Please Forget to Change Your Password Every 90 Days
It's Time to Rethink Password Management Best Practices
Some of the most basic tenets of password account management have failed, leaving us with a dreadful combination of poor user experience and inadequate security. Fortunately, the flawed password principles we’ve been following for more than 10 years are finally on the way out.
Let’s start with password expiration. It’s not easy to come up with complex character or word combinations across dozens of active accounts, memorize them and change them frequently. As a result, users who are required to replace “memorized secrets” every few months tend to violate other security principles, perhaps by writing the passwords down, by recycling passwords from other accounts, by substituting letters with numbers, or by using similar word combinations or patterns across accounts.
According to the UK’s National Cyber Security Centre, “Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.” Convinced of this point as well, the National Institute of Standards and Technology (NIST) has rejected forced changes for memorized secrets absent evidence of compromise. In SP 800-63B (section 5.1.1.2), NIST uses the all-caps requirement language of a standard to state that verifiers “SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically),” while still requiring a forced change when there is evidence that the secret has been compromised. Still, readers beware: not everyone has eliminated password expiration requirements (including, as of this writing, the PCI Security Standards Council, as well as many vendor management programs), so check which regime actually governs your systems before you drop the policy.
Second to go? Character c0mpl3xity! Administrators should still screen new passwords against a blocklist of values that are commonly used, expected or known to be compromised (NIST lists breach corpora, dictionary words, repetitive or sequential strings such as “aaaaaa” or “1234abcd”, and context-specific words such as the username or the name of the service), and should enforce a minimum length of 8 characters while allowing at least 64. Beyond that, NIST cautions that verifiers “SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.” Length and a good blocklist do more for password strength than mandated symbols and digits, which users satisfy with predictable substitutions.
Third, for all those administrators who don’t allow spaces in passwords, you may want to rethink your decision. NIST says verifiers should accept all printing ASCII characters, including the space, and should accept Unicode as well. Allowing spaces is what makes long, memorable passphrases such as “Space the Final Font Here” possible, and a long phrase of ordinary words resists guessing far better than a short string mangled to satisfy composition rules. One practical caveat: if you accept Unicode, apply a consistent normalization (NIST suggests NFKC or NFC) before hashing, so that the same phrase typed on different keyboards or platforms verifies the same way.
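The rules above translate directly into code. The following Python check is an added example, not part of the original article and not a NIST reference implementation: it enforces the 8-to-64 length window on code points, normalizes with NFKC, accepts spaces and Unicode, screens against a blocklist and against context words, and deliberately imposes no composition rules. The blocklist entries are constructed for illustration, the reason codes (too_short, blocklisted, and so on) are this example’s own naming, and the is_trivial_pattern heuristic for whole-password runs such as “1234abcd” is an assumption about how one might implement NIST’s “repetitive or sequential characters” item.

```python
"""NIST SP 800-63B-style memorized-secret acceptance check.

Added example; not from the original article. It encodes the rules the
article discusses: minimum length 8, allow at least 64, accept spaces and
Unicode (after NFKC normalization), screen against a blocklist and against
context-specific words, and impose NO composition rules.
"""
import unicodedata

MIN_LENGTH = 8   # SP 800-63B 5.1.1.2: at least 8 characters when user-chosen
MAX_LENGTH = 64  # verifiers SHOULD permit at least 64 characters

# Constructed, illustrative blocklist. A real deployment loads a breach corpus
# (for example a local copy of a breached-password list) instead of this set.
BLOCKLIST = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "iloveyou", "sunshine", "admin123",
}


def normalize(secret: str) -> str:
    """Apply NFKC so visually identical inputs compare (and hash) the same.
    NIST recommends Unicode normalization before hashing a memorized secret."""
    return unicodedata.normalize("NFKC", secret)


def is_trivial_pattern(s: str, min_run: int = 3) -> bool:
    """True if the WHOLE secret is made of runs (each >= min_run long) that are
    a repeated character or consecutive code points, ascending or descending:
    'aaaaaaaa', '1234abcd', '9876zyxw'. 'bookkeeper' is not trivial: it only
    contains repeated letters, and rejecting that would be a composition rule.
    This heuristic is an assumption of the example, not NIST's algorithm."""
    i, n = 0, len(s)
    if n == 0:
        return False
    while i < n:
        best = 1
        for step in (0, 1, -1):          # repeat, ascending, descending
            j = i + 1
            while j < n and ord(s[j]) - ord(s[j - 1]) == step:
                j += 1
            best = max(best, j - i)
        if best < min_run:               # a non-trivial segment: accept
            return False
        i += best
    return True


def check_memorized_secret(secret: str, context_words=()) -> list:
    """Return reason codes for rejection; an empty list means acceptable.

    context_words: values the verifier knows about the account (username,
    service name) that must not appear inside the secret.
    """
    s = normalize(secret)
    folded = s.casefold()                # case-insensitive blocklist match
    reasons = []
    if len(s) < MIN_LENGTH:              # len() counts code points, not bytes
        reasons.append("too_short")
    if len(s) > MAX_LENGTH:
        reasons.append("too_long")
    if folded in BLOCKLIST:
        reasons.append("blocklisted")
    if any(w and w.casefold() in folded for w in context_words):
        reasons.append("context_word")
    if is_trivial_pattern(folded):
        reasons.append("trivial_pattern")
    # Deliberately absent: "needs an uppercase letter", "needs a digit",
    # "no spaces", "no consecutive repeated characters".
    return reasons


if __name__ == "__main__":
    samples = ["Space the Final Font Here", "Password", "1234abcd",
               "short", "bookkeeper", "alice2024!"]
    for pw in samples:
        print(repr(pw), "->", check_memorized_secret(pw, ("alice",)) or "ok")
```

Note that “bookkeeper” passes even though it repeats letters, while “aaaaaaaa” and “1234abcd” fail: the check targets secrets that are nothing but a pattern, which is what the blocklist item covers, and leaves ordinary words alone.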
Fourth, it turns out it’s a bad idea to request specific types of information from users (such as their first pet, first car or first data breach notification). These “secret” answers to security questions, which NIST calls knowledge-based authentication, tend to be known, knowable from social media and public records, or readily guessed from a short list, and administrators are urged to stop using them to grant account access or to drive account recovery.
Fifth, it’s time to get rid of stored password hints, at least any hint shown to someone who has not yet authenticated. If the clue is good enough to help the true account holder, there’s a good chance it will help an attacker too.
Finally, we are moving away from memorized secrets altogether. Password managers (which generate and store long, unique, random secrets so the user memorizes nothing), biometric identifiers and out-of-band authenticators are examples of authentication methods that can improve both user satisfaction and security. One caveat: NIST treats a biometric as only one factor, to be used together with a physical authenticator the user possesses, not as a standalone replacement for a password. There is little doubt that one day the use of secret passwords will become a distant memory, should you remember it at all.