Password Update Policies
Periodically creating new passwords for work accounts and financial websites is a familiar practice. This was the standard recommendation for many years, but the guidance has changed, and many organizations have failed to keep up with current recommendations that discourage such policies. Use this article to encourage your IT department or financial institution to update its approach to password security. If you need assistance with resetting passwords on a phone or Mac, you can schedule a help session here at MacEdge.
Initial Reasoning
There was merit to the initial rationale behind password update policies. If an attacker stole a password database or decrypted passwords, the stolen passwords would work for only a limited period, which lessens the risk of unauthorized access. Even if an attacker had gained access to an account, they could remain undetected only if they didn’t change the password themselves, and that access wouldn’t last indefinitely.
Security experts eventually realized that the problem was less about how long an attacker could remain undetected and more about users being allowed to set weak passwords that could be decrypted. It turns out that users often choose weaker passwords when they know they will have to change them, frequently by tweaking a previous password so the new one is easier to memorize. This pattern hasn’t been lost on attackers, who use it to predict future passwords. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.
New Understanding
The National Institute of Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government, and large corporations and other institutions tend to follow them. These recommendations argue against password update policies. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily.” In a FAQ, NIST explains:
“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.”
If there is evidence of unauthorized access or a breach of the password database, passwords should be invalidated, and all users should be required to create a new password immediately. That’s entirely different from requiring passwords to be changed on a schedule.
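The transformation problem NIST describes above is something a verifier can check for at password-change time. The following is an added example, not code from this article or from NIST: it normalizes away the common tweaks (case, an appended counter or symbol, leet substitutions, reversal) and rejects a change whose new secret is still derivable from the old one. The substitution table, similarity threshold and sample pairs are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Substitutions users commonly apply when "changing" a password. This table is
# constructed for the example; a real deployment would derive it from breach-corpus analysis.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "7": "t"})


def base_form(password: str) -> str:
    """Strip the transformations NIST describes so variants compare as one secret.

    Lower-cases, removes prepended/appended digits and symbols (the incremented
    counter, the trailing '!'), then undoes common leet substitutions in what remains.
    """
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(_LEET)


def is_trivial_change(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is derivable from `old` by a common transformation."""
    a, b = base_form(old), base_form(new)
    if not b or a == b or a == b[::-1]:
        return True
    if a in b or b in a:  # only material was appended or prepended
        return True
    # Catch small in-place edits (one or two characters changed). The 0.8
    # threshold is a constructed tuning value, not a NIST figure.
    return SequenceMatcher(None, a, b).ratio() >= threshold


def review_change(old: str, new: str) -> str:
    """Decision a verifier would return on a password change request."""
    if is_trivial_change(old, new):
        return "reject: new secret is a predictable transformation of the old one"
    return "accept"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    pairs = [
        ("Winter2023!", "Winter2024!!"),
        ("Password1", "P@ssw0rd1"),
        ("Summer2019", "9102remmuS"),
        ("Spring2020", "Sprung2020"),
        ("gouda-purple-1989-New-York", "cheddar-black-2011-Des-Moines"),
    ]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: {review_change(old, new)}")
```

String similarity does not catch dictionary-level rotations such as swapping one season or month name for another, so a check like this belongs alongside a blocklist of compromised and commonly used passwords rather than in place of one.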
Other Findings
NIST does not recommend password composition requirements—such as requiring the password to contain a letter, number, and special character. This is because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Use password managers to create both types.
If you are forced to change a password, generate a new strong password with a password manager; this eliminates the need to memorize it. If you must remember the password and type it manually, aim for a longer one built from words that won’t trip up your fingers or require repeatedly switching between the iPhone’s uppercase and numeric keyboards. Choose the words from categories with many possibilities. If your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both passwords are strong in their own right, but only you know the categories used for each portion.