Mandating password change is a common feature in many corporate password policies, yet advice over whether or not this is beneficial to organisations has changed over the years. As with many security policies, there are both benefits and drawbacks to mandating password expiry – here we explore the pros and cons, and determine whether it is still an effective policy to mitigate cyber risk.
Primarily, changing passwords attempts to protect organisations from cyberattacks that make use of credentials that have been compromised in previous data breaches. When passwords are stolen in breaches, they are often sold or leaked on the dark web, with cybercriminals able to use these in credential stuffing attacks to gain unauthorised access to corporate systems and data.
This is made possible due to a number of factors – firstly, users are often unaware they have been the victim of a data breach and had their password stolen, and secondly, individuals tend to reuse passwords across multiple accounts due to the large number of credentials they are asked to remember. Mandating regular password change helps mitigate the risk of these attacks, as it minimises the threat from old, leaked passwords still being used for employee accounts.
A further benefit of changing passwords is to mitigate the risk of former employees retaining access to corporate data after leaving the business. The risk of unauthorised access from former staff members is significant – according to the Ponemon Institute, over half of employees take corporate data when they leave their job, with 40% stating they intended to use it in their next role. If passwords are regularly changed, particularly after staff changes, this reduces the window in which ex-employees can access sensitive data. Expiry only helps here for credentials a leaver still knows and that remain live, such as shared or service-account passwords; disabling the individual's own accounts on departure is the more direct control.
While the reasons for changing corporate passwords frequently are valid, the problem lies in the practicalities of implementing such a policy. Firstly, the policy is difficult to enforce. Passwords are a source of friction for most employees, and asking them to change them regularly only adds to the burden. Additionally, while IT departments may be able to enforce password change on in-house applications, it is extremely difficult at best, impossible at worst, to ensure that employees are carrying this out effectively on third-party cloud apps.
The reason employees typically exhibit insecure behaviour when dealing with passwords is that they simply have too many to remember. The average person has over 100 passwords to memorise in their work and personal life, and remembering unique, strong credentials for every account they own is simply impractical. Writing down passwords, reusing them, and keeping them short and simple are all examples of insecure behaviour employed as a result of this difficulty.
The additional requirement to change passwords regularly, therefore, makes the already problematic task of memorising credentials virtually impossible. Even if it can be successfully enforced, which is extremely difficult, it is highly likely to lead to more insecure practices elsewhere as users struggle to remember their new passwords, such as reusing one set of credentials across multiple applications, or storing passwords insecurely, for example in plain text in a spreadsheet or notes in their cloud-synced phone. Enforced password change also leads to more passwords being forgotten and frequent password resets, causing a significant business impact due to employee downtime – each reset costs organisations £40 on average, according to Forrester.
Lastly, when tasked with changing passwords, employees will often resort to minor, incremental changes, such as adding numbers and special characters to the end of an already-used password, incrementing a year, or appending the name of the application. These iteration practices are well known to cybercriminals, who encode them as mutation rules that generate candidates from a leaked password as part of brute-force and credential stuffing attacks, so a "new" password derived this way offers little more protection than the old one.
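The two failure modes described here and in the credential stuffing discussion above (leaked passwords being reused, and forced changes producing predictable increments) are both things a password-change handler can check mechanically at the moment a new password is set. The following Python is an added illustration and is not code from the original article: the breached-password set and the example passwords are constructed for the demonstration, the `normalise` heuristic (lower-case, strip leading and trailing digit or symbol runs, undo common letter-for-symbol substitutions) is an assumed rule set rather than a published one, and the 12-character minimum is an assumed policy value.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus: SHA-1 digests of a few passwords.
# A real deployment would query a breach-check service (offline, or via a
# k-anonymity range lookup on the hash prefix) rather than hold a list inline.
# These are not real breach data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1", "Summer2023!", "letmein", "qwerty123")
}

# Common letter-for-symbol substitutions, reversed so that "P@ssw0rd" and
# "password" compare equal. Assumed list, not an exhaustive rule set.
_LEET = str.maketrans("0134$@!", "oleasai")


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 appears in the (constructed) breach set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def normalise(password: str) -> str:
    """Reduce a password to the 'core' a user tends to keep across forced
    changes: lower-case, drop leading/trailing digit-and-symbol runs (the
    '2023!' that gets incremented), undo leet substitutions, keep letters only.
    Heuristic, as noted in the lead-in."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    core = core.translate(_LEET)
    return re.sub(r"[^a-z]", "", core)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is a predictable mutation of `old`: the same core, the old
    core embedded in the new one (application name or suffix appended), or
    within two character edits of it."""
    o, n = normalise(old), normalise(new)
    if o == n:
        return True
    if len(o) >= 4 and o in n:
        return True
    return levenshtein(o, n) <= 2


def validate_change(old: str, new: str, min_length: int = 12) -> list[str]:
    """Return the reasons a proposed change should be rejected; an empty list
    means the new password passes these checks. min_length is an assumed
    policy value."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_breached(new):
        reasons.append("appears in a breach corpus")
    if is_trivial_variant(old, new):
        reasons.append("predictable variant of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed examples of the increments the text describes.
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Summer2023!", "Summer2023!Slack"),
                     ("P@ssw0rd1!", "Passw0rd2!"),
                     ("Summer2023!", "kinetic-walrus-lantern-9")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new) or 'ok'}")
```

Rejecting a change for these reasons, rather than on a calendar schedule, is the kind of technical control that catches the attacker's mutation rules directly: the year-increment, the appended application name and the leet respelling all normalise to the same core as the old password, while an unrelated passphrase passes. Comparing against the previous password requires it to be available at change time (the user has just typed it), not stored in a recoverable form afterwards.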
Comparing the case for and against password expiry, it is clear that the benefits of changing passwords fail to outweigh the significant drawbacks. While it is effective at protecting against some methods of attack commonly used by cybercriminals, ensuring such policies are adhered to is simply infeasible.
Because of this, mandating password change ends up making a bad situation worse, by adding to the burden of managing passwords already tasked to end-users and often resulting in insecure practices. As the UK Government’s National Cyber Security Centre (NCSC) makes clear – “Regular password changing harms rather than improves security.” Instead, the NCSC advises that “Your system's security should always rely on effective technical defences rather than depending on unachievable user behaviour”.
In response, many organisations are adopting Single Sign-On (SSO) or enterprise password management as their technical defence, removing the burden of managing credentials from end users altogether. With SSO, the application never handles a password at all: after the user authenticates to the corporate identity provider, it issues a signed assertion or token (using protocols such as SAML) that the application trusts. With password management, strong unique credentials are generated for users and filled into login forms automatically. With either method the end-user experience is the same: after authenticating with the corporate directory, employees are signed into applications as they open them and no longer have to know or manage per-application credentials.
By adopting a technical solution such as SSO, the human limitations on the strength, complexity, and number of passwords are removed. Some SSO solutions can also provide IT departments with the ability to automatically detect which applications are being used by employees, allowing them to easily include these apps within the SSO solution, ensuring the password security policy is enforced on all apps where corporate data is being processed.
Instead of relying on the users with the least technical knowledge as the frontline of their defence against cyberattacks, organisations can instead tackle the problem at its source by adopting a technological solution to ensure secure authentication is enforced on all applications and the risk of credential-based attack is mitigated.