We’ve all been there – you log into a website and are met with a message indicating you must reset your password before accessing the account. The cynic might assume the company was hacked. Otherwise, what is the point of a mandatory password reset?
The simple answer is that companies take password security seriously, as pilfering login credentials provide cybercriminals with easy access to sensitive or proprietary information. In the past, companies have forced periodic resets to follow best practices. Previously, experts advised updating credentials every three months, partially because that’s how long it took a computer to ‘crack’ the average password hash. Times have changed as cyber threats continue to evolve, and companies need to realize it is possible to force password resets too often.
That’s not to say there are no legitimate reasons for companies to implement mandatory password updates. Some companies regularly scour troves of leaked or breached credentials for those that match their customers’ and subsequently force a password reset just for the affected users. According to Brian Krebs, online enterprises want to thwart “credential-stuffing attacks” in which attackers try to use one company’s credentials to log into other online properties.
Now, what about site-wide resets when a company wasn’t breached? Those against this idea, including former Chief Technologist of the Federal Trade Commission Lorrie Cranor, argue that individuals may create weaker passwords as replacements, undermining the reason for resetting the password in the first place. A 2010 study published by researchers from the University of North Carolina at Chapel Hill explored this very topic, assessing the viability of password expiration by examining passcodes of individuals at the university. Researchers Yinqian Zhang, Fabian Monrose and Michael Reiter found that users responded to the university’s three-month password expiration policy by following an algorithmically predictable pattern. Users only slightly changed their passwords, thus casting doubt on forced password expiration.
Last year, my firm conducted a Password Security and Data Privacy Survey which alarmingly revealed that a majority of the 1,000+ adult respondents were more concerned about a criminal gaining access to their personal email than their company account. This tells us employees do not value their sensitive work data as much as their personal data, putting their companies at risk through poor cyber hygiene.
The security world is adapting: last year, Microsoft dropped its password-expiration policy, no longer recommending forced periodic password changes. The National Institute of Standards and Technology issued guidelines in 2017 for password management, noting that industry best practices now call for fewer password changes. It is in a company’s best interest for employees to keep their strong password than begrudgingly switch to a weaker one. Experts are even starting to discuss alternatives to passwords, such as biometric authentication, biological measurements used to identify individuals, or microchipping.
In the meantime, to deal with what Forrester calls “a necessary evil,” my advice is simple, and something you have probably heard before: use unique, complex passwords for all your accounts, in combination with multi-factor authentication when possible. I will concede that remembering passwords for all of your accounts is neither convenient nor practical. After all, the average business employee has almost 200 passwords they must keep track of, according to LastPass. The most efficient solution is to use a password manager, such as LastPass or 1Password, which generates and stores complex passwords in an encrypted database.
Furthermore, avoid sharing your passwords, logging onto secure websites over public Wi-Fi, or using your name or repetitive sequences in your password. (My firm discovered a 41-Gigabyte dump of stolen passwords in December 2017, and as expected, the top five passwords were ‘123456,’ ‘123456789,’ ‘qwerty,’ ‘password’ and ‘111111,’ respectively.) Lastly, invest in an identity theft solution provider that can notify you when your credentials or other personally identifiable information is exposed and circulating in underground markets.
Changing your password for the sake of changing your password is an outdated practice that could do more harm than good. Monitor your accounts carefully, remain vigilant and if you notice suspicious activity, act. An arbitrary number of days shouldn’t determine when an update is needed.