[Secure 101] Is It Really Safe to Change Passwords Every 90 Days or Regularly?

Traditional Idea: Users Should Change Passwords Frequently

In the digital world, protecting personal and corporate information security is a crucial aspect of our daily lives. Over the years, corporate security policies have often advised us to change passwords regularly, every 60 to 90 days, to ensure the safety of our online accounts. The assumption behind this policy is that regularly changing passwords limits how long a stolen password can be used against our accounts. However, this practice has some issues in today's security environment.

Problem of Frequently Changing Passwords

Frequent password changes lead users to choose simple, easy-to-remember passwords or to make minor modifications to existing ones, such as adding a number at the end or slightly changing the order of letters. In such cases, even with regular password changes, security is greatly reduced as simple or slightly altered passwords are easier to crack.

Moreover, to remember different passwords, users might write them down, increasing the risk of severe password leakage. Some might prepare 3-4 sets of passwords to rotate, which defeats the purpose of changing passwords.

The Burden on Corporate Organizations

Often, corporate security policies are designed just to comply with legal or audit requirements without considering practical operation. When the password change cycle comes around in large corporations, there can be a huge spike in password change requests, slightly impacting work productivity for that week.

Also, systems that lock accounts after multiple incorrect attempts can lead to a massive influx of help requests to the IT department at the start of the password change cycle, creating additional management issues for the organization.

New Idea 1: Strong Passwords

In recent years, the cybersecurity community has begun to question whether forcing users to regularly change passwords truly benefits information security. In 2017, the National Institute of Standards and Technology (NIST) in the USA advised against mandatory regular password changes. Instead, NIST recommends changing passwords only if they are known to be stolen and suggests using 'strong passwords' instead of frequently changing them.

A 'strong password' is hard to crack, typically consisting of 12 or more characters (some organizations require 16 or more), including uppercase and lowercase letters, numbers, and special symbols. A strong password should avoid any words found in the dictionary, personal information (like birthdays or names), or common password patterns (like 123456 or abcdef). For example, Pc29_hJ/EfuZ*3ao is a 16-character strong password.

By increasing the length and complexity of passwords, the time and resources needed to crack them are significantly increased, thus enhancing account security. Enterprises can consider using Single Sign-On (SSO), where a central employee system manages all employee passwords, so that the password standard is enforced in one place rather than separately in every application.
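As an added example (not code from the original article), the following Python checks a candidate password against the criteria described above (length, character classes, dictionary words, personal information, common sequences), estimates how long an offline brute force would take, and detects the "old password plus a digit" rotation trick described earlier. The word lists, the 10 billion guesses per second rate and the 16-character example password are constructed or assumed values.

```python
import re
import string

# Constructed sample lists; a deployment would load a real wordlist and a breached-password corpus.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abcdef", "letmein", "welcome1"}
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "company"}
SEQUENCES = re.compile(r"(0123|1234|2345|3456|4567|5678|6789|abcd|bcde|cdef|qwer)")

def charset_size(password):
    """Alphabet size implied by the character classes actually used."""
    size = 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += len(string.punctuation) if any(c in string.punctuation for c in password) else 0
    return size

def brute_force_years(password, guesses_per_second=1e10):
    """Expected years to search half the keyspace at an assumed offline guess rate."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second / (365 * 24 * 3600)

def check_password(password, personal_info=(), min_length=12):
    """Return a list of policy violations; an empty list means the password passes."""
    lowered = password.lower()
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if charset_size(password) < 26 + 26 + 10 + len(string.punctuation):
        problems.append("must mix upper, lower, digits and symbols")
    if lowered in COMMON_PASSWORDS or SEQUENCES.search(lowered):
        problems.append("common password or keyboard/number sequence")
    if any(word in lowered for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if any(info and info.lower() in lowered for info in personal_info):
        problems.append("contains personal information")
    return problems

def edit_distance(a, b):
    """Levenshtein distance, used to spot minor edits of the previous password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old, new):
    """True when the new password is the old one with a trailing digit/symbol tweak or a 1-2 character change."""
    strip = lambda s: s.lower().rstrip(string.digits + string.punctuation)
    return strip(old) == strip(new) or edit_distance(old.lower(), new.lower()) <= 2
```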

Password Managers

Another approach within organizations is the introduction of password managers like 1Password, LastPass, or Passpack. These managers make it practical to keep a different strong password for every site and remove the need to write passwords down. While there are concerns about password manager breaches, the general consensus is that the risk of a manager's contents leaking is lower than the risk of reusing the same password across multiple sites, where a breach of one site exposes all of them.

New Idea 2: Two-Factor (2FA) or Multi-Factor Authentication (MFA)

In some cases, two-factor authentication (2FA) can be more effective and address concerns about password manager leaks. 2FA requires two forms of proof to confirm identity, such as a password (knowledge) combined with a mobile phone (possession) or a fingerprint (biometric). Thus, even if a password is stolen, the thief cannot access the account with the password alone.
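As an added example (not code from the original article), this Python shows a login that requires both a password and a time-based one-time code of the kind an authenticator app on a phone produces (RFC 4226 HOTP and RFC 6238 TOTP), so that a stolen password alone is rejected. The user record, the scrypt parameters and the one-window clock-drift tolerance are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 time-based code: HOTP over the current 30-second window."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)

def verify_totp(secret, code, at=None, window=1, step=30):
    """Accept the code for the current window and its neighbours to tolerate clock drift."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))

def enroll(password):
    """Constructed user record: salted scrypt password hash plus a TOTP seed shared with the phone."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "hash": hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1),
            "totp_secret": secrets.token_bytes(20)}

def login(user, password, code, at=None):
    """Both factors must pass; a correct password with a wrong code is still refused."""
    attempt = hashlib.scrypt(password.encode(), salt=user["salt"], n=2 ** 14, r=8, p=1)
    password_ok = hmac.compare_digest(attempt, user["hash"])
    # Check the second factor regardless, so the response does not reveal which factor failed.
    code_ok = verify_totp(user["totp_secret"], code, at)
    return password_ok and code_ok
```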

For more information on 2FA, please see: What are 2FA and MFA, Does my WebSite Need This?

New Idea 3: Passwordless Authentication

Widespread passwordless authentication methods include mobile app scanning, fingerprint or facial recognition, OAuth, or third-party authentication. The authentication methods used in 2FA and MFA, such as biometrics or USB keys, can also serve as primary authentication methods.

The main concept of passwordless authentication is that an entity that has already verified your identity (such as a website, an organization, or your mobile device) vouches for you to another application or website that requires login, confirming your identity without re-entering a username and password.

Common passwordless strategies include scanning a QR code or confirming the login in a mobile app.

Conclusion: Enterprises Should Rethink Password Management Strategies

As cybersecurity concepts evolve, enterprises need to rethink their existing password management strategies. Over-frequent password changes are not a silver bullet for information security. Instead, we should focus on creating strong passwords and applying two-factor authentication when appropriate. Such strategies can ensure our online safety while reducing the burden on users.

UniAuth and LYRASOFT have extensive experience in website backend development and can implement systems such as SSO, OAuth, 2FA, and MFA for enterprises. If your business has related needs, please feel free to contact us.