Security News

<< Next Post - Previous Post >>

The problem with password expiry

When it comes to password expiry, different companies have different policies.
Whilst the current industry standard is 90 days, a lot of companies do enforce a lower 30 days period or anything in between 30 and 90 days.
If you ask the users, they do not tend to be happy with changing passwords often and even at all (are you?)

The problem with changing passwords often is that, unless you are using some kind of password safe with random generated passwords, users tend to just change a letter or number at the end of their password (1, 2, 3 or 2019, 2020, etc.), chose another weak password all together or write it down somewhere.
And if users do that, then changing their passwords often does not improve your security posture.

We therefore advise not to go lower than 90 days when it comes to password expiry, in fact when it comes to authentication security, we would highly recommend that you enforce dual factor authentication through SMS or App for sensitive accounts (admin, key staff), this would only have a minimal impact on how people access their account in most cases.
Furthermore, the industry is leaning towards a … non expiry password! More and more companies have realized the risks associated with expiring passwords too often and none other than Microsoft seems to be taking that stance! (maybe in a timid way)
You can read a white paper from Microsoft on that topic here (from 2016!):


To conclude, passwords should indeed be changed when compromised (leaked, shared, etc) or not following a strong password policy. In some cases there might even be a regulatory requirements to expire passwords after a set amount of time (PCI DSS). However, you should also consider the security and operational benefits of using non expiry passwords, especially when combined with dual factor authentication and monitoring/alerting on suspicious logins.

<< Next Post - Previous Post >>