Why do we keep forcing short-term password changes?

Blog Post created by kevinbeaver on Apr 27, 2016

This is a guest post from our frequent contributor Kevin Beaver. You can read all of his previous guest posts here.


I'm often asked by friends and colleagues: Why do I have to change my password every 30 or 60 days? My response is always the same: Odds are good that it’s because that's the way that it's always been done. Or, these people might have a super strict IT manager who likes to show - on paper - that his or her environment is "locked down." Occasionally I will get feedback that auditors require such stringent settings. The funny thing is, there's never really a good business reason behind such short-term password changes.


In fact, if you dig in further, in many cases there are numerous other issues that are a much higher risk than passwords that are not changed often. I often see weak password requirements – i.e. complexity not being enforced or 6-character minimum lengths. I often see this combined with super weak endpoint security such as minimal Windows patching, no third-party software patching, no full disk encryption, and network monitoring/alerting that is reactive at best.

So, why is it that we go with the 30, 60, or 90-day password change requirements? I don't think it's malicious but I do believe that people just aren't taking the time to think about what they're doing. In fact that's sort of the essence of many security challenges that businesses face today. People just aren’t thinking about what they're actually doing. They're going through the motions with their “policies” and they have these fancy technologies deployed but, in reality, the implementation of everything stinks. At the end of the day, management assumes that all is well because of all of the money and effort being spent on these issues (including those pesky password changes) but, yet, they still get hit with breaches and no one can figure out why.


I think many seasoned IT and security professionals would agree with me in that quick turnarounds on password changes is actually bad for security. We always joke about how users will write down their passwords on the sticky notes – and it's true! But it goes deeper than the humor. There's a strong political factor at the root of much of the password nonsense. Users don't want to have to create and remember long passwords.


After all, odds are they’ve never been taught/guided to use passphrases that are super simple to create and remember yet impossible to crack. Furthermore, management doesn't want to hear about it so IT doesn't press the issue. Thus the ignorant cycle of if we can't make them use strong passphrases, we can at least require quick password changes. The madness continues and it’s bad for business.


Anytime you create complexity and, in this case, requiring users to continually change their passwords – whether or not they’re suspected to have been compromised – you create more problems than you solve in most cases. There are always exceptions and compensating controls such as intruder lockout, two-factor authentication, and proactive system monitoring can thwart most attacks on user accounts. It’s time to look past the nonsense and capitalize on opportunities such as this to get people on our side rather than continue ticking them off.