Best Practices for Creating Strong Passwords

Cybersecurity
Education
Awareness

Why forcing frequent password resets is not a good practice and the risks that come with this activity

You’ve probably been told that changing your password every 90 days is best practice, right? What if I told you the data doesn’t support this? Well, it doesn’t, and here’s why.

Let’s Dive In

Passwords are the primary means of authentication on the internet, allowing us to access our online accounts and protect our sensitive information. Passwords need to be strong and unique to keep our data safe from potential attackers. Many companies implement password change policies that require users to update their passwords at set time intervals. However, recent studies have shown that these policies can make accounts less secure and even introduce risk. In this blog, we will discuss why having a set time interval for password changes may not be the best security practice.

Firstly, requiring users to change their passwords at set intervals can lead to weaker passwords. Users may feel the need to create passwords that are easy to remember and quick to type, rather than strong, unique passwords that are harder to crack. Frequent changes cause password fatigue: users become less motivated to create unique, strong passwords when they are forced to replace them again and again. Passwords that are easy to remember and quick to type are often predictable (the same base word with a changed number or symbol), making them easier for attackers to guess or crack.
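As an added example (not code from the original post), here is a password-change check that targets the predictable-variant problem described above instead of the calendar: it enforces a minimum length and rejects a new password that is only a trivial tweak of the previous one. The character-substitution table, the 12-character minimum and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 12  # assumed policy minimum; adjust to your own baseline

# Assumed table of common "leet" substitutions so that 'P@ssw0rd'
# and 'password' compare as the same core word.
_SUBSTITUTIONS = str.maketrans(
    {"@": "a", "0": "o", "1": "i", "!": "i", "$": "s", "3": "e", "4": "a", "5": "s"}
)


def strip_counter(pw: str) -> str:
    """Remove a trailing run of digits/punctuation such as '2024!' or '07'.

    Rotation fatigue typically shows up as exactly this kind of suffix change.
    """
    return re.sub(r"[\d!?.#]+$", "", pw)


def normalize(pw: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return pw.lower().translate(_SUBSTITUTIONS)


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a predictable tweak of `old`.

    Both passwords have their counter suffix stripped and are normalized;
    they are considered trivially related if the cores are identical or
    their similarity ratio meets the (assumed) threshold.
    """
    if not old:
        return False  # first password ever set: nothing to compare against
    a, b = normalize(strip_counter(old)), normalize(strip_counter(new))
    if a == b:
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def evaluate_change(old: str, new: str) -> list[str]:
    """Return policy violations for a proposed change; an empty list means OK.

    Length and derivation checks replace a time-based expiry rule.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_trivial_rotation(old, new):
        problems.append("predictable variant of the previous password")
    return problems
```

In a real deployment the previous password would be compared via a stored hash or a short history of hashes, so the plaintext `old` value is only available at the moment the user supplies both passwords during the change.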

Secondly, frequent password changes make it harder for users to remember their passwords, leading to more password resets and potential security issues. Users who must change their passwords often may forget the current one or accidentally enter an old one, producing multiple failed login attempts. This drives password reset requests, which create more work for IT teams and can open security holes if the reset process is not managed correctly.

Thirdly, having a set time interval for password changes can give a false sense of security. Attackers can still gain access to user accounts even if passwords are changed frequently, especially if the password is weak or the user falls victim to a phishing attack. In fact, attackers may even use the knowledge of frequent password changes to their advantage by waiting for the user to change their password and then immediately attempting to crack it while it is still fresh in the user’s mind.

What Have We Learned?

In conclusion, having a set time interval for password changes may not be the best security practice, as it can lead to weaker passwords, more password resets and, ultimately, a false sense of security. Instead of forcing users to change their passwords frequently, companies should encourage users to create strong, unique passwords, add security measures such as 2FA or multi-factor authentication where appropriate, and monitor user accounts for suspicious activity. By implementing these practices, companies can greatly enhance the security of their online accounts and protect their sensitive information from potential attackers.

Microsoft Resource: https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903

Federal Trade Commission Resource: https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes