The end of password expiry

Regular forced password changes are no longer advised by CESG. Barry Scott says businesses should instead be encouraging users to think about how passwords are used, and adopting additional security that works in tandem with passwords.

Barry Scott, CTO EMEA, Centrify

The practice of changing passwords periodically has been a standard security measure recommended by IT and security professionals for many years. Scheduled password changes were adopted primarily on the theory that a password stolen without the owner's knowledge would stop working at the next rotation, limiting how long an attacker could use it to access an account.

However, a recent report, 'Password Guidance: Simplifying Your Approach', from CESG, the UK government's National Technical Authority for Information Assurance, advises organisations on how to protect their information and suggests that regular password changing harms, rather than improves, security: it places an additional burden on users, who tend to respond with weaker and more predictable choices.

Whilst the report makes some valuable suggestions and recommendations on password practices, its comment that regular password changing “carries no real benefits” calls into question how secure passwords really are and how best to manage them.

While most of us agree that passwords on their own are a weak control, and that poor password practice can compromise systems, the suggestion that organisations drop their password expiry policy altogether is probably heresy to many IT security professionals.

The practice of enforcing regular password changes came in many years ago; in fact, a password change policy used to be one of the first things auditors checked when they came to visit. However, times have changed, and so has the way we work.

With the many ways we use the internet, it's easy to find ourselves reusing passwords and treating some accounts as less important than others. However, every password is valuable to an attacker: a credential for a supposedly low-value account can give access to intellectual property, or be tried against more valuable accounts where the same password was reused. It is therefore important to avoid the common mistakes that give attackers the opportunity to access your information and exploit your personal data.

There are numerous pros and cons, and do's and don'ts, of password security. Passwords are easy to implement, need no special hardware and are generally easy to use. But they are also easily forgotten or written down (and therefore exposed), easily targeted by brute-force and guessing attacks, sniffed on the network or captured by hardware or software keyloggers, and often reused across different accounts, so that one compromised account exposes the others.

So, should we force users to change passwords, and if so, how often? It's not an easy question to answer and the industry seems divided in its opinion. For some, requiring people to change passwords often is harmful, as it encourages weaker password choices and reuse of passwords across different sites, while others argue for monthly or more frequent changes for access to corporate applications and systems.

In a recent Centrify survey, it was alarming to see how much password sharing happens between employees, often so that a colleague can do work they cannot do from their own account. Regular enforced password change would at least ensure that a person the password was shared with could no longer log in after leaving the company, although there would still be a window, up to the full expiry interval, during which they could.

Similarly, if the user who shared the password leaves and de-provisioning processes are lax, password expiry may help stop them accessing resources after they've gone. Again, this isn't foolproof, and it is no substitute for promptly disabling a leaver's accounts.

It's true that changing passwords frequently puts pressure on users, who are forced to think of new ones and then remember them. The problem, of course, is not really the person but the password. We know it's time for change, we understand that passwords are the source of too many data breaches, and we know they are ill-equipped to protect us and our information in today's online world.

The value of strong passwords is well known, and most organisations already have password policies in place defining minimum password length and the frequency with which users must change their passwords. But policy alone is not enough. Businesses should be encouraging users to think about how and why they use passwords, and offering additional security that complements and works in tandem with those passwords.

There are many alternatives for securing and authenticating people, such as multi-factor authentication, biometrics, and single sign-on (SSO) so that users do not have to manage multiple usernames and passwords. We should be educating users so that they recognise that whilst changing passwords is important, it isn't the only solution. We should be changing the way we view, use and manage our passwords.
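As an added illustration of what "additional security that works in tandem with passwords" looks like in practice, the following is a minimal time-based one-time password (TOTP, RFC 6238) generator and verifier written in Python for this page. It is example code, not Centrify's or CESG's, and not a recommendation of any particular product. It uses the published RFC 4226/6238 test secret so the codes can be checked against the RFCs' tables; the one-step clock-drift tolerance and the replay guard are design choices of this example, and the account name and issuer in the provisioning URI are made up.

```python
"""Minimal TOTP (RFC 6238) second factor: generate, enrol and verify codes.

Added example for this article; not code from Centrify or CESG.
The shared secret is independent of the user's password, so a password
that has been phished, keylogged or shared is not enough on its own.
"""
import base64
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the current time step (30 s by default)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI (base32 secret) that authenticator apps read from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}"
            f"?secret={b32}&issuer={issuer}&digits=6&period=30")


class TotpVerifier:
    """Server-side check with clock-drift tolerance and replay rejection.

    A code is accepted if it matches the current time step or one step
    either side (drift).  Each time step can be consumed at most once, so a
    code captured by a keylogger cannot be replayed within its window.
    In a real deployment last_counter is persisted per user.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1          # highest time step already used

    def verify(self, code: str, at_time=None) -> bool:
        if at_time is None:
            at_time = time.time()
        now = int(at_time) // self.step
        submitted = code.strip().encode()
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter < 0 or counter <= self.last_counter:
                continue                # already consumed, or older than a consumed code
            expected = hotp(self.secret, counter, self.digits).encode()
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Enrolment: this URI would be shown as a QR code to the user once.
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "ExampleCorp"))
    print("code at t=59:", totp(RFC_SECRET, 59))             # 287082 per RFC 6238
    v = TotpVerifier(RFC_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))    # True False (replay)
```

The verifier only ever compares the submitted code against codes it derives itself, so the secret never leaves the server and the user's password is not involved at all; an attacker who has obtained the password still needs the current code from the user's device.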

Contributed by Barry Scott, CTO EMEA, Centrify