2020 Prediction: The Death of the Password Rotation Policy

November 21, 2019 Heather Smith

Our CEO, Ted Ross, originally wrote this post for VMblog.

Our prediction: security leaders will finally realize that periodic password changes aren’t precautionary; they’re precarious, frustrating for users and counterproductive for security.

The standard 90-day password change policy has long been an accepted industry best practice for keeping enterprise networks safe from harm. Seen as only a small inconvenience to the user, changing login credentials at regular intervals promised to provide protection from threats and breaches that could wreak havoc on business. While this practice may have kept criminals guessing in the past, continuing to rely on this dated approach to password management is detrimental to your security posture.

Today, the average internet user has logins for ~200 sites. It’s no surprise that most people just use the same (or a variation on the same) password across multiple sites and accounts. When users are put on the spot to come up with a new password every three months, the desire to reuse or tweak one from the past is understandably strong. The problem? The more often people change their passwords, the higher the chances of them using one that is already exposed. And criminals are waiting patiently to try their list of compromised passwords every ninety days – again and again until they successfully take over the account. Because of this, the forced 90-day password rotation actually plays into the hands of the criminal.

So, what’s the safe bet for the enterprise? Only force a password change when a user’s password has been compromised. Drop the regularly scheduled password changes and use SpyCloud’s automated account takeover (ATO) prevention product to securely check employee passwords against a corpus of exposed passwords (which grows daily). Using this approach, users will only be required to change passwords when necessary. It’s much less annoying than a forced password rotation policy, and it’s much safer.

“I love arbitrarily rotating my password,” said no one ever. And this year, we are finally seeing the policy being questioned. We expect that in 2020 we’ll continue to see enterprise security teams happily moving away from this decrepit security policy.
