Why 'Never Expire' Passwords Can Be a Risky Decision

Password resets may be annoying for end users. Nobody enjoys being stopped by the 'time to change your password' prompt, and they appreciate it even less when the new passwords they come up with are rejected by their organization's password policy. IT staff share the pain: password changes handled through service desk tickets and support calls become a daily headache. Despite this, it is generally accepted that all passwords should expire after a certain length of time.

Why is this the case? Do you need password expiries at all? Below we look at why expiries exist, and why setting passwords to 'never expire' may avoid some of these difficulties but is not necessarily the best choice for cybersecurity.

Why do we have password expiries?

The conventional 90-day password reset policy originates from the need to guard against brute-force attacks. Organizations generally store passwords as hashes: scrambled, one-way representations of the original passwords computed with cryptographic hash functions (CHFs). When a user enters their password, it is hashed and compared against the stored hash. Attackers seeking to crack these passwords must guess the right one by running likely candidates through the same hashing method and comparing the results. This process can be made harder for attackers by techniques such as salting, where a random value is added to each password before hashing.
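The storage-and-verification scheme described above, as an added example that is not code from the original article or from any product it mentions. The PBKDF2 work factor and salt size are assumptions chosen for illustration; the point is that a per-user salt means two users with the same password no longer share a stored hash, whereas a bare unsalted hash does.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example only (not values from the article).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a password hash with PBKDF2-HMAC-SHA256 over a per-user salt.

    Returns (salt, digest); only these two values would be stored, never the
    password itself. A fresh random salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time.

    This is the work a login check performs for one attempt, and also the work
    an attacker must repeat for every guess, which is why a slow, salted
    hash raises the cost of brute force.
    """
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored)


def unsalted_sha256(password: str) -> bytes:
    """The weak scheme: a bare fast hash with no salt, so equal passwords
    produce identical stored values and one precomputed table covers all users."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def shared_hash_between_users(password: str) -> Tuple[bool, bool]:
    """Return (unsalted_collides, salted_collides) when two users pick the same
    password: True means their stored hashes are identical."""
    unsalted_collides = unsalted_sha256(password) == unsalted_sha256(password)
    _, hash_a = hash_password(password)
    _, hash_b = hash_password(password)
    return unsalted_collides, hash_a == hash_b
```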

Brute-force attacks depend on several factors, including the processing power available to the attacker and the strength of the password. The 90-day reset interval was considered a reasonable way to stay ahead of brute-force attempts without burdening users with overly frequent changes. Advances in technology, however, have reduced the time needed to crack passwords, which calls for a re-evaluation of this approach. Despite this, the 90-day expiry remains a recommendation in many compliance standards, including PCI.

Why have certain organizations got rid of expiries?

One of the primary arguments against frequent password expiration is that it can lead to the recycling of weak passwords. Users commonly make small changes to their old passwords, such as changing 'Password1!' to 'Password2!'. This practice undermines the security benefit of password changes. The main problem here, however, is not the act of changing passwords but the organization's policy that accepts weak passwords in the first place.

The bigger reason firms have opted for 'never expire' passwords is to reduce the load on IT and the service desk. The cost and stress of password resets for IT help desks are enormous. Gartner estimates that 20-50% of IT help desk calls are related to password resets, with each reset costing about $70 in labor according to Forrester. This adds up, particularly since users routinely forget their passwords after being forced to create new ones.

Some firms may therefore be tempted to push end users into choosing one really strong password and then setting passwords to 'never expire' in order to cut down on IT load and reset costs.

What are the hazards with 'never expire' passwords?

Having a strong password and never changing it can give someone a false sense of security. A strong password is not immune to risk; it can be exposed through phishing attempts, data breaches, or other incidents without the user ever noticing. The Specops Breached Password Report shows that 83% of the passwords that had been compromised met the statutory requirements for length and complexity.

A business could have a strong password policy where every end user is required to set a strong password that is resistant to brute-force attacks. But what happens if the employee reuses that password for Facebook, Netflix, and all their other personal services too? The chance of the password being compromised rises considerably, regardless of the internal security measures the firm has in place. A LastPass survey found that 91% of end users knew the danger of password reuse, yet 59% did it anyway.

Another issue with 'never expire' passwords is that an attacker can use a set of compromised credentials for a long period of time. The Ponemon Institute found that it typically takes a company around 207 days to notice a breach. While enforcing password expiry might help here, it is likely that an attacker would already have achieved their goals by the time the password expires. Consequently, NIST and other standards advise businesses to set passwords to never expire only if they have procedures in place to detect compromised accounts.

How to identify compromised credentials

Organizations should establish a comprehensive password policy that goes beyond routine expiration. This includes encouraging users to build strong passphrases of at least 15 characters, which can considerably reduce susceptibility to brute-force attacks. Encouraging end users to create longer passwords can also be done through length-based aging, where longer, stronger passwords are allowed to remain in use for longer before they expire. This approach avoids the need for a one-size-fits-all expiration period, provided users comply with the organization's password policy.

However, even strong passwords can be compromised, and there need to be mechanisms in place to detect this. Once a password has been breached, its cracking time in the bottom right of the above table switches to 'instantly'. Organizations need a joined-up approach to make sure they are protecting themselves against both weak and breached passwords.
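The joined-up policy the last two paragraphs describe, as an added example that is not code from the article or from Specops: length-based aging (longer passphrases earn a longer lifetime) combined with a breached-password check that rejects a password regardless of its length. The aging tiers, the 15-character minimum and the breached list are constructed assumptions for illustration; a real deployment would query a breached-password feed rather than an inline set.

```python
from datetime import date, timedelta
from typing import Optional

# Constructed sample of known-breached passwords (stand-in for a real
# breached-password feed). Note the long passphrase: length does not help
# once the value itself has leaked.
BREACHED = {"Password1!", "Password2!", "correct horse battery staple"}

# Assumed length-based aging tiers: (minimum length, days before expiry),
# checked from longest to shortest. Illustrative values, not a recommendation.
AGING_TIERS = [(20, 365), (15, 180), (0, 90)]

# The article's suggested passphrase minimum.
MIN_LENGTH = 15


def expiry_days_for(password: str) -> int:
    """Map password length to its permitted lifetime under length-based aging."""
    for min_len, days in AGING_TIERS:
        if len(password) >= min_len:
            return days
    return AGING_TIERS[-1][1]


def evaluate_password(password: str, set_on: date) -> dict:
    """Apply the combined policy and return the decision.

    Order matters: a breached password is rejected before anything else,
    because its effective cracking time is 'instantly' no matter how long
    or complex it is. Only a non-breached, long-enough password is accepted,
    and its expiry date follows from its length.
    """
    expires_on: Optional[date] = None
    if password in BREACHED:
        return {"accepted": False, "reason": "known breached", "expires_on": expires_on}
    if len(password) < MIN_LENGTH:
        return {"accepted": False, "reason": "shorter than minimum", "expires_on": expires_on}
    expires_on = set_on + timedelta(days=expiry_days_for(password))
    return {"accepted": True, "reason": "ok", "expires_on": expires_on}


def is_expired(decision: dict, today: date) -> bool:
    """True when an accepted password has passed its length-based expiry date."""
    return decision["accepted"] and today > decision["expires_on"]
```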

If you're interested in managing all of the above in an automated way from an easy-to-use interface inside Active Directory, Specops Password Policy could be a valuable weapon in your cybersecurity arsenal. Through its Breached Password Protection service, Specops Password Policy can continuously check for and block the use of more than 4 billion unique known breached passwords. See for yourself with a live demo.
