The general rule of thumb in security is to have users reset their passwords every 60 or 90 days. If you're a user who logs into a network every day, you're probably familiar with the notification that you must change your password. If you're an IT administrator, you are probably faced with determining the right time interval to satisfy security standards without interrupting user productivity. A recent study (Download Study) shows that frequent password changes can actually harm security rather than help it.
Why Force Password Changes?
Before you understand why frequent password changes are harmful, first you should understand the foundation for making it a security standard.
You might think that forcing password complexity is enough, but phishing attacks have been a growing concern for security experts. Hackers have found that sending targeted emails to key personnel can give them full access to the network. In some cases, the hacker can actually gain administrator permissions on the network.
Even the most complex password won't defend against a phishing email should the user fall for the attack. However, forcing frequent password changes will limit the amount of time the hacker can log into the network. Once the password is changed, the hacker can no longer access resources. It stops unlimited access to the network, which is a critical security flaw. It also stops hackers from selling the password on the dark web and giving network access to any buyer including competitors.
Frequent password changes essentially lock out attackers who have only a maximum of 60-90 days to collect and steal data. This seems like a long time, but it does cut down on increased damage from unlimited access.
So Why are Frequent Password Changes Bad for Security?
When users are forced to change their passwords frequently, they tend to use the same one with one or two characters changed. For instance, a user with the password "h0la111#" will likely change the password to something similar such as "H0la111#" or "hoLa111#". When they are forced to change the password, they again use the same pattern. This pattern can be detected and emulated using computer algorithms.
For instance, suppose your user falls for a phishing email or the password hash is stolen from an external database. Password crackers are used to recover the plaintext, and if the attacker obtains several of the user's past passwords, algorithms can be used to infer the pattern behind them. Artificial intelligence has strengthened in the last few years, so algorithms are getting much better at determining patterns in user behavior, and the "change one or two characters" habit above is one example of such a pattern.
With a pattern determined, an attacker can then attempt to log in using possible password variations.
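The practical defence against this is to reject a new password that is only a trivial variation of an old one at change time. The following is an added example written for this page, not code from the article or the study it cites; the normalisation rules (case folding, a small leetspeak map, stripping the trailing digit/symbol run that users typically increment) and the edit-distance threshold are assumptions chosen for illustration.

```python
import re

# Assumed substitution map: characters users commonly swap to "change" a password.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to the core a user is likely to keep between changes."""
    core = pw.lower()
    # Drop the trailing run of digits/symbols (the part most often bumped: 111# -> 112#).
    core = re.sub(r"[\d\W_]+$", "", core)
    # Undo leetspeak so h0la and hola compare equal.
    core = core.translate(LEET)
    # If the whole password was digits/symbols, fall back to the lowercased original.
    return core or pw.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches small changes the normaliser does not model."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the kind of near-copy of `old` the article describes."""
    if old == new or normalize(old) == normalize(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def check_new_password(history: list[str], candidate: str) -> tuple[bool, str]:
    """Validate a candidate against prior passwords (constructed history for demo)."""
    for old in history:
        if is_trivial_variant(old, candidate):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    print(check_new_password(["h0la111#", "Winter2024!"], "H0la111#"))
    print(check_new_password(["h0la111#", "Winter2024!"], "tr0ub4dor&3"))
```

In a real deployment the history would hold password hashes, so this comparison has to run at change time while the user's old plaintext is still available in the change request, and only against what the policy retains.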
What's the Solution?
You can't stop employees from using a pattern, but you can educate them on the dangers of phishing and exposing passwords to outsiders. You can extend the interval at which users have to change their passwords, but this is generally considered bad for security.
A good compromise is to lengthen the interval after which users must change their passwords. Instead of 30 or 60 days, extend it to 90 or 120. Educate users to create unique passwords without a pattern, and provide them with documentation and training on the red flags of phishing and social engineering.