For as long as corporate IT has been in existence, users have been required to change their passwords periodically. In fact, the need for scheduled password changes may be one of the most long-standing of all IT best practices.
Recently, however, things have started to change. Microsoft has reversed course on the best practices that it has had in place for decades and no longer recommends that organizations require users to change passwords periodically. Organizations are being forced to consider, perhaps for the first time, whether or not requiring periodic password changes is a good idea.
Microsoft password reset recommendations
According to Microsoft, requiring users to change their passwords frequently does more harm than good.
Humans are notoriously resistant to change. When a user is forced to change their password, they will often come up with a new password that is based on their previous password. A user might, for example, append a number to the end of their password and then increment that number each time that a password is required. Similarly, if monthly password changes are required, a user might incorporate the name of a month into the password and then change the month every time a password change is required (for example, MyM@rchP@ssw0rd).
What is even more disturbing is that studies have proven that it is often possible to guess a user's current password if you know their previous password. In one such study, researchers found that they were able to guess 41% of user's current passwords within three seconds if they knew the user's previous password.
While forced password changes can cause problems, not requiring users to change their passwords can also cause problems. As it stands today, it takes an organization, on average, 207 days to identify a breach (Ponemon Institute, 2020). With that in mind, consider how much longer it may take to identify a breach if users are not required to change their passwords.
A cybercriminal who has gained access to a system by way of a stolen password could potentially evade detection indefinitely.
Rather than simply abandoning the practice of requiring periodic password changes, it is better to address the underlying issues that tend to weaken an organization's security.
The biggest issue related to required password changes is that frequent password expirations lead to users choosing weak passwords, or passwords that are in some way related to their previous password. One way to avoid this problem is to reward users for choosing strong passwords.
Some third-party password management tools, for example, Specops Password Policy, are able to base a user's password reset frequency on the length and complexity of their password. Hence, users who choose strong passwords will not have to change those passwords as often as a user who chooses a weaker password.
Additionally, organizations should look for a password management solution that gives them the ability to block users from using passwords that are known to have been compromised. Compromised passwords are passwords that have been hashed and added to rainbow tables or to similar databases, thereby making it extremely easy for an attacker to crack the password regardless of its complexity.
While there are third-party vendors who maintain cloud-based lists of passwords that are known to be compromised, it is important to understand that Microsoft's Global Banned Password List is not a list of leaked passwords and does not fulfill compliance recommendations for a password deny list.
A second issue that is often attributed to password change requirements is that users who are forced to frequently change their passwords are more likely to forget their passwords. This leads to account lockouts and calls to the helpdesk. The best way to avoid this problem (and decrease your helpdesk costs in the process) is to adopt a self-service password reset solution that enables users to reset their own passwords in a secure manner.
Going forward, those organizations who wish to require password changes may have little choice but to adopt a third-party password management solution. Microsoft is removing its password expiration policy settings from Windows, starting with version 1903.
In spite of recommendations to the contrary, there are security advantages to requiring users to change their passwords periodically. The key, however, is to implement such a requirement in a way that does not inadvertently weaken an organization's security. With the password solution from Specops Software, organizations can block over 2 billion breached passwords. The solution can help organizations secure passwords when frequent password expirations are enforced.
