
To Beef Up Cybersecurity, Say “No” to Mandatory Password Expiration


October 20, 2022

For decades, cybersecurity professionals recommended changing passwords on a fixed schedule. NIST (in SP 800-63B) and Microsoft (in its Windows security baseline, since 2019) have since abandoned mandatory password expiration. Microsoft gives two reasons. First, scheduled changes do little to prevent an intrusion: an attacker who obtains a password almost always uses it immediately, long before any expiry date arrives, and expiry does nothing for a password that was never compromised. Second, users forced to change passwords periodically tend to choose weaker, more predictable ones. A 2010 University of North Carolina at Chapel Hill study found that when users are forced to change their passwords, they often just transform the old one, for instance by appending or incrementing a digit or changing capitalization, rather than choosing an entirely new password.

There is a middle path between never expiring passwords and expiring all of them on the same schedule. Specops Password Policy supports length-based password aging: the longer (and therefore stronger) the password a user chooses, the less often they are required to change it. Length-based aging can be combined with Specops' dynamic feedback feature, which rejects the common transformations of the previous password and so forces the user to adopt a genuinely new one. The goal is a policy that rewards strong passwords by letting users keep them longer while removing the incentive to make the minimal change that satisfies the rule.
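As an added illustration, not Specops' code and not a description of how its product is implemented, the following Python sketches the two mechanisms the paragraph describes: a maximum password age that grows with length, and a transformation check that works from the stored hash of the previous password, which is all a directory normally has at change time. The aging tiers, the list of transformations, the PBKDF2 parameters and the sample old/new password pairs are all constructed for this example.

```python
"""Length-based password aging plus old-password transformation detection.

Added illustration only; the tiers, transformation list and hashing
parameters are constructed for this example, not taken from any product.
"""
import hashlib
import hmac
import os
import re

# Hypothetical policy tiers: (minimum length, maximum age in days).
# Passwords of NO_EXPIRY_LENGTH or more characters never expire.
MIN_LENGTH = 8
AGING_TIERS = [(8, 90), (12, 180), (16, 365)]
NO_EXPIRY_LENGTH = 20

PBKDF2_ITERATIONS = 100_000  # illustrative cost; an AD password filter would compare NT hashes

# Undo the most common "leet" substitutions so p@ssw0rd collapses to password.
LEET_TO_PLAIN = str.maketrans("@30$!1", "aeosii")


def max_age_days(password):
    """Maximum age in days for a password of this length; None means no expiry."""
    n = len(password)
    if n < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    if n >= NO_EXPIRY_LENGTH:
        return None
    days = 0
    for min_len, tier_days in AGING_TIERS:
        if n >= min_len:
            days = tier_days
    return days


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; stands in for whatever the directory stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def _decrement_digit_runs(s, by):
    """Variants where one run of digits is lowered by `by` (2022 -> 2021)."""
    out = set()
    for m in re.finditer(r"\d+", s):
        value = int(m.group()) - by
        if value < 0:
            continue
        out.add(s[:m.start()] + str(value).zfill(len(m.group())) + s[m.end():])
    return out


def transform_candidates(new_password):
    """Strings the *previous* password may have been if `new_password` is a
    single simple transformation of it: case change, added prefix or suffix
    of up to three characters, incremented number, or leet substitution."""
    c = {new_password, new_password.lower(), new_password.upper(),
         new_password.capitalize(), new_password.swapcase(),
         new_password.translate(LEET_TO_PLAIN)}
    for k in range(1, 4):
        if len(new_password) > k:
            c.add(new_password[:-k])  # suffix was added: Password1 -> Password12
            c.add(new_password[k:])   # prefix was added
    for by in (1, 2):
        c |= _decrement_digit_runs(new_password, by)
    c.discard("")
    return c


def is_transformation(new_password, old_hash, salt):
    """True if any candidate hashes to the stored hash of the old password.
    Only the old hash is needed, so the check works without the old plaintext."""
    return any(hmac.compare_digest(hash_password(cand, salt), old_hash)
               for cand in transform_candidates(new_password))


def evaluate_change(stored_salt, stored_old_hash, new_password):
    """Decide on a change request: returns (accepted, max_age_days, reason)."""
    try:
        age = max_age_days(new_password)
    except ValueError as exc:
        return False, None, str(exc)
    if is_transformation(new_password, stored_old_hash, stored_salt):
        return False, None, "new password is a simple transformation of the old one"
    return True, age, "accepted"


def demo():
    """Constructed old/new pairs; the old password exists only as salt + hash."""
    pairs = [
        ("Winter2021!", "Winter2022!"),            # incremented year
        ("Password1", "Password12"),              # appended digit
        ("password", "p@ssw0rd"),                 # leet substitution
        ("password", "P@ssw0rd"),                 # leet + case: two steps, slips through
        ("Tr0ub4dor&3", "purple monkey dishwasher"),  # genuinely new passphrase
    ]
    results = {}
    for old, new in pairs:
        salt = os.urandom(16)
        results[new] = evaluate_change(salt, hash_password(old, salt), new)
    return results


if __name__ == "__main__":
    for new, (ok, age, why) in demo().items():
        print(f"{new!r}: {'accepted' if ok else 'rejected'} (max age {age}) - {why}")
```

The check searches one transformation deep, so a two-step change such as "password" to "P@ssw0rd" is accepted; widening the search to chains of transformations catches more of what the UNC study observed at the cost of hashing more candidates. In Active Directory the stored value is an unsalted NT hash, which makes each candidate comparison cheap, but the same design applies wherever the previous password is kept only as a hash.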
