The Password Is Dead
Kelly Reeves
I help entrepreneurs build a profitable business with proven messaging & marketing strategies.
Frequent password changes... They're sooo 2017.
I've been guilty of giving the old "change passwords frequently" advice. The notion that individuals should frequently change passwords has been a long-standing cybersecurity practice.
Make them strong and unique and have one for every service and account you create.
So you now have 47 different strong and unique passwords you can't remember.
As the digital landscape evolves and threats become more sophisticated, it's time to challenge conventional password wisdom.
NIST (the National Institute of Standards and Technology, the body behind multiple industry-standard cybersecurity frameworks) says periodic password changes are counter-productive: users tend to set weaker, more predictable passwords so they can remember them, and those weak passwords end up compromising the security of the organization.
In addition, Microsoft, SANS, and many other security organizations agree that frequent password-changing policies do more harm than good.
Not only do users create weak passwords, but they also create variations of the same old weak password (Summer2017! becomes Summer2018!), which any halfway decent black hat hacker will try first.
If one of your old passwords has leaked, it becomes the starting point for guessing the current one: attackers can easily spot the pattern in how you change passwords, which makes their nefarious work easy. And every forced rotation puts one more password into circulation, so the more times you change a password, the greater the chance that one or more of those old passwords will be found out.
"Do not require passwords be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise," said NIST in its 2017 Digital Identity Guidelines (Special Publication 800-63B).
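To make the two points above concrete, here is an added example (mine, not from the original article or from NIST): the attacker side shows why a rotated password is cheap to guess from a leaked predecessor, and the defender side contrasts a legacy "change every 90 days" rule with a policy that forces a change only on evidence of compromise, as NIST recommends. The rotation history, the "breach corpus" and the mutation rules are all constructed for illustration; real cracking tools apply far larger rule sets.

```python
"""Rotation variants vs. change-on-compromise (added example, not the article's code)."""
import re
from datetime import date

# Constructed rotation history: what a 90-day forced rotation typically produces.
HISTORY = ["Summer2016!", "Summer2017!", "Summer2018!", "Autumn2018!"]

# Constructed "breach corpus": passwords an attacker already holds.
LEAKED = {"Summer2017!", "letmein", "Autumn2018!"}

SEASONS = ("Spring", "Summer", "Autumn", "Winter")


def mutate(pw: str) -> set[str]:
    """Attacker side: a small, hypothetical set of the variants users produce
    when forced to rotate (bump the number, swap the trailing symbol, swap the season)."""
    out: set[str] = set()
    m = re.fullmatch(r"(.*?)(\d+)(\W*)", pw)
    if m:  # increment/decrement the numeric suffix, keeping its width
        base, num, tail = m.groups()
        for delta in range(-3, 4):
            out.add(f"{base}{int(num) + delta:0{len(num)}d}{tail}")
    stripped = pw.rstrip("!@#$")
    for sym in "!@#$":  # change or double the trailing symbol
        out.add(stripped + sym)
        out.add(stripped + sym + sym)
    for s in SEASONS:  # season-word swap
        if pw.startswith(s):
            for t in SEASONS:
                out.add(t + pw[len(s):])
    out.discard(pw)
    return out


def derivable_from(candidate: str, leaked: set[str]) -> list[str]:
    """Which leaked passwords is 'candidate' equal to, or a trivial variant of?"""
    return sorted(old for old in leaked if candidate == old or candidate in mutate(old))


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used by the defender to spot 'old password with one tweak'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_weak_rotation(old: str, new: str) -> bool:
    """Defender side: reject a new password that is a predictable variant of the old one."""
    return new in mutate(old) or levenshtein(old, new) <= 2


def legacy_policy_requires_change(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """The pre-2017 rule: rotate on age alone, regardless of password quality."""
    return (today - last_changed).days >= max_age_days


def nist_policy_requires_change(pw: str, leaked: set[str], user_requested: bool = False) -> bool:
    """NIST SP 800-63B rule: change only on user request or evidence of compromise
    (here, the password appearing in a known breach corpus)."""
    return user_requested or pw in leaked


if __name__ == "__main__":
    for i in range(1, len(HISTORY)):
        print(f"{HISTORY[i-1]!r} -> {HISTORY[i]!r}: weak rotation = {is_weak_rotation(HISTORY[i-1], HISTORY[i])}")
    print("Summer2018! derivable from leaks:", derivable_from("Summer2018!", LEAKED))
    strong = "correct horse battery staple"
    print("legacy says change strong pw:", legacy_policy_requires_change(date(2024, 1, 1), date(2024, 4, 15)))
    print("NIST says change strong pw:", nist_policy_requires_change(strong, LEAKED))
    print("NIST says change leaked pw:", nist_policy_requires_change("Autumn2018!", LEAKED))
```

Run it and the attacker-side output shows every step in the rotation history is a one-rule variant of its predecessor, and that Summer2018! is reachable from two different leaked passwords. The policy comparison is the point of the quote above: the legacy rule forces a long, unique passphrase to change after 105 days for no reason, while the NIST-style rule leaves it alone and instead flags Autumn2018! the moment it shows up in a breach corpus.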
The Evolution of Password Policies
Let's backtrack a little. The recommendation to change passwords emerged from a well-intentioned security strategy. The idea was to reduce the risk of unauthorized access by creating ever-changing credentials that hackers presumably can't keep up with.
The Flaws in Frequent Password Changes
The Role of Strong Authentication and Policies
Instead of focusing solely on password changes, a more effective strategy involves implementing strong authentication methods. Here are some key elements of this approach:
Are Passwords Really Dead?
Not entirely. Passwords remain an essential part of digital security, and their effectiveness is greatly enhanced when they are combined with other security measures. The real problem is a corporate mindset: your boss or bank still believes frequent password changes are all that's needed to keep you or the organization safe from threats.
That belief is outdated. Insider threats within an organization, whether from employees, contractors, or business partners, range from intentional actions like data theft or sabotage to unintentional harm caused by negligence or ignorance. Antiquated password policies, forced rotation among them, belong in that second category: they push users toward the weak, predictable passwords an attacker wants.
It's time to shift our focus from the archaic notion of frequent password changes to a more comprehensive and user-friendly approach that reflects the realities of today's digital landscape.