Regular Password Change is out

«Please change your password» - who doesn't know it, the regular request to choose a new password by day X that pops up every 3 months, every six months or every year?

What is interesting about this request, which is still sent out in many companies, is that such a periodic change actually makes no sense at all. As early as August 2017, it was reported in the media that Bill Burr, one of the first authors of password guidelines, now regrets his advice to change passwords regularly (read here).There was a reason for this change of mind. What is recommended today for the secure handling of passwords, you will learn in this short article.

What is the problem?

When users are regularly «nagged» with reminders to change their password, this leads many of them to frustration and an urgent desire to change their password as quickly as possible to prevent further prompts. As a result, they choose simple and short new passwords that differ only minimally from the previous password and that they can easily remember - for example, according to the current season: spring2023, summer2023, fall2023, winter2023, spring2024, and so on.

This is not in the sense of the inventor and IT security! The problem was quickly recognized as a result. In the well-known IT security frameworks, the recommendations for changing passwords have long since been adapted accordingly. For example, the US authority NIST advises deactivating the function that controls the expiration of passwords ( Standard SP 800-63B Section So how should companies today ensure that their employees' accounts are safe and secure?

How to make accounts safe

The best solution is to set a very secure password from the beginning, which meets the defined complexity guidelines. Instruct users in advance in detail how to create strong passwords, making it clear from the start that this password will not need to be changed until further notice. This assurance that the effort is worthwhile motivates users to actually choose a unique and good password. One approach, for example, is passphrases: In this case, users think of a phrase or word structure, such as doctorglassthumbneedlethread. The easiest way to remember this is to think of a story to go with it.

In some circumstances, it may make sense not to set the complexity standards too high to allow users to choose a secure password that they can still remember.

As soon as the deadline for setting a secure password in accordance with the company's specifications has passed, the first thing IT should do is check whether all employees have complied with this request in the desired manner. You can use technical options to automatically test and confirm whether the passwords actually meet the security requirements.

If the selected passwords meet the security requirements, employees can use them indefinitely.

Exceptions from the rule

In fact, there are situations in which it is imperative that all users change their passwords, even if they are secure according to policy. This is the case, for example, when there is even the slightest suspicion that a cyberattack may have compromised IT security. If this is the case, the security of the passwords can no longer be guaranteed, and it is essential that all users change their passwords as soon as possible. Accounts of users for whom this is not possible due to vacations, illness or other absences should be deactivated immediately until the password change can be performed.

What about «shared» accounts?

Shared accounts are another exception. In principle, the rule is: «Shared accounts do not exist!», because shared accounts should be avoided at all costs! If this is not possible for a valid reason, the password must be changed regularly without exception. Even if a person who has access to the shared account leaves the organization or takes on another function internally, a password change is called for!

The password change policy is just one of our security tips. In our House of IT Insights you will find many other tips on the subject of cybersecurity and the secure handling of your company data.

If you have any further questions on the subject of IT security, our IT security consultant, Marius Dubach, will be happy to provide you with a personal consultation.

Marius Dubach, IT Security Consultant

+41 61 500 16 15