For years, changing passwords on a schedule has been treated as basic password hygiene, the thing you do to avoid being hacked. Researchers are now finding that the practice may not be a good idea after all.
Homing in on Microsoft's recent removal of the password-expiration policy from its security baselines for customers and auditors, Ars Technica reports that more and more organizations are moving away from the traditional "change your password every 30, 60, or 90 days" thinking. Microsoft's Aaron Margosis went as far as calling the policy an "ancient and obsolete mitigation of very low value."
Companies like Microsoft are dropping these policies because they push employees toward weaker passwords: the more often people are forced to change a password, the more likely they are to pick something easy to remember, and therefore easy to guess, such as a small variation on the old one. Such passwords are also easy to crack offline once a copy of the password database leaks. "Combined with super-fast graphics cards, the hackers can make huge numbers of guesses in off-line attacks, which occur when they steal the cryptographically scrambled hashes that represent the plaintext user passwords," Ars Technica says. This is the case even if end users substitute numbers for letters, like
Scheduled changes also fail to protect the account at the moment it matters: a password stolen today stays valid until the next scheduled rotation. "Passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy," Ars Technica says.
Potentially better solutions:
While companies are gradually dropping forced password changes, accounts still need protecting, and Margosis recommends two controls in their place. The first is a banned password list, which rejects a new password at the moment the user sets it if it appears on a list of common or previously breached passwords. The second is multifactor authentication, which requires a second proof of identity beyond the password, such as a one-time code from an authenticator app or a hardware security key. Answering "secret questions" does not count as a second factor: it is just another thing the user knows, and often something an attacker can look up.
Additionally, passwords themselves aren't going anywhere, so users still need to choose them well. Ars Technica says that researchers have long recommended passwords that are "at least 11 characters long, randomly generated, and made up of upper and lower case letters, symbols…and numbers." Such passwords are harder to remember, which is why a password manager is usually used to generate and store them, but they are far harder for attackers to crack.
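To make the controls above concrete, here is an added example (not code from the Ars Technica article, from Microsoft, or from Margosis) that implements a banned-password check with the normalization such lists typically use, enforces the 11-character, mixed-character recommendation, generates a password that satisfies it, and, to illustrate the earlier point about forced rotation, shows how an attacker holding a leaked hash and a user's previous password can guess the "rotated" successor offline. The normalization rules, the tiny banned list, the unsalted SHA-256 stand-in for a leaked hash, and the sample passwords are all constructed for this demo and are not any vendor's actual algorithm or data.

```python
import hashlib
import re
import secrets
import string

MIN_LENGTH = 11  # the minimum length Ars Technica cites

# Constructed sample banned list. A real deployment uses thousands of common
# and breached passwords; these few base words are only for illustration.
BANNED_BASE_WORDS = {"password", "summer", "winter", "welcome", "letmein", "qwerty"}

# Assumed leet-speak reversal table, so "P@ssw0rd" normalizes to "password".
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                        "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is built on.

    The normalization (case-fold, drop leading/trailing digits and symbols,
    undo common letter substitutions) is an assumption modeled on how banned-
    password lists are commonly matched; it is not any vendor's algorithm.
    """
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)  # "summer2019!" -> "summer"
    return base.translate(UNLEET)                   # "summ3r" -> "summer"


def check_password(password: str, banned=BANNED_BASE_WORDS) -> list:
    """Return the reasons a proposed password is rejected (empty list = accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if not all(any(c in cls for c in password) for cls in classes):
        reasons.append("does not mix upper, lower, digits and symbols")
    base = normalize(password)
    if base in banned:
        reasons.append(f"built on banned word {base!r}")
    return reasons


def generate_password(length: int = 16) -> str:
    """Generate a random password (CSPRNG) that satisfies check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def digest(password: str) -> str:
    """Unsalted SHA-256 as a stand-in for a leaked password hash (constructed for
    the demo; real stores should use a slow, salted hash, but a predictable
    password falls to the attack below either way)."""
    return hashlib.sha256(password.encode()).hexdigest()


def rotation_guesses(old: str):
    """Yield the successors a user is most likely to pick at a forced change:
    bump the trailing number, or tack one more character onto the old password."""
    m = re.fullmatch(r"(.*?)(\d+)(\D*)", old)
    if m:
        stem, num, tail = m.groups()
        for step in range(1, 4):
            yield f"{stem}{int(num) + step:0{len(num)}d}{tail}"
    for suffix in "!1?2":
        yield old + suffix


def crack_by_rotation(leaked_hash: str, old_password: str):
    """Offline attack: return the rotation guess whose hash matches, else None."""
    for guess in rotation_guesses(old_password):
        if digest(guess) == leaked_hash:
            return guess
    return None


if __name__ == "__main__":
    for pw in ("Summer2019!", "P@ssw0rd123", "Winter2021!!", "Welcome1"):
        print(f"{pw:15} -> {check_password(pw) or 'accepted'}")
    strong = generate_password()
    print(f"{strong:15} -> {check_password(strong) or 'accepted'}")
    # Attacker holds the hash of the rotated password plus the old one from an earlier leak.
    print("rotation guess:", crack_by_rotation(digest("Summer2020!"), "Summer2019!"))
```

The banned-list check is the part that does the real work: every rotation of "Summer2019!" a user is likely to type normalizes to the same banned base word, so the policy rejects the whole family at set-time rather than waiting 90 days for the next one. The generated password, by contrast, has no base word to normalize to, which is exactly why random generation (and a manager to hold the result) is the recommended replacement.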
Finally, large companies like Microsoft are adopting more deliberate password policies, which also gives them something to point to when pushing back against auditors, who "often find companies out of compliance unless they have enacted password changes within a set amount of time." Their baselines can serve as examples for smaller companies of what to do, or not do, as they revise their own password policies.