Hot Take: Everything I Thought About Password Expirations Is Correct (and the Experts Finally Agree)

lokamoka820

Level 23
Thread author
Mar 1, 2024
1,222
One of the most enduring pieces of password security knowledge is that frequent password changes boost security. At least, that's what IT teams around the world have pushed on folks for decades.

However, that advice has always met resistance, with many in security contending that it leads to poor password practices: passwords chosen to tick the boxes while remaining memorable.

And now, research backs this theory up, illustrating that frequently changing a password leads to security issues.
 

Bot

AI-powered Bot
Apr 21, 2016
4,421
It's indeed true that frequent password changes can lead to weaker security practices. Users often resort to simpler passwords or minor variations of previous ones, which are easier to crack. Using a strong, unique password or a password manager is a more effective approach to ensure security. Thanks for sharing these useful links!
 

bazang

Level 7
Jul 3, 2024
337
"In reality, this leads to shortcuts when it comes to creating a password. Instead of creating strong, unique passwords that are difficult to guess, most opt for easy-to-remember passwords with small iterations."

This is a people problem. Not a password change problem.

People are always the problem. ALWAYS.

Enterprises easily circumvent people and the problems they bring by enforcing complexity and length password rules.

This research is nonsense. It blames the procedures and rules, when the people who do not follow those rules and procedures are to blame.

"Oh it is just too hard. We can't cope with changing our password." :ROFLMAO:
 

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,292
My company pushes this and I hate it. Every three months my password expires and I need to set a new one. Because of this, the majority of colleagues never know their password. Some write it down in the notes app or on a piece of paper and keep it in their wallets. The rest regularly visit IT, who are certainly losing their heads over this, but hey, they implemented that measure, not us... 😁

And yes, because three months is a relatively short period of time, we constantly set insecure and easy-to-remember passwords (usually a name, numbers and a symbol). Recently, the company started using 2FA (we're using Microsoft 365) and people are even more confused now. 95% of employees have no idea what 2FA is; all they know is they have an app with some kind of code which they don't know how to use. I thought we were gonna get rid of the annoying password expiry policy, but of course we didn't.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
My company pushes this and I hate it. Every three months my password expires and I need to set a new one. Because of this, the majority of colleagues never know their password. Some write it down in the notes app or on a piece of paper and keep it in their wallets. The rest regularly visit IT, who are certainly losing their heads over this, but hey, they implemented that measure, not us... 😁

And yes, because three months is a relatively short period of time, we constantly set insecure and easy-to-remember passwords (usually a name, numbers and a symbol). Recently, the company started using 2FA (we're using Microsoft 365) and people are even more confused now. 95% of employees have no idea what 2FA is; all they know is they have an app with some kind of code which they don't know how to use. I thought we were gonna get rid of the annoying password expiry policy, but of course we didn't.

My employer had the exact same practice until recently, with a minimum 8-character password for device logins. Now we have to use a minimum 15-character password for device logins, requiring a change once a year. A 15-character minimum for device login seems silly to me. Why not a shorter password requirement with an account lockout threshold and duration for a set number of failed attempts?
 

bazang

Level 7
Jul 3, 2024
337
My company pushes this and I hate it. Every three months my password expires and I need to set a new one. Because of this, the majority of colleagues never know their password. Some write it down in the notes app or on a piece of paper and keep it in their wallets. The rest regularly visit IT, who are certainly losing their heads over this, but hey, they implemented that measure, not us... 😁

And yes, because three months is a relatively short period of time, we constantly set insecure and easy-to-remember passwords (usually a name, numbers and a symbol). Recently, the company started using 2FA (we're using Microsoft 365) and people are even more confused now. 95% of employees have no idea what 2FA is; all they know is they have an app with some kind of code which they don't know how to use. I thought we were gonna get rid of the annoying password expiry policy, but of course we didn't.
The problem is not the password policies.

A password manager, along with MFA, should always be used, and a requirement of employment (new hire & continuing) is that the employee has to prove they are competent in their use. The company should provide the training for employees who need it, but ultimately the employee has to prove they have a minimum competence using basic, expected cyber security practices. For any that keep contacting IT/sysadmin to fix login problems, IT/sysadmin should be instructed to report those individuals to human resources so a determination can be made as to what is going on with the people. Are they incompetent? Are they negligent? Are they not following procedures? Do they not know how to store a new password in a password manager?

Security is not software. It is a process.

My employer had the exact same practice until recently, with a minimum 8-character password for device logins. Now we have to use a minimum 15-character password for device logins, requiring a change once a year. A 15-character minimum for device login seems silly to me. Why not a shorter password requirement with an account lockout threshold and duration for a set number of failed attempts?

The minimum secure password requirement length is 16, and it must allow all characters (capital, lowercase, numbers, and symbols) that are in the ASCII BASIC set.

The key feature of password security is its entropy. Without sufficiently high entropy, the password can be easily brute force attacked or credential-stuffed.

Entropy increases with password length and increased, random use of all character types. Permitting ASCII Extended in passwords shoots the password entropy through the roof. A 25-character password with an entropy value of 160 will increase to between 200 and 300 simply by permitting ASCII Extended characters.

You know the really big hacks that get reported here and make people upset? Many of them are caused by the silly and stupid arguments against strictly enforced passwords and resets. If people would lose their jobs because they are not following security procedures, then that would create change.

Any company that uses weak password policies is making itself easily hackable, and all your data too. People are always the problem. ALWAYS.
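Added example (not from the post above or from anyone in this thread): a small Python script that puts numbers on the entropy discussion. It computes length * log2(alphabet) for uniformly random passwords over the 95 printable ASCII characters and over that set plus the 128 high byte values, and it also estimates the much smaller effective entropy of a Name + digits + symbol password of the kind Marko :) describes, using an assumed pool of 10,000 names. The name pool, the symbol set and treating all 128 high byte values as usable are assumptions for illustration, not figures from the thread.

```python
import math
import re
import string

# Alphabet sizes used below. ASCII_BASIC is the 95 printable 7-bit
# characters (space through '~'). HIGH_BYTES is the 128 values 0x80-0xFF
# that "ASCII Extended" adds; treating all of them as usable is an
# assumption, real systems accept varying subsets.
ASCII_BASIC = 95
HIGH_BYTES = 128

# Assumed pool sizes for the "name, numbers and a symbol" habit described
# in the thread. Illustrative figures, not measured data: an attacker who
# knows the template only has to try names x digit strings x symbols.
NAME_POOL = 10_000
SYMBOLS = "!@#$%^&*"
TEMPLATE_RE = re.compile(r"^([A-Z][a-z]{2,})(\d{1,4})([" + re.escape(SYMBOLS) + r"])$")


def random_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password whose every character is chosen uniformly at
    random from a charset of the given size: length * log2(charset_size)."""
    if length <= 0 or charset_size < 2:
        raise ValueError("need a positive length and a charset of at least 2 symbols")
    return length * math.log2(charset_size)


def inferred_charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker would configure after
    seeing which character classes the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    if " " in password:
        size += 1
    if any(ord(c) > 0x7F for c in password):
        size += HIGH_BYTES
    return size


def template_entropy_bits(password: str):
    """Entropy if the password follows the Name + digits + symbol template,
    or None when it does not match that pattern."""
    m = TEMPLATE_RE.match(password)
    if m is None:
        return None
    _name, digits, _symbol = m.groups()
    return math.log2(NAME_POOL * 10 ** len(digits) * len(SYMBOLS))


def effective_entropy_bits(password: str) -> float:
    """The attacker picks the cheapest applicable strategy, so the effective
    strength is the minimum of the brute-force and template estimates."""
    naive = random_entropy_bits(len(password), inferred_charset_size(password))
    templated = template_entropy_bits(password)
    return naive if templated is None else min(naive, templated)


if __name__ == "__main__":
    for length, size, label in [(25, ASCII_BASIC, "25 x ASCII basic"),
                                (25, ASCII_BASIC + HIGH_BYTES, "25 x ASCII basic + high bytes"),
                                (16, ASCII_BASIC, "16 x ASCII basic")]:
        print(f"{label}: {random_entropy_bits(length, size):.1f} bits")
    for pw in ["John2024!", "&8Ct%M00vQ"]:
        naive = random_entropy_bits(len(pw), inferred_charset_size(pw))
        print(f"{pw!r}: naive {naive:.1f} bits, effective {effective_entropy_bits(pw):.1f} bits")
```

With these assumptions a 25-character random password over printable ASCII comes out at about 164 bits and about 195 bits once the high byte values are allowed, while "John2024!" (nine characters from four classes, about 59 bits if it were random) drops to roughly 30 bits as soon as the attacker tries the template instead of the full alphabet.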
 

Marko :)

Level 23
Verified
Top Poster
Well-known
Aug 12, 2015
1,292
The problem is not the password policies.

A password manager, along with MFA, should always be used, and a requirement of employment (new hire & continuing) is that the employee has to prove they are competent in their use. The company should provide the training for employees who need it, but ultimately the employee has to prove they have a minimum competence using basic, expected cyber security practices. For any that keep contacting IT/sysadmin to fix login problems, IT/sysadmin should be instructed to report those individuals to human resources so a determination can be made as to what is going on with the people. Are they incompetent? Are they negligent? Are they not following procedures? Do they not know how to store a new password in a password manager?

Security is not software. It is a process.
I work in industry, and while I do use a PC at work, the majority of my colleagues don't. It makes sense for me to have my account well protected because sometimes I use it to log in on a PC. But, as I said, the majority of my colleagues never use a PC because they aren't doing a job that requires it. In fact, all they have is a private phone with their work e-mail on it, which is used exclusively for getting company news and rare communication with other departments. Nothing else.

Now... is it really necessary, for those whose job doesn't include using a PC and who only have a basic e-mail address on their own phone used for non-important things, to have the same strong and complex security requirements as me? I really don't think so.

Talking with those people I found out that most of them don't even use a PC at home; some don't even own one. They just use phones/tablets and that's all they really need. So I think a simple password and 2FA are more than enough for these accounts. No need to change the password every 90 days. In fact, even for important accounts, password + 2FA is all you need.
 

bazang

Level 7
Jul 3, 2024
337
Now... is it really necessary, for those whose job doesn't include using a PC and who only have a basic e-mail address on their own phone used for non-important things, to have the same strong and complex security requirements as me? I really don't think so.
Studies have proven that security only works when everyone at a company is compelled to adhere to the same rules, regardless of job role, function, or whether they are members of management or non-management.

The number one requests for "Security Exceptions" (= not following the rules) are made by executives, particularly CEOs and business owners. Why? Because they think they are so important that they should not have to follow the security rules.

Exceptions can work, as long as there is very active monitoring and governance. That, I know, is not done in 99% of businesses in existence - even in first world nations. It is absolute security chaos in nations where computer illiterate and even (reading) illiterate individuals are hired.

I would say in your employer's case, at the very least it can publish easily understood (written and printed for those who do not use a PC, and online for those that do use a PC). Then, however they decide to educate the non-PC users, it should be done on company time. The employee should be paid while receiving the training. They should also be given online videos for reference and be permitted to access them while on or off company premises.

A typical smartphone with only a company email feed can be secured by various methods - from simple to full hardening. However, I don't know enough about what is being used and configured to hazard a guess.

The whole "They wrote their password down and put it into their wallet!" just means they turned their physical wallet into a password wallet. If a user understands and creates a complex password (&8Ct%M00vQ), then writes it down, and puts it into their wallet, then that is more secure than "123MyName!".

The threat to email accounts is that if they get breached, the attacker can take a look inside using various methods and can potentially figure out a way to get into the mail server, and from there explore lateral and vertical network/resource pivots. Or the attacker can use the compromised email account for all kinds of email-based attacks.

"We can't do this..." or "We can do this but it is very difficult..." or "We can do this but it will be costly out of proportion to the potential threat..." are all valid. That is what companies are supposed to do every quarter (every 3 months) - among a whole bunch of other GRC reviews.

I know one company that simply handles this kind of situation this way:

1. They use a random dice generator to generate six-word passphrases with a minimum of 6 letters per word.
2. They add non-alphabetic single characters to the beginning and end, plus use spaces (e.g. "7 Kantos Pilgrimage Diving Marooned Sapiens Vendetta @").
3. They call the employee and provide the passphrase via voice.
4. They instruct the employee to write it down and then place that in a secure location; they request (do not demand) that the employee not keep it at their desk or locker, carry it with them always, etc.
5. They request (do not demand) that the employee memorize the passphrase.
6. Every year they have a random password verification test where the employee must input their password under observation at the company facility during regular work hours without a cheat sheet. If they do that, then they get 10 Euros added to their paycheck. This is done twice per year.
7. They reset the password every two years and follow this same procedure.

The employees want that extra 20 Euros because greater than 90% pass the password verification tests.

I know this because they asked me to solve their problem and this is what I came up with.

More importantly they use Microsoft Defender for Office 365 portal and other methods to probe and test the employees with potentially malicious emails. If the employee pool as a group scores better than 90% identification of potentially malicious emails, then they all get a 25 Euro bonus.

Mind you, this costs the company over 20,000 Euros per year just for the "bonus" payouts (does not include the costs of additional IT or support labor for the initiatives), but it reduces their security events, meets what is required by their cybersecurity insurance underwriter, keeps the insurance premium from being raised significantly, and meets various applicable regulations.

For first world companies, there are no excuses. The problem is a lack of willingness and an almost complete lack of security prioritization. Virtually all of them can afford to purchase and implement decent, if not moderate to highly robust security. The lack of willingness and prioritization of security is almost universally true of small businesses.

You know, a 2-person biz is a different beast than a 20-person operation. And a 20-person operation is a different beast than a 200-person small business. And a 200-person small business is a different beast than a 2000-person medium business. And so on.
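Added example, not part of the thread: a Python version of the passphrase procedure in steps 1, 2 and 5 of the post above (six words of at least six letters, a non-alphabetic character at each end, spaces between), using secrets.choice in place of the physical dice, plus a parser that checks a phrase has that shape and an entropy estimate for a given list size. The word list here is a constructed stand-in and the affix character set is my choice; the 7776-entry size of the standard five-dice word lists is the only figure taken from outside the thread.

```python
import math
import secrets
import string

# Constructed stand-in for a dice word list (the real Diceware/EFF lists
# have 7776 entries, one per five-dice roll). It is deliberately small and
# mixes in short words so the minimum-length filter has something to do.
SAMPLE_WORDLIST = [
    "pilgrimage", "marooned", "sapiens", "vendetta", "kantos", "diving",
    "cat", "dog", "apple", "zebra", "harbor", "lantern", "quartz", "velvet",
    "glacier", "summit", "meadow", "timber", "copper", "saddle", "orbit",
    "ember", "falcon", "granite", "helium", "island", "jungle", "kernel",
    "ladder", "magnet", "nickel", "oyster", "parrot", "quiver", "rocket",
    "silver", "tundra", "umbrella", "violin", "walnut", "yellow", "zipper",
    "ice", "sun",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, five six-sided dice

MIN_WORD_LETTERS = 6
WORDS_PER_PHRASE = 6
# Non-alphabetic single characters placed at the start and end of the phrase
# (assumed set; the post only says "non-alphabetic").
AFFIX_CHARS = string.digits + "!@#$%&*+=?"


def eligible_words(wordlist, min_letters=MIN_WORD_LETTERS):
    """Pool of distinct, purely alphabetic words of at least min_letters."""
    return sorted({w.lower() for w in wordlist if w.isalpha() and len(w) >= min_letters})


def generate_passphrase(wordlist, words=WORDS_PER_PHRASE, min_letters=MIN_WORD_LETTERS):
    """Build '<affix> Word Word ... <affix>'. secrets.choice draws from the OS
    CSPRNG and stands in for the physical dice roll; words are drawn
    independently with replacement, exactly as dice would."""
    pool = eligible_words(wordlist, min_letters)
    if len(pool) < 2:
        raise ValueError("word list too small after filtering")
    chosen = [secrets.choice(pool).capitalize() for _ in range(words)]
    prefix = secrets.choice(AFFIX_CHARS)
    suffix = secrets.choice(AFFIX_CHARS)
    return f"{prefix} {' '.join(chosen)} {suffix}"


def passphrase_entropy_bits(pool_size, words=WORDS_PER_PHRASE, affix_pool=len(AFFIX_CHARS)):
    """Entropy comes only from the random draws: words * log2(pool_size) for
    the words plus 2 * log2(affix_pool) for the two affix characters. The
    capitals and spaces are fixed by the format and contribute nothing."""
    if pool_size < 2:
        raise ValueError("pool_size must be at least 2")
    return words * math.log2(pool_size) + 2 * math.log2(affix_pool)


def parse_passphrase(phrase):
    """Split a phrase back into (prefix, [words], suffix), raising ValueError
    when it does not have the expected shape. Usable as a policy check."""
    parts = phrase.split(" ")
    if len(parts) < 3:
        raise ValueError("too few tokens")
    prefix, words, suffix = parts[0], parts[1:-1], parts[-1]
    if len(prefix) != 1 or len(suffix) != 1 or prefix.isalpha() or suffix.isalpha():
        raise ValueError("prefix and suffix must be single non-alphabetic characters")
    if not all(w.isalpha() for w in words):
        raise ValueError("inner tokens must be alphabetic words")
    return prefix, words, suffix


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST)
    print(phrase)
    print(f"sample list: {passphrase_entropy_bits(len(eligible_words(SAMPLE_WORDLIST))):.1f} bits")
    print(f"7776-word dice list: {passphrase_entropy_bits(DICEWARE_LIST_SIZE):.1f} bits")
```

The entropy function is the part worth keeping in mind: six words from a 7776-entry list give about 77.5 bits from the words alone, and the two affix characters add a further 8.6 bits with this set. The same six-word format drawn from the 36 eligible words of the sample list is worth under 40 bits, so the size of the list matters far more than the formatting.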
 

lokamoka820

Level 23
Thread author
Mar 1, 2024
1,222
"In reality, this leads to shortcuts when it comes to creating a password. Instead of creating strong, unique passwords that are difficult to guess, most opt for easy-to-remember passwords with small iterations."

This is a people problem. Not a password change problem.

People are always the problem. ALWAYS.

Enterprises easily circumvent people and the problems they bring by enforcing complexity and length password rules.

This research is nonsense. It blames the procedures and rules, when the people who do not follow those rules and procedures are to blame.

"Oh it is just too hard. We can't cope with changing our password." :ROFLMAO:
People are not equal in their technology knowledge. I know some managers in the IT sector who have never used password managers, not for security or privacy reasons but because they can't understand how they work, or they fear losing their passwords, so they still rely on memorizing their passwords or writing them on a piece of paper. And remember: Old Habits Die Hard.
 

bazang

Level 7
Jul 3, 2024
337
People are not equal in their technology knowledge. I know some managers in the IT sector who have never used password managers, not for security or privacy reasons but because they can't understand how they work, or they fear losing their passwords, so they still rely on memorizing their passwords or writing them on a piece of paper. And remember: Old Habits Die Hard.
Any IT manager who works in IT but cannot understand how a password manager works should be fired. Really. Not being able to understand how a password manager works means either they didn't try or they cannot, and in either case they should not be working in IT, at least not as a sysadmin. They'd be good as a wiring technician.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
The minimum secure password requirement length is 16 and it must allow all characters, capital, lowercase, numbers, and symbols that are in the ASCII BASIC set.

The key feature of password security is its entropy. Without sufficiently high entropy, the password can be easily brute force attacked or credential-stuffed.

I'm only talking about password length on a physical device such as a laptop, in this case a COE laptop with BitLocker full-drive encryption. Is it not feasible to simply allow a shorter password length, such as 8 characters, with a minimum requirement of at least one special character and at least one upper-case character, as long as a policy is set to lock out after a threshold of, for example, three failed attempts, for maybe one minute? Would that be sufficient for security? I get that online passwords, for banking for example, require a longer and more complex password along with 2FA because of offline hacking attempts, but for a laptop this extra-long password requirement should probably not be required. Am I wrong, and if so, why?
 

bazang

Level 7
Jul 3, 2024
337
I'm only talking about password length on a physical device such as a laptop, in this case a COE laptop with BitLocker full-drive encryption. Is it not feasible to simply allow a shorter password length, such as 8 characters, with a minimum requirement of at least one special character and at least one upper-case character, as long as a policy is set to lock out after a threshold of, for example, three failed attempts, for maybe one minute? Would that be sufficient for security? I get that online passwords, for banking for example, require a longer and more complex password along with 2FA because of offline hacking attempts, but for a laptop this extra-long password requirement should probably not be required. Am I wrong, and if so, why?
It all depends upon what is on a device, how valuable what is on that device is to a person or entity, and the risk that the device will be lost or stolen and then end up in the hands of someone who has the skills and resources to attempt to determine the login password.

Most people are going to say "I don't have anything of real value on the device." In that case, they don't even need a login password. The choice is theirs.

People who are attracted to places such as MT have a proclivity to be paranoid and protect their systems like they possess the world's nuclear launch codes. Are their actions proportionate to the risks? Nope.

When it comes to Windows login passwords my immediate question is "Why are you not logging on using a PIN or Windows Hello?"

I also remind people from first world nations that their understanding of IT security and device handling practices is very different from what is found in second and third world nations. It is not at all unusual to have a device passed around and used by many people in some parts of the world. I bet they either all use the same password & account or use no login password at all.

However, in the commercial and government sectors, using low-quality security measures such as short passwords is fertile territory for regulatory, civil and criminal negative consequences. This is what I was referring to regarding password standards and practices.
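Added example, written for this page and not by either poster: a Python model of the trade-off wat0114 asks about. It computes the candidate space for 8- and 15-character passwords over printable ASCII and the expected time to search half of it, once at the rate a three-failures-then-one-minute lockout allows at the login prompt, and once at an assumed offline rate of 1e10 guesses per second against a recovered password hash. The offline rate is an illustrative assumption (real rates depend on the hash algorithm and hardware); what the comparison shows is that a lockout only throttles guesses that go through the prompt.

```python
import math

PRINTABLE_ASCII = 95
SECONDS_PER_YEAR = 365 * 24 * 3600

# Illustrative offline guessing rate: guesses per second an attacker might
# reach against a fast, unsalted password hash on a few GPUs. An assumption
# for the comparison, not a measurement; a slow KDF cuts this by orders of
# magnitude, and the real figure depends on the hash and the hardware.
ASSUMED_OFFLINE_RATE = 1e10


def search_space(length, charset_size=PRINTABLE_ASCII):
    """Number of candidate passwords of exactly `length` characters."""
    if length < 1 or charset_size < 2:
        raise ValueError("need length >= 1 and charset_size >= 2")
    return charset_size ** length


def online_guess_rate(threshold, lockout_seconds):
    """Long-run guesses per second against a lockout policy: the attacker
    burns `threshold` attempts, waits out `lockout_seconds`, and repeats.
    Attempt latency is ignored, which only favours the attacker."""
    if threshold < 1 or lockout_seconds <= 0:
        raise ValueError("threshold >= 1 and lockout_seconds > 0 required")
    return threshold / lockout_seconds


def expected_years_to_guess(space, guesses_per_second):
    """Expected time to hit a uniformly random password: half the space."""
    return (space / 2) / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(length, threshold=3, lockout_seconds=60,
                     offline_rate=ASSUMED_OFFLINE_RATE, charset_size=PRINTABLE_ASCII):
    """Expected cracking time for one password length under both threat models:
    guessing through the prompt (lockout applies) and guessing against a
    hash the attacker already holds (lockout never sees those attempts)."""
    space = search_space(length, charset_size)
    return {
        "length": length,
        "bits": math.log2(space),
        "online_years": expected_years_to_guess(space, online_guess_rate(threshold, lockout_seconds)),
        "offline_years": expected_years_to_guess(space, offline_rate),
    }


if __name__ == "__main__":
    for length in (8, 15):
        r = compare_policies(length)
        print(f"{length} chars: {r['bits']:.1f} bits, online (3 tries/min) "
              f"{r['online_years']:.2e} years, offline (1e10/s) {r['offline_years']:.2e} years")
```

With these inputs the 8-character password holds up in the online column (about 2e9 expected years at three guesses a minute) but falls in well under a day at the assumed offline rate, while the 15-character one stays out of reach in both. The lockout contributes nothing once the attacker is working from a copy of the hash, which is the case the longer minimum is there for.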
 
