Memo: Stop periodic password changes

Requiring users to change passwords periodically may encourage them to create less secure passwords. It may have worked 20 years ago, but it doesn’t work anymore. Stop it. Just stop it.

According to cybersecurity firm SecureState, password complexity policies combined with password aging policies consistently lead, on large systems, to a predictable percentage of passwords chosen by users to serve as seasonal mnemonics, e.g., Spring2017 or January18!.

Periodic password changes mitigate only a small number of risks. Those risks can be more effectively mitigated by other controls, including two-factor authentication.

Check out Aligned Risk Management’s Secure Passphrase Generator.

Cybersecurity research indicates that password aging policies provide only minimal security benefit because users will predictably create new passwords that can be easily guessed by an attacker who knows the old password.

“We believe our study casts doubt on the utility of forced password expiration. Even our relatively modest study suggests that at least 41% of passwords can be broken offline from previous passwords for the same accounts in a matter of seconds, and five online password guesses in expectation suffices to break 17% of accounts.”

Yinqian Zhang, Fabian Monrose, and Michael K. Reiter. The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis.

A number of security experts have begun expressing skepticism about the utility of mandatory password changes, including Lorrie Cranor, Chief Technologist at the Federal Trade Commission, and Bruce Schneier, board member of the Electronic Frontier Foundation.

“But my favorite question about passwords is: ‘How often should people change their passwords?’ My answer usually surprises the audience: ‘Not as often as you might think.’ […] [U]sers who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.”

Lorrie Cranor. Time to Rethink Mandatory Password Changes.

“The downside of changing passwords is that it makes them harder to remember. And if you force people to change their passwords regularly, they’re more likely to choose easy-toremember – and easy-to-guess – passwords than they are if they can use the same passwords for many years. So any password-changing policy needs to be chosen with that consideration in mind.”

Bruce Schneier. Changing Passwords.

Latest NIST standards no longer recommend periodic password changes.

“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

National Institute of Standards and Technology. NIST Special Publication 800-63-3: Digital Identity Guidelines.