Password Expiration Policies Don't Work


It seems some auditors are still asking organizations to rotate passwords periodically in the name of a “current industry standard.” Below are some resources you can use to show that arbitrary time-based password expiration is no longer best practice and has not been for some time. Are there cases where you might still want such a policy? Sure! But it is by no means a universal standard that every organization will benefit from.

NIST

NIST, the organization whose publications most of these audits peg their rules to, dropped the recommendation of periodic password changes in SP 800-63B, the authentication volume of the Digital Identity Guidelines published in 2017. The NIST FAQ addresses the question directly: https://pages.nist.gov/800-63-FAQ/#q-b05

SP 800-63B Section 5.1.1.2 paragraph 9 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

NIST's accompanying rationale explains why:

“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”
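As an added example (not code from this post or from NIST), the following Python mock-up shows both halves of that rationale in working code: an attacker who holds a user's old, leaked password tries the same "common transformations" NIST describes against the verifier and recovers the rotated password, and an event-based check that forces a change only when the secret shows up in a breach corpus rather than on a timer. The passwords, the salted-hash verifier, the transformation list and the breach set are all constructed for the demonstration; a real wordlist rule set and a real breach feed would be far larger.

```python
"""Added example (not from NIST or this post): why a rotated password
offers little protection once the old one has leaked, and what the
event-based alternative looks like.

All passwords, hashes and the 'breach corpus' below are constructed
for the demonstration.
"""
import hashlib
import os
import re
from typing import Callable, Iterator, Optional, Set

PBKDF2_ROUNDS = 10_000  # deliberately low so the demo runs quickly


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in for the verifier's slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_verifier(new_password: str) -> Callable[[str], bool]:
    """Return a check against the stored hash of the user's post-rotation
    password. The attacker only sees this login interface, not the hash."""
    salt = os.urandom(16)
    stored = derive(new_password, salt)
    return lambda guess: derive(guess, salt) == stored


def common_transformations(old: str) -> Iterator[str]:
    """Guesses an attacker derives from a known old password: the
    'increase a number' rule NIST cites plus a few other cheap edits
    (assumed list; real cracking rule sets are much larger)."""
    yield old
    m = re.match(r"^(.*?)(\d+)(\D*)$", old)
    if m:                                   # Winter2023! -> Winter2024!
        stem, num, tail = m.groups()
        for delta in range(1, 13):
            yield f"{stem}{int(num) + delta:0{len(num)}d}{tail}"
    else:                                   # Welcome -> Welcome1
        for digit in range(10):
            yield f"{old}{digit}"
    for suffix in ("!", "!!", "1", "123"):
        yield old + suffix
    yield old.capitalize()
    yield old.swapcase()
    yield old.translate(str.maketrans("aeos", "@30$"))


def attack_after_rotation(old_leaked: str,
                          verify: Callable[[str], bool]) -> Optional[str]:
    """Online guessing with the derived candidates; first accepted guess wins.
    Returns None if no transformation reproduces the new password."""
    for guess in common_transformations(old_leaked):
        if verify(guess):
            return guess
    return None


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed stand-in for a breached-password feed (hashes known to have
# appeared in a dump). A real deployment would query a breach service.
BREACHED_SHA1: Set[str] = {sha1_hex("Welcome11"), sha1_hex("Winter2023!")}


def must_change(password: str, breached: Set[str] = BREACHED_SHA1) -> bool:
    """Event-based trigger in the spirit of SP 800-63B: force a change only
    when there is evidence the secret is compromised, never on a timer."""
    return sha1_hex(password) in breached


if __name__ == "__main__":
    verify = make_verifier("Winter2024!")   # what the user 'rotated' to
    print("attacker recovered:", attack_after_rotation("Winter2023!", verify))
    print("force change on Welcome11?", must_change("Welcome11"))
    print("force change on a fresh passphrase?",
          must_change("correct horse battery staple"))
```

Run it and the leaked "Winter2023!" yields "Winter2024!" on the second guess, which is the false sense of security the rationale describes: the rotation cost the user effort and the attacker almost nothing. The `must_change` check is the replacement control: it fires on evidence of compromise and stays quiet otherwise, so users are not pushed toward predictable secrets by a looming deadline.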

Microsoft

Microsoft changed its guidance in 2019, dropping the password-expiration settings from the security baseline for Windows 10 v1903 and Windows Server v1903: https://learn.microsoft.com/en-us/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903

Federal Trade Commission

In 2016, the FTC highlighted research showing that mandatory periodic password changes do not improve security and may even harm it: https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes

National Cyber Security Centre

The UK National Cyber Security Centre likewise changed their policy recommendation to discourage periodic password changes: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach