Time to Rethink Mandatory Password Changes

Dr Irving Hofman

The conventional wisdom regarding password policies is obsolete. The United States National Institute of Standards and Technology (NIST) is currently formulating new guidelines (the SP 800-63 Digital Identity Guidelines; the password rules are in 800-63B) that are definitely worth a look.

Many of the guidelines are common sense within the realm of traditional policies we are all used to. However, others may surprise you. I will highlight a couple of interesting items. It's worth spending the time to improve your password policy as the payoff can be huge for very little investment.

Size Matters

A simple but very long password is far superior to a complex but short one: the number of guesses an attacker must make grows exponentially with length but only polynomially with the size of the character set. I recommend a password length of at least 16 characters. To make the password easy to remember, simply use a passphrase. A passphrase is just a sequence of words, e.g. "Long computer passwords are better than short ones". The strength comes from the words being unpredictable, not from the character count, so a phrase an attacker could find in a sentence or quotation list gains nothing from its length. To make the password even harder to crack with attacks that assemble candidates from whole dictionary words, insert a few extra spaces in the middle of longer words, e.g. "Long comp uter passw ords are bet ter than short ones".

Some other tips when selecting a passphrase:

  • Don't use a famous quotation from literature or the movies.
  • Make sure it's hard to guess by intuition, but still easy to remember and type accurately.
  • Use a different password for each system, so that a breach of one site does not hand the attacker your other accounts.
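To make the size comparison concrete, here is an added example (my own code, not from the article or from NIST) that puts numbers on the guess space of a short complex password versus a passphrase, generates a passphrase with a cryptographic random source, and applies the extra-space trick from the text. The word list is a constructed 32-word sample used only to keep the example self-contained; the 95-character alphabet and 7776-word list size in the comparison are assumptions (printable ASCII and a diceware-sized list respectively).

```python
import math
import secrets

# Constructed word list for illustration only. Entropy per word is log2 of the
# list size, so a real generator should use a large, published list (for
# instance a 7776-word diceware-style list); the small list here is just to
# keep the example self-contained.
WORD_LIST = [
    "apple", "basket", "candle", "dragon", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pepper", "quartz", "rabbit", "saddle", "tunnel", "umbrella",
    "violin", "walnut", "yellow", "zebra", "anchor", "bridge", "castle",
    "desert", "ember", "falcon", "glacier",
]  # 32 words -> only 5 bits per word


def guess_space_bits(alphabet_size, length):
    """Bits of work to brute-force every string of `length` characters drawn
    from an alphabet of `alphabet_size` symbols (length is the exponent)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, list_size):
    """Bits of entropy in `n_words` words chosen uniformly and independently
    from a list of `list_size` words; the attacker is assumed to know the list,
    so only the number of words and the list size count."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words, word_list=WORD_LIST):
    """Pick words with the OS CSPRNG behind `secrets`, never random.choice."""
    return " ".join(secrets.choice(word_list) for _ in range(n_words))


def split_long_words(phrase, min_len=6):
    """The article's trick: put a space in the middle of every word of at
    least `min_len` letters so the phrase no longer consists of whole
    dictionary words (computer -> comp uter, better -> bet ter)."""
    out = []
    for word in phrase.split(" "):
        if len(word) >= min_len:
            cut = (len(word) + 1) // 2
            out.append(word[:cut] + " " + word[cut:])
        else:
            out.append(word)
    return " ".join(out)


if __name__ == "__main__":
    print(f"8 printable ASCII chars      : {guess_space_bits(95, 8):.1f} bits")
    print(f"5 words from a 7776-word list: {passphrase_bits(5, 7776):.1f} bits")
    print(f"5 words from this 32-word list: {passphrase_bits(5, len(WORD_LIST)):.1f} bits")
    print(split_long_words("Long computer passwords are better than short ones"))
    print(generate_passphrase(5))
```

The third line of output is the point to notice: five words from the tiny constructed list give only 25 bits, so the list size, not the number of letters, decides how strong a generated passphrase is. The entropy figures assume words chosen at random; a phrase you compose yourself from favourite words is worth fewer bits than this calculation reports.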

No Forced Password Expirations

This is my favourite piece of the NIST guidelines. If we want users to use long passphrases, then we shouldn't make them change their passwords just for the sake of changing them. Scheduled changes achieve very little, yet they frustrate the end user to no end. The reasoning comes down to entropy: the number of guesses an attacker needs depends on how unpredictably the password was chosen, not on how recently. If you're interested in the mathematics behind this, there's a great research paper here: http://www.cs.unc.edu/~fabian/.... It's a sad truth, but dumb policies over the years have successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess.

When users are forced to change passwords, they typically just follow a predictable pattern such as incrementing a number, adding or deleting a character, swapping the order of digits, etc. An attacker who already holds an old password (from a breach dump or a phishing kit) only has to enumerate those transforms to reach the new one in a handful of guesses, which is what researchers at UNC demonstrated in this paper: https://www.cs.unc.edu/~reiter...
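As an added example of the transform attack described above (my own code; the list of transforms is an illustrative selection, not the full set from the UNC paper), the block below expands an old password into the "next passwords" a user is likely to pick and checks whether a proposed new password is among them. The same function serves both sides: an attacker runs it to build a small online-guessing list, and a password-change handler can run it to reject a change that is merely a predictable edit of the previous password. The sample old/new pairs are constructed for the demonstration.

```python
import re

# Characters users most often tack onto the end of a password when told to change it
# (illustrative selection, not a measured frequency table).
SUFFIX_CHARS = "!1.#"


def single_step_transforms(old):
    """Return the set of passwords one predictable edit away from `old`."""
    cands = set()
    # (a) increment or decrement a trailing number, keeping any zero padding
    m = re.search(r"\d+$", old)
    if m:
        head, num = old[:m.start()], m.group()
        for delta in (1, 2, -1):
            n = int(num) + delta
            if n >= 0:
                cands.add(head + str(n).zfill(len(num)))
    # (b) append a common suffix character
    for ch in SUFFIX_CHARS:
        cands.add(old + ch)
    # (c) drop the last character
    if len(old) > 1:
        cands.add(old[:-1])
    # (d) swap the order of digits: reverse the first run of two or more digits
    m = re.search(r"\d{2,}", old)
    if m:
        cands.add(old[:m.start()] + m.group()[::-1] + old[m.end():])
    # (e) toggle the case of the first letter
    if old and old[0].isalpha():
        cands.add(old[0].swapcase() + old[1:])
    # (f) move a trailing block of digits/symbols to the front
    m = re.fullmatch(r"(.*?)([\d!@#$%.]+)", old)
    if m and m.group(1):
        cands.add(m.group(2) + m.group(1))
    cands.discard(old)
    return cands


def reachable(old, depth=2):
    """All passwords reachable from `old` by applying up to `depth` transforms
    (breadth-first, so the closest guesses come out first if you sort by depth)."""
    seen = {old}
    frontier = {old}
    for _ in range(depth):
        nxt = set()
        for pw in frontier:
            nxt |= single_step_transforms(pw)
        nxt -= seen
        seen |= nxt
        frontier = nxt
    seen.discard(old)
    return seen


def is_predictable_change(old, new, depth=2):
    """True if `new` is just a predictable edit (or two) of `old`."""
    return new in reachable(old, depth)


if __name__ == "__main__":
    # Constructed examples of the kind of change a rotation policy produces.
    pairs = [
        ("Summer2016", "Summer2017"),
        ("Summer2016", "Summer2017!"),
        ("P@ssw0rd12", "P@ssw0rd21"),
        ("Summer2016", "correct horse battery staple"),
    ]
    for old, new in pairs:
        verdict = "PREDICTABLE" if is_predictable_change(old, new) else "ok"
        print(f"{old!r} -> {new!r}: {verdict}")
    print("guesses needed to cover two edits of 'Summer2016':",
          len(reachable("Summer2016", 2)))
```

The candidate set stays in the low hundreds even at depth 2, which is well inside what an online attacker can try before a lockout triggers. If you use this as a change-time check, run it against the hash of the previous password only where you can still compare plaintext at the moment of change (the old and new values are both in hand in the change request), never by storing old passwords reversibly.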

Passwords should only be changed when they are forgotten or when there is evidence of compromise: the user fell for a phishing attack, the device they typed it on was infected, or the password database has been stolen. Changing them on a schedule does not increase password entropy. The only thing rotation buys is a shorter window in which an already-stolen password keeps working, and that is handled far better by breach notification and by checking new passwords against lists of known-compromised passwords (which the NIST guidelines require) than by calendar-driven changes.

Those interested in the NIST guidelines can view them here: https://pages.nist.gov/800-63-...