Sikov -


Why it's time to expire mandatory password expiration policies

Password expiration policies that force users to regularly reset passwords are counterproductive. It's time to align those policies with proven approaches to password security.

Organizations that enforce a password expiration policy need to face facts: Password expiration policies are great security theater, but they do more harm than good.

A password is a shared secret used to authenticate a user. In technical terms, this shared secret serves as a "what you know" authentication factor. If you know the account password, the system authenticates you and grants access to the account. For many users, password security is the most visible aspect of cybersecurity they encounter on a regular basis.

How can organizations protect against cybercriminals who guess or otherwise gain access to account passwords? The well-worn solution, as old as multiuser mainframes, is to use a password expiration policy to force user accounts to change their password after a specific number of days, weeks or months.

In the early days of multiuser mainframe computing, a password expiration policy was good enough protection. The policies set password length and password age to reflect how long it would take an attacker to crack system passwords. Then, as now, mandatory password expiration could call for new passwords anywhere from once a year to once every 30, 60 or 90 days. A password with six alphanumeric characters was likely long enough to protect it from brute-force attacks on early mainframes. This was considered sufficient to protect against a cyber attack.

Evolution of password policies

That same six-character password, however, can now be cracked in real time -- or close to it -- with commercial off-the-shelf computer systems and freely available software. As it became easier to break six-character passwords that could be as simple as "123456" or "ABCDEF," experts began adding to an ever-expanding set of tactics for making passwords harder to crack. More accelerated password expiration dates were also adopted, increasing the number of password resets from once a year to four, six or even 12 times a year. Over time, tactics such as the following addressed ways to make passwords harder to guess:

  • Be mindful that longer is stronger. Eight-character passwords are judged to be stronger than six-character passwords because they have more unique combinations of valid password characters.
  • Make it look random with more valid characters. If users select passwords that contain many different types of characters, it makes the task of the password cracker more difficult because many more unique combinations must be cycled through in a brute-force attack. This rule focuses on permitting the use of symbols and punctuation, as well as numbers and uppercase and lowercase letters. More types of characters mean requiring the use of at least one -- or two or more -- of each of the groups of permitted characters. This manifests in password policies such as this: "Passwords should be comprised, at minimum, of a mix of three out of the following: uppercase and lowercases characters, numbers and special characters -- where allowed."
  • Change passwords faster than they can be cracked. This strategy is effective when a password is cracked and exploited undetected. In theory, the attacker would only have use of the password for the password's remaining lifetime but lose access after the password expiration date.
  • Impose further restrictions. These can include limiting the use of patterns, repeating characters, and incrementing or decrementing counters in passwords. These approaches make it more difficult to create predictable passwords, which is a problem for users who need passwords that are easy to remember. Organizations aiming to improve password security with these tactics also must track password history and compare old passwords to new passwords, as well as verify that new passwords comply with the password policy.

Fast forward to today, and only the first of these tactics -- longer is stronger -- still works reliably. The rest have been proven to not do much to improve password security.

Length is strength holds true

In 2017, NIST released guidance on mandatory password policies that reflected the new reality: An exploited password file can now be cracked in hours rather than weeks or months. Changing passwords every 90 days could leave an exposed password usable by an attacker for up to three months. NIST maintained it was far better to require passwords be changed immediately when an exploit has been detected, rather than requiring changes four times a year, even with no detected risk. If a strong password never expires -- and the password is never compromised through theft or attack -- the user never has to change that password.

As for the password itself, longer is better. Complexity is not an issue: A 12-character password consisting only of letters and numbers is stronger than an eight-character password with restrictions on the exact attributes that would make a password easy to remember.

Other previously effective password security tactics -- making passwords more complicated and mandatory 30/60/90-day password changes -- all reduce security, while increasing security theater.

What works for password security

The new consensus on password-changing policies is that they are unnecessary. Even the most rigorous password change policies don't delay determined password crackers. Frequent changes mean users often resort to unsafe practices to remember those passwords, including the following:

  • Writing the password down on a Post-it note left in easy and open view.
  • Using predictable passwords, such as new passwords where some of the characters are reused, with a letter or number that changes in increments with every new password. If an old password, such as [email protected]:002, is cracked from a prior attack, six months later, the hacker can guess that the same user ID will be using the password [email protected]:003 or [email protected]:004.
  • Reusing passwords. If the system owner mandates that none of the last five passwords can be reused, a user can go through the process of changing to a new password six times to be able to reuse the password. Users seeking to simplify their lives are generally more motivated than those tasked with enforcing mandates like this.

To improve password effectiveness, it is better to develop and deploy appropriate password guidelines, while focusing more resources on issues like the following:

  • making sure sensitive systems require stronger passwords;
  • limiting user permissions to reduce the impact of password exploitation; and
  • focusing on cybersecurity efforts to track password vulnerabilities, as well as to detect password exploitation.

Organizations can best improve password protection by strengthening password management workflows and enabling users to change their own passwords through automated password change systems.

Modern guidelines for secure password policies

Passwords are the historically accepted mechanism for user authentication, even though they are increasingly not fit for that purpose. Modern authentication and password management best practices focus on the following:

  • encouraging users to pick long and strong passwords;
  • supporting users in protecting those passwords; and
  • requiring users to reset passwords after the detection of a password attack.

Multifactor authentication (MFA) is also increasingly included in the user authentication process. Since MFA may be seen as a burden by users -- especially those who have been struggling with mandatory password resets -- removing mandatory password resets can take the sting out of MFA deployment.

Next Steps

Top password hygiene tips and best practices

How to create a company password policy, with template

Construct a solid Active Directory password policy

This was last published in October 2022

Dig Deeper on Identity and access management