Is mandatory password expiration helping or hurting your password security?

For decades cybersecurity professionals held tight to the idea that passwords needed to be changed on a regular basis. In recent years, however, organizations such as NIST and Microsoft have abandoned this longstanding best practice and are now recommending against mandatory password expiration.

The case against password expiration

Microsoft lists two main reasons why scheduled password expirations should be avoided.

Fast-acting criminals won’t be deterred by your 90-day change policy

First, the company argues that scheduled password changes do little to prevent an intruder from gaining access to a victim’s network because threat actors almost always make immediate use of compromised passwords.

In many ways, password theft is like credit card theft. When a criminal steals a credit card number, they know that they have a very limited amount of time before the card is reported to be stolen and is deactivated. As such, they will typically use a stolen card immediately. Password theft works the same way in that threat actors are anxious to exploit stolen credentials before compromised accounts are deactivated or passwords are changed.

End-users are tired of the needless change of a perfectly good password

The other reason that Microsoft cites in their recommendation against scheduled password expirations is that when users are forced to periodically change their passwords, they are much more inclined to use passwords that are both insecure and predictable.

This idea is based on a 2009 study by the University of North Carolina at Chapel Hill. Since most networks are configured to lock accounts after a small number of incorrect password guesses, researchers wanted to determine if it was possible to create an algorithm that could correctly guess passwords in five or fewer guesses, using one of a user’s previous passwords as a starting point.

The study found that when users are forced to periodically change their passwords, they often resort to using transformations rather than using an entirely new password. These transformations might involve replacing a character with a symbol (for example, using a dollar sign instead of the letter S) or incrementing a number to the end of the password.

By examining thousands of password histories, researchers were able to determine the types of transformations that users most often resorted to using. They then used this information to create an algorithm that has a high probability of being able to guess a user’s current password based on a previous password in five guesses or less.

From Microsoft’s perspective it is far better for a user to create a strong but unchanging password than to simply create a password that barely adheres to the organization’s minimal password requirements and then make small changes to that password each time that the organization requires the password to be changed.

What About Other Password Security Guidelines?

Although NIST and Microsoft don’t recommend mandatory scheduled password changes, not everyone is convinced. The payment card industry for example, requires any organization that accepts credit card payments to comply with PCI DSS standards.

PCI DSS 4.0, which goes into effect when PCI DSS version 3.2.1 is retired in 2024, still requires scheduled password changes. The 4.0 version of the PCI DSS standards require organizations to use passwords that are at least 12 characters in length (with some exceptions) and that passwords be changed every 90 days.

The best of both worlds

The fact that Microsoft and NIST recommend against mandatory password expirations while other industry standards such as PCI still require them clearly indicates that there is no clear-cut answer to whether forced password changes are a good thing. But what if there were an in between option?

Length-based password aging to the rescue

Specops Password Policy supports length-based password aging, which may be the happy medium that organizations are looking for. The basic idea behind this feature is that an organization can make it so that users who create strong passwords are rewarded with less frequent password changes.

On the surface, it might initially seem as though length-based password aging does not entirely solve the problem. After all, even a user who creates a super strong password is still going to be required to change that password at some point and will presumably resort to using password transformations rather than creating an entirely new password. However, length-based password aging can be used in conjunction with the Specops’ dynamic feedback feature, which collectively solves the password transformation problem.

End ambiguity with dynamic feedback at password change

Specops dynamic password feedback feature guides the user through the password reset process, showing them exactly what is required in order to satisfy the organization’s password requirements. This gives the organization an opportunity to create a policy that prevents the use of common password transformations.

If for example, a user’s original password was MyP@$$w0rd1, then then a password policy could prevent the user from changing the password to something like MyP@$$w0rd123, MyP@$$w0rd2, or MyPa$$word1. Because the policy blocks the user from using common transformation patterns, the user is forced to adopt a completely new, and secure password.

An example of dynamic feedback at password change for an end-user with Specops Password Policy

Additionally, the dynamic feedback feature guides the user through this entire process and shows the user exactly what is required thereby helping to eliminate ambiguity and its resulting user frustration.

The goal here is to combine a strong password policy with an end-user reward system, keeping your stronger password for longer, and adding in a deterrent of minimal password change all without additional onus on the IT team. After all, if password feedback exists at password change you can cut down on all those helpdesk calls asking for help.