Password resets can be frustrating for end users. No one likes being interrupted by a "time to change your password" prompt, and they like it even less when the new password they choose is rejected by their organization's password policy. IT teams share the pain: resetting passwords through help desk tickets and support calls is a daily burden. Despite this, it has long been standard practice to make every password expire after a fixed period.
Why is this so? Do you even need password expiration? This article explains why passwords expire, and why setting passwords to "never expire" can save some headaches but is not, on its own, the best idea for security.
Why do passwords expire?
The traditional 90-day password reset policy stems from the need to limit the damage from offline brute-force attacks. Organizations do not store passwords in the clear; they store hashes, one-way digests produced by a cryptographic hash function (CHF). A hash is not an encrypted copy of the password: it cannot be decrypted, only recomputed. When a user logs in, the submitted password is hashed and the result is compared to the stored hash. An attacker who steals the hash database must guess candidate passwords, run each one through the same hashing algorithm and compare the results. The process can be made far more expensive for the attacker by salting, where a random per-user string is combined with the password before hashing so that precomputed tables are useless and every user's hash has to be attacked separately, and by using deliberately slow hashing algorithms. The reasoning behind expiration is that if cracking a hash takes longer than the password's lifetime, the cracked password is worthless by the time the attacker has it.
How long a brute-force attack takes depends on several factors, including the processing power available to the attacker, the hashing algorithm in use and the strength of the password. A 90-day reset period was considered a balanced approach: short enough that most cracking attempts of the day would not finish in time, without burdening users with too-frequent changes. Advances in hardware and cracking tools have since cut the time it takes to crack passwords dramatically, prompting a reevaluation of this policy. Despite this, the 90-day validity period remains part of many compliance standards, including PCI DSS.
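To make the hashing and salting argument concrete, here is an added example (not code from the original article or from any vendor) that stores the same three constructed accounts two ways, as plain unsalted SHA-256 and as salted PBKDF2-HMAC-SHA256, then runs the same small constructed dictionary attack against both stores and counts the work the attacker has to do. The user names, passwords and wordlist are all made up for the demonstration; the iteration count is a parameter so the comparison can be run quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample accounts; two users happen to share a password.
USERS = {"alice": "Summer2023!", "bob": "Password1!", "carol": "Summer2023!"}

# Constructed attacker wordlist standing in for a multi-gigabyte dictionary.
WORDLIST = ["letmein", "Password1!", "qwerty", "Summer2023!", "Winter2023!"]


def hash_unsalted(password: str) -> bytes:
    """One fast, unsalted SHA-256 over the password (the weak scheme)."""
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password: str, salt: bytes, digest: bytes,
                  iterations: int = 100_000) -> bool:
    """What the login path does: rehash the submitted password with the
    stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_unsalted(stored: Dict[str, bytes], wordlist) -> Tuple[Dict[str, str], int]:
    """Attacker's view of an unsalted table: hash each guess once and look it
    up against every user at the same time."""
    table = {hash_unsalted(w): w for w in wordlist}
    hashes_computed = len(wordlist)
    found = {user: table[d] for user, d in stored.items() if d in table}
    return found, hashes_computed


def crack_salted(stored: Dict[str, Tuple[bytes, bytes]], wordlist,
                 iterations: int = 100_000) -> Tuple[Dict[str, str], int]:
    """With salts, each user's hash must be attacked separately, and every
    guess costs `iterations` HMAC rounds instead of one hash."""
    found, kdf_calls = {}, 0
    for user, (salt, digest) in stored.items():
        for w in wordlist:
            kdf_calls += 1
            if verify_salted(w, salt, digest, iterations):
                found[user] = w
                break
    return found, kdf_calls


def compare_schemes(iterations: int = 100_000) -> dict:
    """Build both credential stores from USERS and run the dictionary attack
    against each, reporting what was cracked and how much work it took."""
    unsalted_store = {u: hash_unsalted(p) for u, p in USERS.items()}
    salted_store = {u: hash_salted(p, iterations=iterations) for u, p in USERS.items()}
    found_u, n_u = crack_unsalted(unsalted_store, WORDLIST)
    found_s, n_s = crack_salted(salted_store, WORDLIST, iterations)
    return {
        "unsalted": {"cracked": found_u, "hash_ops": n_u},
        # PBKDF2 performs exactly `iterations` HMAC rounds per call.
        "salted": {"cracked": found_s, "kdf_calls": n_s, "hmac_rounds": n_s * iterations},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare_schemes(), indent=2))
```

Both stores give up all three accounts to this tiny wordlist, which is the point the article goes on to make: "Password1!" satisfies a typical complexity rule and still falls instantly. The difference is cost. Against the unsalted store the attacker computes five hashes and recovers every user in one pass; against the salted store the attacker needs ten separate KDF calls, one million HMAC rounds at the default iteration count, and nothing learned about alice helps with carol even though they share a password. Expiration only matters when that cost, multiplied by a realistic search space, exceeds the password's lifetime.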
Why did some organizations drop password expiration?
One of the main arguments against periodic password expiration is that it encourages weak, predictable passwords. Users often make minimal changes to their existing passwords, such as turning "Password1!" into "Password2!", and an attacker who knows the old password can guess the new one in a handful of attempts. This practice undermines whatever security benefit the change was supposed to provide. The real problem here is not the reset itself, but a policy that allowed weak passwords in the first place.
The biggest reason organizations choose passwords that never expire, however, is to reduce the burden on IT and the help desk. The cost of password resets is significant: Gartner estimates that 20-50% of all IT help desk calls are password resets, and Forrester puts the labor cost of each reset at about $70. The volume rises further because users frequently forget passwords they were just forced to create.
So some organizations are tempted to require each user to create one very strong password and then set it to never expire, cutting IT burden and reset costs.
What are the risks of passwords that never expire?
Having a strong password and never changing it can create a false sense of security. A strong password is not immune to threats; it can be exposed through phishing, a data breach or some other incident without the user ever knowing. The Specops Breached Password Report found that 83% of the compromised passwords it analyzed met regulatory standards for length and complexity, so satisfying a complexity policy is no guarantee that a password is not already in an attacker's hands.
An organization may have a strong password policy under which every end user is forced to create a password that resists brute-force attacks. But what happens if an employee reuses that password for Facebook, Netflix and all their other personal apps? A breach at any of those services exposes the corporate password, regardless of the internal security measures the organization takes. A LastPass survey found that 91% of end users understood the risk of password reuse, but 59% did it anyway.
Another risk of passwords that never expire is that an attacker can use compromised credentials for an extended period. The Ponemon Institute found that an organization typically needs about 207 days to detect a breach. Mandatory expiration at least caps how long a stolen password remains valid, although an attacker will usually have achieved their goals long before a 90-day window closes. This is why NIST and similar guidelines recommend dropping periodic expiration only where the organization has mechanisms in place to detect compromised passwords and force a change when one is found.
How to detect cracked passwords
Organizations should adopt a comprehensive password strategy that goes beyond simple expiration. This starts with guiding users to create strong passphrases of at least 15 characters; such a policy greatly reduces exposure to brute-force attacks, because each extra character multiplies the search space. Longer passwords can also be encouraged through length-based aging, where longer, stronger passwords are allowed to live for a longer period before they expire while shorter ones expire sooner. This approach removes the need for a single universal expiration date, as long as users adhere to the organization's password policy.
[Image: table illustrating stronger password generation and length-based aging]
However, even strong passwords can be compromised, and steps must be taken to detect when that happens. Once a password has leaked, the "time to crack" shown in the bottom right of the table above drops to "instant", no matter how long or complex the password is, because the attacker no longer needs to guess it. Organizations therefore need a combined strategy that protects against both weak passwords and already-compromised ones.
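The two preceding points, length-based aging and checking for already-compromised passwords, fit naturally into one policy evaluator. The following is an added example written for this article, not code from the original page or from Specops, and it also folds in the "Password1!" to "Password2!" similarity check from the discussion of why expiration produces weak passwords. The 15-character floor comes from the text; the aging tiers, the similarity threshold, the fixed "today" date and the tiny breached-password set are constructed assumptions. The breach lookup is modelled as a k-anonymity range query of the kind public breached-password APIs offer (send a five-character hash prefix, get back matching suffixes), which is an assumption about a reasonable design, not a description of any particular vendor's service.

```python
import hashlib
from datetime import date, timedelta
from difflib import SequenceMatcher
from typing import Optional

# Constructed breached-password store: SHA-1 digests of a few known-cracked
# passwords, standing in for a service that holds billions of them.
_BREACHED = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["Password1!", "Summer2023!", "correct horse battery staple"]
}

MIN_LENGTH = 15          # passphrase floor used in the article
SIMILARITY_LIMIT = 0.8   # assumed cut-off for "too close to the previous password"

# Length-based aging tiers (assumed values, not the article's): longer passwords
# live longer; None means no expiry while the password stays off breach lists.
AGING_TIERS = [(15, 180), (20, 365), (25, None)]


def breached_range(prefix: str):
    """Simulated k-anonymity range query: the client sends only the first five
    hex characters of the SHA-1 and receives every matching suffix, so the
    full hash of the password never leaves the client."""
    if len(prefix) != 5:
        raise ValueError("prefix must be five hex characters")
    return {h[5:] for h in _BREACHED if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breached_range(digest[:5])


def lifetime_days(password: str) -> Optional[int]:
    """Length-based aging: use the tier with the highest threshold the password meets."""
    for min_len, days in reversed(AGING_TIERS):
        if len(password) >= min_len:
            return days
    raise ValueError("password is shorter than MIN_LENGTH")


def too_similar(old: str, new: str) -> bool:
    """Catch 'Password1!' -> 'Password2!' style rotations."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= SIMILARITY_LIMIT


def evaluate(new: str, old: Optional[str] = None, today: date = date(2024, 1, 1)) -> dict:
    """Apply the whole policy to a proposed password: length floor, breach
    check, similarity to the previous password, then length-based expiry."""
    if len(new) < MIN_LENGTH:
        return {"accepted": False, "reason": "shorter than %d characters" % MIN_LENGTH}
    if is_breached(new):
        return {"accepted": False, "reason": "found in breached-password list"}
    if old is not None and too_similar(old, new):
        return {"accepted": False, "reason": "too similar to previous password"}
    days = lifetime_days(new)
    return {
        "accepted": True,
        "reason": "ok",
        "lifetime_days": days,
        "expires": None if days is None else today + timedelta(days=days),
    }


if __name__ == "__main__":
    for candidate, previous in [("Password1!", None),
                                ("correct horse battery staple", None),
                                ("purple tractor eats 7 clouds", "purple tractor eats 6 clouds"),
                                ("mountain biking", None)]:
        print(candidate, "->", evaluate(candidate, previous))
```

Note that the breach check runs before the similarity check and before any expiry date is assigned: a 28-character passphrase that already appears in a breach list is rejected outright, which is the "time to crack becomes instant" case from the table. The same `is_breached` lookup is what a continuous check would run against every existing account, not only at password-change time, so that a password that leaks after it was set is still caught and forced to change.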
If you are interested in managing all of the above automatically through an easy-to-use interface in Active Directory, Specops Password Policy can be a valuable tool in your security arsenal. Specops Password Policy with its Breached Password Protection service continuously checks passwords against a list of over 4 billion unique known compromised passwords and blocks their use. See for yourself in a live demonstration.