Requiring Periodic Password Changes Is (Probably) Still A Good Idea

There is growing momentum behind dropping the periodic password expiration requirement – generally 90 days.  The idea first gained widespread credibility when NIST updated SP 800-63 way back in 2017, advising against requiring password expiration policies.  In recent times, most of the security thought leaders seem to consider password change policies to be an outdated, cyber horse and buggy remnant of times gone by.  This week, Microsoft released a blog post stating their intention to drop the password expiration requirement from the Windows 10 and Windows Server security baseline.

In concept, I agree with this guidance.  Troy Hunt gives a great enumeration of the many reasons here.  In practice, I have grave concerns with this approach.  I do want to make it clear that I think everyone should be using a password manager with strong, unique passwords for each service, and even better, using multi-factor authentication everywhere it's supported.  If this were the default condition, I would have no objections to dropping password expiration requirements.  But alas, this is not the world we live in.

People are mentally lazy.  I don’t mean this in a derogatory way; I mean that our brains are hard-wired to minimize the amount of effort we apply to any given task.  The net impact of dropping password expiration requirements is that some number of staff will adopt a single long and complex password that they will use everywhere.  As we have seen repeatedly and consistently over many years, internet-based services are a) terrible at storing passwords in a secure manner; and b) terrible at keeping their authentication database secure.  This inevitably sets up a situation where I create a complex password for work, with no intention or requirement to ever change it, then also use it on my favorite horoscope website (everyone needs a methodology for making security-related decisions, right?).  My horoscope website is compromised and now my work password that never changes (probably along with my work email address) is out in the wild.

My main objection to dropping password expiration requirements is that it enables employees to use a “work” password everywhere, whereas it is generally infeasible to do so with a password expiration in place.  I have many other tangentially related concerns, many of which people who work in incident response will recognize: adversaries in a network are able to collect non-expiring credentials from obscure places, like old backups and documentation, and so on.  In my experience, these passwords are often already a problem because people will simply iterate some prepended or appended element of their passwords (Password1, Password2, etc.), which can often be easily guessed by a targeted intruder.

Like many good ideas (looking at you, Active Directory), the benefits arise from a certain ecosystem being in place.  Organizations often want to embrace the aspects of a new paradigm that they like, but not the parts that are inconvenient or expensive (see: my disdain for Active Directory).  There are ways to help mitigate this concern, such as periodically comparing recently breached passwords to those used by employees and immediately disabling or changing any matches found.  However, much like properly securing Active Directory, nearly no one does this, instead taking the “quick win” of disabling password expiration because that is now industry best practice.
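One way to implement the breach-list comparison described above, as an added example that is not part of the original post: a k-anonymity style lookup in which only a short hash prefix leaves the client, run against a constructed toy breach corpus. The corpus, the `RangeIndex` class and the function names are assumptions of this example, not a real breach-feed API.

```python
import hashlib
from collections import defaultdict

# Constructed toy breach corpus standing in for a real breach feed (not real breach data).
CONSTRUCTED_BREACH_CORPUS = {"Password1", "Password2", "hunter2", "letmein", "qwerty123"}


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1 of the password, upper-case hex; breach feeds are commonly keyed this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeIndex:
    """Server side of a k-anonymity range lookup (hypothetical in-process stand-in for a breach
    feed service): hashes are bucketed by their first five hex characters, so a query reveals
    only that prefix, never the full hash of the password being checked."""

    PREFIX_LEN = 5

    def __init__(self, breached_plaintexts):
        self.buckets = defaultdict(set)
        for pw in breached_plaintexts:
            h = sha1_hex(pw)
            self.buckets[h[: self.PREFIX_LEN]].add(h[self.PREFIX_LEN :])

    def range_query(self, prefix: str) -> list:
        """Return every known hash suffix that shares the requested five-character prefix."""
        if len(prefix) != self.PREFIX_LEN:
            raise ValueError("prefix must be exactly 5 hex characters")
        return sorted(self.buckets.get(prefix.upper(), ()))


def is_breached(password: str, index: RangeIndex) -> bool:
    """Client side: send only the prefix, then compare the full suffix locally."""
    h = sha1_hex(password)
    suffixes = index.range_query(h[: RangeIndex.PREFIX_LEN])
    return h[RangeIndex.PREFIX_LEN :] in suffixes


def screen_password_changes(candidates: dict, index: RangeIndex) -> list:
    """Policy hook for the moment a password is set or changed (the only time the plaintext is
    legitimately available): return the accounts whose new password appears in the breach feed,
    so the change can be rejected or the account flagged for an immediate forced reset."""
    return [account for account, pw in candidates.items() if is_breached(pw, index)]


if __name__ == "__main__":
    index = RangeIndex(CONSTRUCTED_BREACH_CORPUS)
    # Constructed sample of pending password changes.
    pending = {"alice": "Password2", "bob": "Trg7-valley-umbrella-29!", "carol": "hunter2"}
    print(screen_password_changes(pending, index))  # ['alice', 'carol']
```

Against credentials already stored in the directory there is no plaintext to hash, so the same comparison has to be made hash-to-hash in whatever unsalted format the directory keeps, which is why running the check at set or change time is the cheaper place to start.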