Passwords: to change or not to change?
Weighing up the pros and cons of periodic password reset:
The National Institute of Standards and Technology (NIST) is widely treated as the gold standard for researching and recommending cybersecurity standards, and organizations often look to its Digital Identity Guidelines (SP 800-63) when aligning their identity practices. But what does NIST actually recommend for passwords?
Older NIST guidance, and the industry practice that grew up around it, favored periodic password expiration, but that changed with SP 800-63B in 2017, which said verifiers should not require arbitrary periodic changes, and the 2024 revision went further and states that they shall not. Instead, NIST suggests organizations focus on password length, screen new passwords against lists of known-compromised passwords, and force a change only when there is evidence a password has been compromised.
Despite this, the topic is still debated: should organizations have a periodic password reset, yes or no? Let's discuss.
Pros of periodic password reset:
- If someone's password has been compromised and they don't know it, the stolen credential becomes invalid once the reset window passes.
- If you aren't using MFA and/or a password manager, having some control in place like a periodic reset is better than nothing.
- An attacker may come back to an account repeatedly over a period of time. Changing the password regularly shortens how long a single stolen credential keeps working (though an attacker who has already logged in can often establish persistence, such as a mailbox rule or an API token, that outlives the password).
- It reduces the chance that a former employee, or anyone who learned a shared credential, can still get into company systems; proper offboarding should already revoke that access, but expiration is a backstop when it doesn't.
Cons of periodic password reset:
- When people are forced to reset periodically, they tend to reuse the old, familiar password and just add or change something at the end of it (Summer2023! becomes Summer2024!), which an attacker who knows the old one can guess in a handful of tries.
- They pick something easy as their password, because a long, complex password is hard to remember and annoying to type several times a day.
- It is annoying to constantly have to think up a new password every 90 days, and every reset generates help-desk tickets and lockouts for people who forget the new one.
- It becomes dangerous when people write their passwords down to keep track of the changes, especially in places that are not at all secure.
Conclusion
What matters is that every organization, whether you land in the pro or the con camp, has a strong password policy in place. Recommendations include:
- Set a standard policy on password length: NIST now calls for a minimum of 8 characters, 15 when the password is the only factor, and says you should accept at least 64 so passphrases work. Screen new passwords against a list of known-compromised passwords rather than imposing complexity rules.
- Rate-limit and lock out after a set number of failed log-in attempts, but prefer temporary throttling to permanent lockout so an attacker can't deliberately lock your users out.
- Do not recycle passwords across different accounts/applications (work and home).
- If you suspect a breach or an unauthorized log-in, be proactive and change your password immediately; NIST requires a forced change when there is evidence of compromise.
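To make the recommendations above concrete, here is an added example (written for this article, not code from NIST or from any product) of how a verifier might enforce them: a length check in line with current SP 800-63B numbers, a lookup against a compromised-password denylist, a check that catches the "old password plus a new suffix" habit discussed under the cons, and a sliding-window throttle for failed log-ins. The denylist, the sample passwords, and the limits of 15 and 64 characters used as constants are constructed for the example.

```python
"""Password-policy checks in the spirit of NIST SP 800-63B.

Added illustration for the article above; not code from NIST or from any
vendor. The denylist contents and the sample passwords are constructed.
"""
import hashlib
import re
import time
from typing import Optional

MIN_LENGTH = 15   # NIST 800-63B rev. 4 minimum for password-only log-ins
MAX_LENGTH = 64   # verifiers should accept passphrases at least this long

# Constructed stand-in for a real breached-password corpus. Only SHA-1
# digests are kept, the same shape as public "pwned password" datasets, so
# the plaintext list never sits in memory or on disk.
_KNOWN_COMPROMISED = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "Password123!", "Winter2024!", "letmein", "Company2024!")
}


def is_compromised(password: str) -> bool:
    """True if the candidate appears in the compromised-password denylist."""
    return hashlib.sha1(password.encode()).hexdigest() in _KNOWN_COMPROMISED


def _core(password: str) -> str:
    """Strip leading/trailing digits and symbols and lower-case the rest, so
    'Summer2023!' and 'summer2024!!' reduce to the same core 'summer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password).lower()


def is_trivial_rotation(new: str, previous: str) -> bool:
    """Catch the 'familiar password with a new suffix' pattern. The previous
    plaintext is available here only because the user re-authenticates with
    it at change time; it is never stored."""
    core_new, core_old = _core(new), _core(previous)
    if len(core_old) < 4:          # too short to be meaningful
        return False
    return core_new == core_old or core_old in core_new


def check_password(candidate: str, previous: Optional[str] = None) -> list:
    """Return the list of policy violations for a proposed password
    (empty list means the password is acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_compromised(candidate):
        problems.append("appears in a known-compromised password list")
    if previous is not None and is_trivial_rotation(candidate, previous):
        problems.append("trivial variation of the previous password")
    return problems


class LoginThrottle:
    """Counts failed attempts per account inside a sliding window and refuses
    further attempts once the limit is hit. Blocking expires on its own, so an
    attacker cannot permanently lock a legitimate user out by spamming bad
    passwords. The clock is injectable so the behaviour can be tested."""

    def __init__(self, max_failures=10, window_seconds=900, now=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.now = now
        self._failures = {}   # account -> list of failure timestamps

    def _recent(self, account):
        cutoff = self.now() - self.window
        recent = [t for t in self._failures.get(account, []) if t >= cutoff]
        self._failures[account] = recent
        return recent

    def is_blocked(self, account) -> bool:
        return len(self._recent(account)) >= self.max_failures

    def record_failure(self, account):
        self._recent(account).append(self.now())

    def record_success(self, account):
        self._failures.pop(account, None)


if __name__ == "__main__":
    print(check_password("Winter2024!"))                       # short and breached
    print(check_password("Summer2024!!", previous="Summer2023!"))  # trivial rotation
    print(check_password("blue kettle orbits the moon"))       # acceptable passphrase
```

The rotation check deliberately compares plaintext cores rather than hashes, which is only possible at the moment of change when the user has just proven the old password; the old password is not retained afterwards. In a real deployment the denylist lookup would query a full breached-password dataset (locally, or via a k-anonymity API), and the throttle's counters would live in a shared store rather than process memory.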
If you're confused about what steps you should take on your cybersecurity journey, reach out to us here.