It's time to stop asking users for periodic password changes

Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons

Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation.

Microsoft is the latest enterprise to get on board with this idea, calling the concept of monthly/bimonthly/quarterly password changes "ancient and obsolete".

To this day, password management remains the least-loved aspect of my job as a SysAdmin. In a world of password managers two-factor authentication, and complex "suggested passwords" by browsers, asking users to change passwords frequently is the one task that virtually guarantees a support request. Why? The password is used on multiple devices, or the forced change came at a time where the user had to write it down, or other inconvenience that, in practice, seems only to complicate the security process, rather than actually improve it in any meaningful way.

The same researchers have warned that mandating password changes every 30, 60, or 90 days—or any other period—can be harmful for a host of reasons. Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.

Besides, as Cory has mentioned, two-factor authentication and security keys are quickly showing us how much of a "game-changer" these tools can really be, offering real defence against both past and present security attacks. Nevertheless, this practice remains common in many IT departments. It's time to let it go.

Microsoft says mandatory password changing is “ancient and obsolete” [Ars Technica]