
Password Update Policies

Often you have to create a new password for organizations and financial websites periodically. This practice has been recommended by many people for many years, but things have changed. Organizations haven’t kept up with current recommendations that discourage such policies. You might use this article to encourage your IT department or financial institution to update its approach to password security. If you need assistance with resetting passwords on a phone or Mac, you can schedule a help session here at MacEdge.

Initial Reasoning

The initial rationale behind password update policies has merit. If an attacker stole a password database or decrypted passwords, those passwords would work for only a limited period, which lessens the risk of unauthorized access. Even if an attacker had gained access to an account, they could remain undetected only if they didn’t change the password, and that access wouldn’t last indefinitely.

Security experts realized that the problem wasn’t so much how long an attacker could remain undetected but that users were allowed to set weak passwords that could be decrypted. It turns out that users often choose weaker passwords when they know they will have to change them, frequently by tweaking a previous password so it is easier to memorize. This fact hasn’t been lost on attackers, who can use it to figure out future passwords more easily. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

New Understanding

The National Institute of Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government, which large corporations and other institutions tend to follow. These recommendations speak against password update policies. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily.” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.

If there is evidence of unauthorized access or a breach of the password database, passwords should be invalidated. At that point all users should be required to create a new password immediately. That’s entirely different from requiring passwords to be changed on a schedule.

Other Findings

NIST does not recommend password composition requirements—such as requiring the password to contain a letter, number, and special character. This is because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Use password managers to create both types.

Use a password manager to generate and enter a new strong password if you are forced to change a password. This eliminates the need to memorize the new password. Aim for longer passwords if you must remember and type them manually. Use passwords that won’t trip up your fingers while typing or require constant switching between the iPhone’s uppercase and numeric keyboards. Choose words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both passwords are strong in their own right, but only you know the categories used for each portion.
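As an added example that is not part of the original article, here is the kind of check a verifier can run at reset time to refuse the “common transformations” NIST describes above (incrementing a trailing number, appending punctuation, changing case, swapping letters for look-alike digits) while accepting a genuinely new password such as the gouda-to-cheddar change. The stripping rules, the look-alike table and the 0.8 similarity threshold are assumptions of this example, not NIST’s or any product’s rules.

```python
import re
from difflib import SequenceMatcher

# Reverse the look-alike substitutions users commonly apply (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# Digits and punctuation users bolt onto either end of a reused core.
EDGE = r"[\d!@#$%^&*.\-_]+"


def stem(password: str) -> str:
    """Strip the decorations users change between resets, leaving the reused core."""
    core = re.sub(EDGE + r"$", "", password.strip())   # drop trailing "2024!", "1", "!!"
    core = re.sub(r"^" + EDGE, "", core)               # drop leading "1", "!"
    return core.lower().translate(LEET)                # fold case, undo look-alikes


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a predictable transformation of `old` and should be refused."""
    if old == new:
        return True
    old_stem, new_stem = stem(old), stem(new)
    if old_stem and old_stem == new_stem:              # same core, new suffix/prefix/case
        return True
    # Catch-all for other small edits: high character-level similarity.
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


def check_reset(old: str, new: str) -> str:
    """Decision a reset endpoint could return: 'ok' or a rejection reason."""
    if is_trivial_variant(old, new):
        return "rejected: new password is a predictable variant of the old one"
    return "ok"


if __name__ == "__main__":
    # Constructed sample resets: two predictable tweaks and one real change.
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Password1", "Passw0rd2"),
                     ("gouda-purple-1989-New-York", "cheddar-black-2011-Des-Moines")]:
        print(f"{old!r} -> {new!r}: {check_reset(old, new)}")
```

Because the old password is only available in plaintext during the reset request (the stored value is a hash), a check like this has to run at that moment; it cannot be applied retroactively to stored hashes.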