Quick Links
One of the most enduring pieces of password security knowledge is that frequent password changes boost security. At least, that’s what IT teams around the world have pushed on folks for decades.
However, that advice has always met resistance, with many in security contending that it leads to poor password practices to tick the boxes while remaining memorable.
And now, research backs this theory up, illustrating that frequently changing a password leads to security issues.
Frequent Password Changes Lead to Poor Security
Many of you will have been there: the dreaded enforced password change every four, six, or eight weeks. Pushed down by an IT team, the idea is that changing your password renders any security breaches moot, as everyone is using a fresh password.
In reality, this leads to shortcuts when it comes to creating a password. Instead of creating strong, unique passwords that are difficult to guess, most opt for easy-to-remember passwords with small iterations.
For example, a strong password with 16 characters may read “hS’9{yX?Fzu#=_:R”, containing a mixture of upper and lower case letters, numbers, and symbols. It’s difficult to remember, but in time, you’ll get it.
Whereas if you have to change your password every month, you won’t have time to remember this. Hence, folks begin using easier to remember phrases with small iterations.
- Month 1: difficultpassword1
- Month 2: d1fficultpassword2
- Month 3: d1ff1cultp4ssword3
And so on.
Choose a Strong, Unique Password (Or Use a Password Manager)
The UK’s National Cyber Security Centre has advised against forcing regular passwords since 2015, and now, in 2024, the National Institute of Standards [PDF] is following suit.
Its new advice recommends password expiration every 365 days, drastically changing the timeframe—and boosting security.
At the same time, NIST is also updating its messaging on password lengths and strength. In some scenarios, password creation rules limit users to 12 characters, or certain symbols cannot be used. Now, NIST advises that all passwords should be:
- A minimum of 15 characters
- Up to 64 characters
- Include all ASCII characters, the space character, and Unicode characters
The changes mean more password entry fields will allow stronger and easier to remember passphrases (up to the limit), while overall password strength is also boosted.
Of course, any organization that cares about password security should allow the use of a password manager. There are additional security considerations associated with using a password manager, such as storing data locally, zero-knowledge encryption, and so on, but it’s the best way to protect all of your accounts with a strong password.
