide, meaning that the damage will already be done by the time you are auto-reminded to choose a new password. Additionally, what tends to happen is when you have a password expiration policy in place, it perpetuates poor password hygiene. Here is what happens:
- Password reuse: It is common for professionals to just use the same password when they renew. Many even repeat the same password with multiple applications. They may make a subtle change, for example, add an exclamation mark so that it remains familiar; it’s just not enough.
- Users write down their password: Employees may write their password down on a piece of paper. And while this is okay if that password is stored securely, often that is not the case. It is common to find that the password is written in a notebook, placed on one’s desk or even on sticky notes that end up all over the place or perhaps tucked under one’s keyboard.
- Simple passwords: With a policy forcing password change, the complexity of the password is typically not complex enough, so users will be permitted to have simple passwords. A simple password, for example, just four or five letters in length, is far too insecure.
The newest guidance is that passwords should not change unless there is a compelling reason to do so. Having a complex password in place is still a requirement, however, if you have taken the time to choose a very strong password you won’t have to change it periodically. Therefore, you are more likely to choose a password that will better prevent a cyber-attack.
Safeguard your passwords with other mechanisms
It is also recommended that you have other mechanisms in place, like multi-factor authentication, so that if a password does get lost, hackers cannot access your account.
Another common best practice to support secure passwords is to use a service that will block known bad passwords from being used. This will prevent people, for instance, using the passwords that can be easily guessed, like “password” or “123456” or “abc123.”
There are many new security features that offer better password protection. Start by turning off your password expiration policy and put some of these new practices and tools in place to detect malicious login attempts. Doing this will enable you to know if you’re being attacked. This will result in you having happier users and a more secure network.
If you are concerned about your employees’ password hygiene, contact us to setup a meeting to discuss what you can do to protect your business network.