
IT Policy: How Often Should You Change Your Passwords?


Anyone who's ever created a login has no doubt bumped up against seemingly arbitrary and annoyingly complex password composition rules. For digital citizens, one of the most frustrating hoops to jump through is the forced inclusion of special characters. But wait, not THAT special character… or that one… or that one… or that– okay, a dollar sign is fine. But only for this account and 90 days from now when we force you to change your password it won't be.

Enter the National Institute of Standards and Technology (or NIST, for short) — the agency responsible for developing a standardized password policy for the whole of the U.S. government and public sector. (For the private sector, adopting each set of new guidelines is entirely voluntary, but historically the majority of companies have chosen to do so in order to remain at the cutting edge of security best practices. We have!)

When NIST released its updated password guidelines last year, they carried a radical new recommendation:  go easy on the end user. Put the burden on the verifier instead. (The "verifier" is the service someone is trying to log into.)

As word of this change spread, you could almost hear web admins across the country drop a collective "&%#@_!" But, far from the taboo those six symbols might suggest, security experts were opting to follow the letter of NIST's new guidelines:  Stop imposing these burdensome and overly complex password composition rules on digital users altogether.

And so, quite literally, a few choice special characters were dropped overnight… right off the list of those you're not allowed to use in a password.

While this reversal of policy might seem surprising to some, if not counterintuitive, the reasoning is sound:  password complexity rules are counterproductive. They create a false sense of security, and against today's computing power they are largely ineffective.

As Randall Munroe, author of the popular webcomic XKCD, puts it:  "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."

What Makes For A Successful Password Policy?

Success means something different to everyone, but in terms of a company-wide password policy, it should really mean one thing:  it's user-friendly and secure. In the race between security and simplicity, human nature will always win out. Don't worry though, that's not cynicism. It's science! (Neuroscience, to be exact.)

Simply put:  our brains are hardwired to take the path of least resistance. What's easier than checking 5,459 unread emails? Not checking them. What's easier than forcing yourself to remember 100 different logins for as many different services? Remembering only five and then writing them all down on a sticky note so you don't have to remember them after all.

Science!

Put even more simply:  when password policies are too burdensome, it leads people to engage in self-defeating security practices. Here are a few fan favorites:

  • Using simple phrases such as "letmein" or the evergreen "password."
  • Using easily guessed letter or number patterns like "1234567" or "qwerty."
  • Using the same few passwords over and over again, thereby leaving financial and work accounts vulnerable to attacks.
    • Did you know:  The average American internet user has 5 distinct passwords, 150 online accounts, and registers a mean of 40 sites to a single email address. It's true! (It's also terrifying.)
  • Storing passwords insecurely, either by plopping them in an Excel spreadsheet (easily located), scrawling them on a piece of paper (easily read), or dumping them in a folder not-so-cryptically named Passwords (easily hacked; hat-tip, Sony Pictures circa 2014).
  • Changing only one character when required to change passwords arbitrarily (e.g. every 90 days):  iliketurtles1 → iliketurtles2.
  • All of the above.

A successful company password policy keeps these practices in mind. It understands and accepts that human nature will always attempt to undermine it, and it takes the necessary steps to close these fallibility gaps before they're ever opened by educating and empowering users with a better understanding of how passwords work.

Rules for Empowerment (Or, How To Create Unbreakable Passwords)



Under the new NIST guidelines, the way to empower users to create unbreakable passwords is straightforward:  promote the use of passphrases over the use of traditional passwords.

Considering this, here are some suggested dos and don'ts:

DO:  Put friendliness first. Encourage employees to create multi-word or at least longer passwords that are reasonable to remember but harder to hack. Avoid asking them to jump through complex hoops that only provide the illusion of security.

DON'T:  Allow easy. People often choose passwords that are predictable, and that reference something in their lives that others may know. These might be birth dates, street names, pet names, child or other family names, etc. If someone in your life could reasonably guess your password, a hacker can crack it just as fast (if not faster). Ask employees to think a little outside the box when coming up with a new password or passphrase.

DO:  Bigger is better; longer is stronger. User passwords should really be a minimum of 8 characters long, and according to NIST, verifying systems should now allow a maximum length of at least 64 characters (not always the case in the private sector). Best practice is to use as many characters as is reasonable. Every additional character makes the password exponentially harder to crack.

DON'T:  Allow users to create password hints. If you have control over this option, it is always smart to disable it. Sometimes you don't have control; in those cases, strongly suggest that your employees refrain from using this function.

DON'T:  Force users to change their passwords arbitrarily. Arbitrary expiration is counterproductive, and makes it more difficult for users to come up with effective and memorable passwords. Some systems have this function built in and it is unavoidable. But when and where it can be controlled, the only time someone should reset their password is if they have forgotten it, been phished, or if your company has (or has potentially had) a security breach of some kind.

DO:  Push for passphrases. While well-known song lyrics or other common word groupings are an obvious no-no, people can be pretty creative when they're given free rein to develop something memorable. Take icannotrememberthepassword, for example. It's amusing, it's unforgettable, and it has 99.7 bits of entropy. (But probably don't use that exact one.)
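The dos and don'ts above, expressed as a verifier-side check in Python. This is an added example, not code from the original article or from NIST. The blocklist is constructed from the weak passwords this article names, and `context_words` and `previous` are hypothetical parameters (`previous` is assumed to be the current password a user types into a change-password form).

```python
import unicodedata

# Constructed blocklist: the weak choices this article names. A real deployment
# would load a large list of common and breached passwords instead.
BLOCKLIST = {"letmein", "password", "1234567", "qwerty"}
MIN_LEN = 8    # minimum length stated in the article
MAX_LEN = 64   # a verifier's cap may be higher than 64, never lower


def _is_sequence(pw):
    """True for one repeated character or a straight run such as 'abcdefgh'."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def _strip_counter(pw):
    """Drop trailing digits so 'iliketurtles1' and 'iliketurtles2' compare equal."""
    return pw.rstrip("0123456789").lower()


def check_password(candidate, context_words=(), previous=None):
    """Return a list of rejection reasons; an empty list means accept.

    No composition rules are applied: any character, spaces included, is
    allowed, and nothing here forces expiry or asks for a hint.
    """
    pw = unicodedata.normalize("NFKC", candidate)  # stable form for Unicode input
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if lowered in BLOCKLIST or _is_sequence(lowered):
        reasons.append("commonly used or patterned")
    # Birth dates, pet names, street names: anything others may know.
    if any(len(w) >= 3 and w.lower() in lowered for w in context_words):
        reasons.append("contains personal or account detail")
    # The 'change one character' habit that forced rotation produces.
    if previous is not None and _strip_counter(pw) == _strip_counter(previous):
        reasons.append("only a counter changed from previous password")
    return reasons
```

The check only decides acceptance; storing the accepted password with a salted, slow password-hashing function is a separate verifier duty.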

At the end of the day, although the burden of verification should ideally be placed on the verifying system, it's not always that simple and it is important for both employees and employers to take responsibility for their password practices. By developing password policies that are human-friendly, a business can empower its employees to craft passwords that will stand up to even the most stubborn hackers. Security will naturally follow, and if your organization still needs help with its security policies, our engineers are always here to help.

Contact JNT TEK for an evaluation of your IT policies and find out how you can make your company more secure.
