Unlocking the Truth About Password Changes: Why It's Long Overdue to Reconsider Mandatory Resets for Your Users (2024)

For decades, it was common practice for organizations to require employees to change their passwords on a regular basis, typically every 60 or 90 days. However, the National Institute of Standards and Technology (NIST) revised its guidelines several years back and no longer recommends periodic password changes as an effective security measure.

NIST is a non-regulatory agency of the United States Department of Commerce that develops and promotes standards and guidelines to improve information security. In 2017, NIST released its password management guidelines, including several changes from previous recommendations. One of the most notable changes was eliminating the requirement for periodic password changes.

This may be old news to many of you, especially among cybersecurity professionals. Yet many organizations, perhaps unknowingly, persist with this practice.

The rationale behind this change is based on several factors. First, NIST recognizes that requiring users to change their passwords frequently can lead to password fatigue, resulting in users creating weak or easily guessable passwords. Users may resort to using simple patterns or predictable variations on their previous passwords - making them easier for attackers to crack - if forced to create a new password every 60 to 90 days.

Furthermore, the cost and inconvenience of frequent password changes can be significant. Whenever a user is required to change their password, they must remember a new password and update it across all the systems and applications they use. This can lead to frustration and decreased productivity, especially if the user must remember multiple passwords.

Another issue with frequent password changes is that they do not necessarily improve security. If a user's password has already been compromised, forcing them to change it regularly will not prevent an attacker from continuing to use that password. Instead, it can give the user a false sense of security, leading them to believe that their accounts are more secure than they are.

NIST recommends that organizations only require password changes in situations where there is evidence of a compromise or if there is suspicion that a password has been stolen or leaked. In these cases, a password reset can be an effective security measure. However, NIST advises that password resets should be accompanied by other security measures, such as two-factor authentication or an account lockout policy, to ensure that the user's account remains secure.

Instead of requiring frequent password changes, NIST recommends using long, complex, and unique passwords. Passwords should be at least eight characters long, preferably longer, and should include upper and lowercase letters, numbers, and special characters. Users should be encouraged to create passwords that are easy to remember but difficult for others to guess.

Another key recommendation from NIST is the use of password managers. These tools can help users create and manage strong, unique passwords for all their accounts. A password manager can also help users avoid password reuse, a common security risk. By using a different password for each account, users can reduce the impact of a data breach or password leak.

In addition to these recommendations, NIST advises organizations to implement other security measures to protect user accounts, such as multi-factor authentication and account lockout policies. Multi-factor authentication requires users to provide additional proof of identity, such as a fingerprint or an SMS passcode, in addition to their password. Account lockout policies can prevent attackers from brute-forcing their way into an account by locking it after several failed login attempts.
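The policy the last few paragraphs describe can be written down as code: resets are triggered by evidence of compromise rather than by password age, new passwords must meet the minimum length and must not be on a known-leaked list, and repeated failures lock the account. The following is an added illustration, not code from the article or from NIST; the lockout threshold, lockout duration and the leaked-password set are constructed values, and the leaked-list check stands in for a real breach-corpus lookup.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MIN_LENGTH = 8                          # article: at least eight characters, preferably longer
LOCKOUT_THRESHOLD = 5                   # constructed value: failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60               # constructed value: how long the lock lasts
LEAKED = {"password1!", "winter2024!"}  # constructed stand-in for a breach-list lookup

def validate_new_password(candidate: str) -> list:
    """Policy violations for a proposed password; an empty list means it is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in LEAKED:
        problems.append("known leaked password")
    return problems

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen database does not hand over the plaintext cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    compromised: bool = False   # set only on evidence the password was stolen or leaked
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked

def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))

def attempt_login(acct: Account, password: str, now: float) -> str:
    """Returns 'locked', 'denied', 'reset_required' or 'ok'; password age is never a factor."""
    if now < acct.locked_until:
        return "locked"
    if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts = 0
        # A reset is demanded only when the account has been flagged as compromised.
        return "reset_required" if acct.compromised else "ok"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failed_attempts = 0
        return "locked"
    return "denied"
```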

NIST's change in password management recommendations reflects a growing recognition in the cybersecurity community that frequent password changes may not be an effective security measure. Instead, organizations should promote strong, unique passwords, the use of password managers, and additional security measures that protect user accounts. By adopting these practices, organizations can improve their security posture and reduce the risk of a data breach or password leak.

Article information

Author: Arielle Torp