Password Policy Revisited – Should Passwords Expire?

Password Policy Revisited – Should Passwords Expire?

For years, the conventional wisdom in computer security has been to force users to change passwords every few months. The thought was that if a password were compromised, then an attacker would only have access to that password for a limited amount of time. In fact, our own article on password policy from a year ago recommended this approach.

Since then, though, several notable authorities have come out against password expiration. NIST Special Publication 800-63B on Digital Identity Guidelines was the first to do so, back in 2016. But just in the last month or two, Microsoft has updated their security guidance to recommend against password expiration. A draft Security Baseline for Windows 10 1903 and Windows Server 1903 embraces these changes, as does the Office 365 Password Policy Recommendations page.

So, the question is: Is removing password expiration right for your organization? And what additional steps should be taken to ensure password security?

Why You Should Get Rid of Password Expirations

The idea of password expiration is based on a few assumptions that are either flawed or no longer valid. The first has to do with password guessing. Years ago, it might take a computer several months to crack an eight-character password. So password expiration was thought of as a way to mitigate that threat. Nowadays, it might only take a few minutes, or less if it’s a commonly-used password.

Second, if an attacker has a password, it’s likely that he’ll be able to use that password to gain other ways to access the system. Even if the compromised credentials are his only way in, there is still plenty he can do with just a few hours of access. So clearly, it’s much more important to keep attackers from compromising authentication in the first place.

Third, password expiration reinforces bad user behavior. Many users simply increment a number in their password, or use a common formula to generate their password. If an attacker can figure that out (which they will), then it doesn’t make a difference how often the password is changed.

Better Ways to Improve Security

The NIST and Microsoft recommendations mentioned above don’t just say “forget password expirations”. Rather, they recommend other ways to mitigate the risks involved with password authentication.

First, you should consider making two-factor authentication mandatory. 2FA adds an extra layer of security by requiring that the user enter a code from a trusted device in order to log in. Even if an attacker gets ahold of a password, it is unlikely that they will also have access to the “second factor”, making a breach less likely.

Second, users should be educated on how to create secure, memorable passwords. Also, users should be reminded not to use the same password that they use for other online services -- their work password needs to be something completely different than the others that they use.

Third, passwords should be checked against a database of commonly used or easily guessable passwords. This will go a long way toward cutting down on insecure passwords, and will let you know which users need more training on the above points.

Next week, we will cover one way to sniff out insecure passwords in your Active Directory. Stay tuned!


E-N Computers is an IT services provider helping businesses in Maryland, Virginia and Washington D.C. keep their networks secure. Contact us today to find out how we can help protect your company from the latest threats.