Ever-changing and complex is not the answer

Enforcing an expiring-password policy is not nearly as effective as you might think. Several experts state that it has a direct impact on password strength: users forced to continuously change their passwords tend to give them less thought and choose unsafe, memorable ones over strong ones. Using lengthy, strong passwords and changing them only when necessary is the suggested approach instead.

Frequent password changes—Good or bad?

A password-expiration policy is generally implemented with good intentions. After all, it seems like common sense: an attacker with access to account details would be locked out once a password rotation occurs. What could go wrong? As it turns out, a lot.

Once we are forced to continuously change our passwords, we tend to choose weaker ones, not least to make them easier to remember. This rings especially true given how many passwords the average user already has to remember. Several experts support this view, among them Carnegie Mellon computer science professor Lorrie Cranor, who stated back in 2016 that when we are forced to change our passwords regularly, we don’t put a lot of thought into them.

The approach suggested by security experts, among them Karl Emil Nikka, is to remove password expiration altogether: focus on creating strong passwords and change them only when there is reason to suspect an attack. According to Nikka, the preference for expiring passwords is built on an old, and now withdrawn, recommendation from NIST.

What makes a strong password?

While on the subject of disrupting common beliefs, why stop with password expiration? For most of you, a certain kind of password probably pops up in your mind when you hear “good”: one containing tons of symbols and special characters and near-impossible to remember. Essentially, “good” is equated with “complex”. However, this does not have to be the case.

For example, a password of length 10 comprised only of the letters a-z gives you 26^10 possibilities. Keeping that length but adding the digits 0-9 to the pool gives you 36^10 possibilities instead.

On the other hand, if you instead increase the length to 11 characters (still using only the letters a-z), the number of possibilities (26^11) exceeds that of the 10-character letters-and-digits case by about 14 trillion. The same applies to symbols: it is simply more efficient to increase the length than to enlarge the set of letters and symbols used. It also makes the passwords easier to remember.
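The comparison above, worked through in code as an added example (not part of the original post). It generalizes the page's 26^10 / 36^10 / 26^11 case to any alphabet size and length, and also reports the keyspace in bits so the two options can be compared at a glance:

```python
import math

# Character-pool sizes used in the article's example.
LETTERS = 26          # a-z
LETTERS_DIGITS = 36   # a-z plus the ten digits 0-9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters
    drawn from a pool of `alphabet_size` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Keyspace expressed in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def length_beats_charset(alphabet_size: int, extra_symbols: int, length: int) -> bool:
    """True when adding ONE more character to the password grows the
    keyspace more than adding `extra_symbols` characters to the pool
    at the same length (the article's 26^11 versus 36^10 question)."""
    longer = keyspace(alphabet_size, length + 1)
    wider = keyspace(alphabet_size + extra_symbols, length)
    return longer > wider


def compare_article_case() -> dict:
    """Reproduce the article's numbers for a 10-character password."""
    letters_10 = keyspace(LETTERS, 10)
    mixed_10 = keyspace(LETTERS_DIGITS, 10)
    letters_11 = keyspace(LETTERS, 11)
    return {
        "letters_10": letters_10,
        "mixed_10": mixed_10,
        "letters_11": letters_11,
        # Difference the article rounds to "about 14 trillion".
        "length_advantage": letters_11 - mixed_10,
    }


if __name__ == "__main__":
    for name, value in compare_article_case().items():
        print(f"{name:>17}: {value:,}")
    print(f"letters_10 bits: {entropy_bits(LETTERS, 10):.1f}")
    print(f"mixed_10 bits:   {entropy_bits(LETTERS_DIGITS, 10):.1f}")
    print(f"letters_11 bits: {entropy_bits(LETTERS, 11):.1f}")
```

Note that the two 11-versus-10 options are within half a percent of each other in keyspace; the decisive argument for length is that each extra character multiplies the keyspace by the full pool size every time, while the extra symbols only help for the length you already have.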

What is our advice?

Now we know that long, not overly complex passwords are the way to go. But what if you can’t remember them? A solution used by many, and one we personally recommend, is a password manager: a tool which generates strong passwords and remembers them for you, so the only thing you need to remember is a master password. There is a plethora of them, so do your research and find the one best suited to your needs.

Finally, what if you run a business and want to know whether you’re at risk of attack and should force a password change? CYPRO recommends a SIEM (Security Information and Event Management) service: a platform which provides real-time analysis of security alerts on your network. If you’re curious, feel free to contact us!