Do you hate changing passwords? [heads nodding] Does it seem like your company forces you to change your password every other week? [heads nodding; tempers rising] Well, good news: the National Institute of Standards and Technology (“NIST”) says you don’t need to change your password until it is compromised, which is like saying you don’t need to lock your door until a burglar has robbed you. Now isn’t that nice.
All joking aside, this article in CSO Online (Chief Security Officer) raises the question: what should your company’s password change policy be? It seems that Microsoft is following NIST’s lead and removing its default 45-60 day password reset requirement from Windows. Of course, that may not actually impact you because, as the article points out, guidance from your friendly neighborhood regulator may conflict with NIST’s suggestion. Most companies are unlikely to eliminate the requirement to change your password, but we may see an increase in the amount of time between changes.
The information security part of your company’s compliance policies and procedures addresses this topic, and your director of information technology or chief compliance officer is unlikely to blindly follow NIST’s lead. Occasionally changing your passwords seems like a good idea even if there’s little data to support it; who wants to be the person who recommends never changing your password when it seems like some part of our digital life is compromised weekly? But changing passwords too frequently results in over-reliance on the same passwords. What’s the best frequency? I don’t know, but Mr. Grimes, the author, suggests that the average is 90 days. Certainly that’s enough time for you to think of a new one, right?
From a data security perspective, it’s still a good idea to require routine password changes because we often don’t know if a password is compromised until it’s too late. A better practice is to move away from 8-12 character passwords with their devilish requirements (e.g., must include a number, must include a special character, cannot include spaces, please don’t use your birthday or the birthday of anyone in your family, etc.) and use passphrases, which are longer and, therefore, compound the complexity of the lock.
But the article also warns about certain trends that all users should know about. For example, don’t use the same passphrase (or password) on multiple sites or applications; otherwise, a data breach creates contagion. And don’t just add a number to the end of your password and increase the number by one every time you update it. Consider using biometrics if permitted by your device, or a password manager that generates random, complex passwords (but protect that vault with your life, and your best passphrase). You should also practice good password husbandry on your mobile device. If you find that you’ve been using the same four-digit code for a decade now, and your spouse, children, parents, etc., all know it, then it’s probably not safe; especially after your eight-year-old shares it with half her class.
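The two habits above (reusing a password and bumping the trailing number by one) are exactly the kind of thing a password change policy can catch at reset time, and the passphrase point can be put in numbers. The following is an added example, not code from the article or from any product it mentions; it assumes a 16-character minimum, a 94-symbol printable alphabet for classic passwords and a 7,776-word list for passphrases, and all passwords in it are constructed samples.

```python
"""Password-change policy checks and a keyspace comparison (added example)."""
import math
import re

# Assumed alphabet for a classic "complex" password: a-z, A-Z, 0-9 and 32 symbols.
CLASSIC_ALPHABET = 26 + 26 + 10 + 32
# Assumed passphrase model: words drawn uniformly from a 7,776-word (Diceware-sized) list.
PASSPHRASE_WORDLIST = 7776
# Assumed policy floor for a passphrase, in characters.
MIN_LENGTH = 16


def is_incremented_variant(old: str, new: str) -> bool:
    """True if `new` is `old` with its trailing number raised by one (Winter2019 -> Winter2020)."""
    m_old = re.fullmatch(r"(.*?)(\d+)", old)
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    if not (m_old and m_new):
        return False
    same_stem = m_old.group(1) == m_new.group(1)
    bumped = int(m_new.group(2)) == int(m_old.group(2)) + 1
    return same_stem and bumped


def check_change(new: str, history) -> list:
    """Return the policy violations for a proposed password; an empty list means accepted.

    `history` is the list of the user's previous passwords (constructed sample in the test).
    """
    problems = []
    if new in history:
        problems.append("reused password from history")
    if any(is_incremented_variant(old, new) for old in history):
        problems.append("previous password with the number bumped by one")
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters; use a passphrase")
    return problems


def keyspace_bits(length: int, alphabet: int) -> float:
    """Guessing work, in bits, for `length` symbols chosen uniformly from `alphabet` choices."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    # Why "longer" beats "devilish requirements": compare 8 random complex characters
    # with passphrases of 4 and 5 random words from the assumed word list.
    print(f"8 complex chars : {keyspace_bits(8, CLASSIC_ALPHABET):.1f} bits")
    print(f"4-word phrase   : {keyspace_bits(4, PASSPHRASE_WORDLIST):.1f} bits")
    print(f"5-word phrase   : {keyspace_bits(5, PASSPHRASE_WORDLIST):.1f} bits")
    print(check_change("Winter2020", ["Winter2019"]))
```

Note the caveat the numbers show: four random words from a list that size are only about even with eight random complex characters; the passphrase advantage comes from adding words, which is far easier to remember than adding symbols.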
Passwords may seem like a silly thing to spend your time and effort on, but in our increasingly digital world, passwords are like keys in our physical world. But unlike the keys in your pocket, your passwords are often stored on servers and sticky notes that are not closely guarded. All the more reason to update your digital locks on occasion; preferably before you are robbed.