Changing your passwords frequently sounds like common-sense advice, and it has served as conventional wisdom in computer security for a long time. However, just because something is common doesn’t mean it makes sense.
In fact, many experts believe forced, arbitrary password expiration actually does more harm than good. And with the recent news that Microsoft will end password expiration in its baseline settings for Windows 10 and Windows Server, the chorus to end this longstanding security practice is getting louder.
“Periodic password expiration is an ancient and obsolete mitigation of very low value,” Microsoft wrote in a blog post announcing the change. “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.”
Microsoft’s change follows a rather dramatic — but easily missed — special publication on password best practices from the National Institute of Standards and Technology (NIST) in 2017 (SP 800-63B, the Digital Identity Guidelines). It made the same recommendation: “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)” unless there is evidence of compromise of the authenticator or a subscriber requests a change.
Turns out, passwords don’t spoil the way meat or bread does; they don’t need a “sell by” date.
Password Expiration Doesn’t Always Lead to Password Security
On the surface, forced password expiration seems to make sense as a security standard. After all, credential databases are breached all the time. With gigantic lists of compromised credentials floating around the internet, it can seem logical to force users to change their login information regularly in an attempt to stay one step ahead of threat actors armed with cracking lists.
But more than a decade ago, researchers began to openly question this idea. Gene Spafford at Purdue University called it “infosec folk wisdom” way back in 2006.
The case against password expiration goes like this: If an admin has reason to believe that an employee is using a password that is compromised, changing that password every 90 days isn’t nearly good enough — that password needs to be changed immediately. But if there is no known threat associated with the credential, then why fix what isn’t broken?
The argument that rotation actively hurts is even more persuasive. In theory, frequently changed passwords that are hard to crack are very safe. In practice, users who are forced to endure this ritual simply come up with shortcuts that make life easier for them, as they always do. Their passwords follow patterns such as “HardToGuessPassword1,” then “HardToGuessPassword2,” “HardToGuessPassword3” and so on.
In short, passwords become easier to guess as time goes on: anyone who learns one password in the series can predict the next. This cringe-worthy, but common, user habit is known as applying transformations to an existing password.
Dan Clements is a security expert who spent years building a database of compromised credentials from big hacks that eventually swelled to more than 1 billion records. He said he saw this all the time when he browsed his data.
“People just added numbers to the end. When they were forced to use an uppercase letter, you saw people capitalize the first letter,” Clements said. “When they had to add a symbol, they used an exclamation point as the last character. They’d extend it out three or four more digits to fit a 14-character requirement. You always saw passwords that were just tweaked. It went on forever.”
Time’s Almost Up for Password Expiration Policies
It seems like research criticizing expiration policies has gone on forever too. Back in 2010, a group of researchers at the University of North Carolina examined a large data set of password histories and found that knowing a user’s old password made it trivial to break into their account. For nearly 1 in 5 accounts they studied, starting from an old password, they could guess the user’s current password within five online guesses, which is fewer than most lockout thresholds allow.
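To make the transformation problem concrete, here is an added example (not code from the article or from the UNC study) of the attacker’s side of it: given a user’s old password, generate the predictable variants described above (rolling a trailing counter, capitalizing the first letter, appending “!”, padding with digits) and test them against the hash of the new password, counting guesses the way an online lockout would. The step functions, their order and the sample rotations are constructed for illustration; SHA-256 stands in for whatever slow hash the real verifier uses, since the point is the number of guesses, not hash cost.

```python
"""Transform-based guessing: recovering a rotated password from its predecessor."""
import hashlib
import itertools
import re


def bump_digits(pw: str) -> str:
    """'Password7' -> 'Password8', keeping any trailing symbols; adds '1' if no digits."""
    m = re.match(r"^(.*?)(\d+)(\W*)$", pw)
    if not m:
        return pw + "1"
    prefix, num, suffix = m.groups()
    return prefix + str(int(num) + 1).zfill(len(num)) + suffix


def capitalize_first(pw: str) -> str:
    """Satisfy an uppercase rule the lazy way."""
    return pw[:1].upper() + pw[1:]


def append_bang(pw: str) -> str:
    """Satisfy a symbol rule with the usual '!' as the last character."""
    return pw if pw.endswith("!") else pw + "!"


def pad_digits(pw: str) -> str:
    """Stretch toward a length minimum with a few more digits."""
    return pw + "123"


# Hypothetical transform families, chosen to match the habits quoted in the text.
STEPS = [bump_digits, capitalize_first, append_bang, pad_digits]


def transform_candidates(old: str) -> list[str]:
    """Single transforms first, then every two-step composition; deduplicated, old excluded."""
    seen, out = {old}, []
    chains = [(s,) for s in STEPS] + list(itertools.permutations(STEPS, 2))
    for chain in chains:
        cand = old
        for step in chain:
            cand = step(cand)
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def store(pw: str) -> str:
    """Constructed verifier store: SHA-256 stands in for bcrypt/argon2 (guess count is the point)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def guess_new_password(old: str, stored_hash: str, limit: int = 5):
    """Return (guess, tries) if a transform of `old` matches within `limit`
    attempts (an online lockout threshold), otherwise None."""
    for i, cand in enumerate(transform_candidates(old), start=1):
        if i > limit:
            return None
        if store(cand) == stored_hash:
            return cand, i
    return None


if __name__ == "__main__":
    # Constructed sample rotations, not records from any breach.
    for old, new in [("HardToGuessPassword1", "HardToGuessPassword2"),
                     ("summer2018", "Summer2018!"),
                     ("summer2018", "fresh-unrelated-passphrase")]:
        print(f"{old!r} -> {guess_new_password(old, store(new), limit=10)}")
```

The first rotation falls on the very first guess, the second on the eighth (two stacked transforms), and the third, an unrelated passphrase, is never found: rotation only buys security when the new secret is independent of the old one.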
Password expiration may be a well-intentioned policy, but its usefulness has long since expired. When NIST published its password standards in 2017, the organization noted the importance of balancing usability and security in setting password standards. After all, most users are just trying to find a way to get their work done.
“Evaluating the usability of authentication is critical,” NIST wrote.
Microsoft’s announcement was met with approval by many analysts. Avivah Litan, vice president and distinguished analyst at Gartner, said it was a “most welcome step.” However, old habits die hard. She said many corporations continue to ignore this new advice.
“I don’t see enterprises making any shift at all away from passwords, nor counterproductive password management policies that include imposing frequent password changes and password complexity on their users,” Litan said.
It might be easier to let go of this bad habit by implementing the good habits that NIST and other institutions recommend in its place:
- Banned password lists, with special attention to known compromised passwords;
- Restrictions on sequential and repetitive characters, and on context-specific passwords;
- The ability to use special characters, but no requirement to use them;
- Multifactor authentication (MFA); and
- Detection of credential-stuffing attempts.
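The first three items on that list translate directly into a verifier-side check. The following is an added example of what a NIST-style password acceptance function looks like (it is not code from NIST, Microsoft or the article): it screens against a banned/breached list, rejects repetitive and sequential runs and context-specific terms, enforces only a length range, and deliberately imposes no character-class requirement. The banned list, context words and username are constructed stand-ins; a real deployment would load a full breach corpus and its own organisation-specific terms. The trailing-digit/symbol normalisation before the list lookup is an assumption added here so that “Password1!” is still caught by the banned word “password”.

```python
"""NIST SP 800-63B-style password screening, without expiration or complexity rules."""
import re

# Constructed stand-ins for a real breached-password corpus and organisation terms.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "summer2018"}
CONTEXT_WORDS = {"acme", "acmecorp", "payroll"}   # hypothetical service names

MIN_LEN, MAX_LEN = 8, 64   # at least 8, allow at least 64, never truncate


def normalise(pw: str) -> str:
    """Lower-case and strip trailing digits/symbols so 'Password1!' still matches 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.casefold())


def has_repeat(pw: str, n: int = 4) -> bool:
    """True for a run of n identical characters, e.g. 'aaaa' or '1111'."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequence(pw: str, n: int = 4) -> bool:
    """True for n consecutive code points stepping by +1 or -1, e.g. 'abcd' or '4321'."""
    for i in range(len(pw) - n + 1):
        w = pw[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, username: str) -> list[str]:
    """Return the reasons to reject `pw`; an empty list means accept.
    Note what is absent: no uppercase/digit/symbol requirement and no expiry."""
    reasons = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        reasons.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if pw.casefold() in BANNED or normalise(pw) in BANNED:
        reasons.append("appears in banned/breached password list")
    if has_repeat(pw):
        reasons.append("contains a run of repeated characters")
    if has_sequence(pw):
        reasons.append("contains a sequential run such as 'abcd' or '1234'")
    low = pw.casefold()
    for word in CONTEXT_WORDS | {username.casefold()}:
        if word and word in low:
            reasons.append(f"contains context-specific term '{word}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample submissions for a hypothetical user 'jsmith'.
    for pw in ["correct horse battery staple", "Password1!", "jsmith1234",
               "AcmePayroll2024!", "aaaa", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw, 'jsmith') or 'accepted'}")
```

Special characters and spaces pass through untouched (the passphrase is accepted as-is), while the variants users reach for under complexity rules are rejected for what they actually are: list entries and predictable patterns.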
Users Have to Request a Change
Change is hard. Microsoft noted in its announcement that many IT managers cling to password expiration because their auditors demand it, since aggressive expiration helps check a box in audit reports. Ultimately, Litan thinks most corporations won’t make the switch until users demand it, once they have come to enjoy freedom from password expiration as consumers at home.
“I don’t expect to see much change in the enterprise space until [this] starts to take hold in the consumer market,” she said.