The Password Is Dead

Frequent password changes... They're sooo 2017.

I've been guilty of giving the old "change passwords frequently" advice. The notion that individuals should frequently change passwords has been a long-standing cybersecurity practice.

Make them strong and unique and have one for every service and account you create.

So you now have 47 different strong and unique passwords you can't remember.

As the digital landscape evolves and threats become more sophisticated, it's time to challenge conventional password wisdom.

NIST (the National Institute of Standards and Technology, the body behind multiple industry-standard cybersecurity frameworks) says periodic password changes are counterproductive, as users tend to set weaker passwords to remember them better. Those weak passwords only stand to compromise the security of an organization.

In addition, Microsoft, SANS, and many other security organizations agree that frequent password-changing policies do more harm than good.

Not only do users create weak passwords, but they also create variations of the same old weak password, which any halfway decent black hat hacker could easily figure out.

Your old password is likely available on the dark web and can be used as a starting point for testing variants. Hackers can easily spot patterns in how you change passwords, which makes their nefarious work easy. The more times one changes a password, the greater the chance that one or more of those old passwords will be found out.

"Do not require passwords be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise," said the NIST in its 2017 Digital Identity Guidelines.

The Evolution of Password Policies

Let's backtrack a little. The recommendation to change passwords emerged from a well-intentioned security strategy. The idea was to reduce the risk of unauthorized access by creating ever-changing credentials that hackers presumably can't keep up with.

The Flaws in Frequent Password Changes

  1. Predictable Patterns: As mentioned above, when individuals change passwords regularly, they tend to follow predictable patterns. For example, they may make minor alterations to existing passwords (e.g., "Password123" becomes "Password124"), which cybercriminals can easily predict and exploit.
  2. Password Fatigue: Frequent password changes often lead to "password fatigue" among users. When people are inundated with the need to remember numerous complex passwords and change them regularly, they are more likely to choose easily guessable passwords or write them down, undermining security.
  3. Complexity vs. Usability: The push for increasingly complex passwords can result in strings of characters that are challenging to remember. Users often resort to using the same password across multiple accounts or storing them in insecure locations.
  4. Lack of Targeted Protection: Frequent password changes may not effectively address the root causes of breaches. Many cyberattacks, such as phishing or malware, do not rely on password guessing but instead target user behavior and system vulnerabilities.

The Role of Strong Authentication and Policies

Instead of focusing solely on password changes, a more effective strategy involves implementing strong authentication methods. Here are some key elements of this approach:

  1. Multi-Factor Authentication (MFA): MFA combines something you know (e.g., a password) with something you have (e.g., a mobile device or smart card) and something you are (e.g., biometrics). This provides an additional layer of security far more robust than password changes alone.
  2. Zero Trust Policy: Zero Trust, the latest cybersecurity darling, is a modern-day strategy based on the principle "never trust, always verify." It assumes everyone is a cybercriminal until proven otherwise.
  3. Behavioral Analysis: Advanced security systems can analyze user behavior and flag anomalies. For example, if a user suddenly attempts to access sensitive data from an unusual location, the system can trigger additional authentication or block access until the user's identity is verified.
  4. Continuous Monitoring: Rather than relying on periodic password changes, continuous monitoring of network traffic and user activity can detect and respond to threats in real time. Suspicious activities can trigger immediate alerts and actions.
  5. Password Managers: Implementing reputable password managers can help users create and manage strong, unique passwords for each account without the burden of memorization.
  6. Education and Training: Security Awareness Training (SAT) can significantly reduce the risk of falling victim to common threats like phishing, which do not rely on password changes but rather manipulate user behavior.
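The two points above that translate most directly into policy are the "Password123" to "Password124" pattern and NIST's rule to rotate only on a user request or evidence of compromise. The following added example (my illustration, not code from the article or from NIST) shows how a password-change handler can enforce both: it rejects trivial variants of the previous password, screens against a breach list, and drops the calendar-based expiry entirely. The breach list and the minimum length are constructed assumptions for the demo.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a breached-password feed (lower-cased for comparison).
BREACHED = {"password123", "letmein", "qwerty2017", "summer2023!"}

MIN_LENGTH = 12        # assumed policy value; NIST favours length over forced complexity
MAX_SIMILARITY = 0.8   # ratio above which the new password counts as a small edit of the old


def normalize(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation so Password123 == Password124."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is a minor alteration of the old one (bumped counter, etc.)."""
    base = normalize(old)
    if base and base == normalize(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= MAX_SIMILARITY


def evaluate_change(old: str, new: str) -> list:
    """Return the reasons a proposed password change is rejected; an empty list means accept."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too short")
    if new.lower() in BREACHED:
        reasons.append("appears in breach corpus")
    if is_trivial_variant(old, new):
        reasons.append("trivial variant of previous password")
    return reasons


def must_rotate(current: str, evidence_of_compromise: bool) -> bool:
    """Force a change only on evidence of compromise (including exposure in a breach),
    never because a number of days has elapsed."""
    return evidence_of_compromise or current.lower() in BREACHED


if __name__ == "__main__":
    print(evaluate_change("Password123", "Password124!"))
    print(evaluate_change("Password123", "correct-horse-battery-staple"))
    print(must_rotate("Password123", False), must_rotate("correct-horse-battery-staple", False))
```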

Are Passwords Really Dead?

Not entirely. Passwords remain an essential part of digital security, and their effectiveness is greatly enhanced when they are used with other security measures. The real problem is more one of corporate mindset: your boss or bank believes frequent password changes are all that's needed to keep you or the organization safe from threats.

However, that's an outdated belief. Insider threats within an organization, such as employees, contractors, or business partners, can take various forms, from intentional actions like data theft or sabotage to unintentional actions caused by negligence or ignorance. This negligence or ignorance includes antiquated password policies and the frequent change of passwords.

It's time to shift our focus from the archaic notion of frequent password changes to a more comprehensive and user-friendly approach that reflects the realities of today's digital landscape.


More articles by Kelly Reeves