
The Lockdown

Thycotic’s Cyber Security Blog

Back to the Basics: The problem with forcing regular password expiry

Written by Joseph Carson

August 21st, 2018

For many people and organizations around the world, a single password is sometimes the only security control protecting their sensitive information, their email and even their bank account.

The traditional password best practice was to create a long, complex password that only you knew, and it protected one or two accounts; you likely used it to sign in to Active Directory or an email account. Within an organization you would typically have been forced to select a password that satisfied composition rules, and the complexity was usually something like: create a password different from your last 1000 passwords, include 10 numbers, 4 upper case letters, 5 lower case letters, 3 symbols, a star name, and so on. Most people created a personal password that they never changed until forced to, and when challenged with composition rules they simply reused the existing password, added one special character, and were done.

Today, even a strong, complex password is useless if it’s used for multiple accounts

This was fine and it worked 20 years ago, but today the average person has more than 30 online accounts, all of them requiring usernames and passwords. That is a significant increase, and many people experience cyber fatigue once they have to remember more than five passwords. Bad habits quickly set in as we start reusing passwords across accounts. This means that even a strong, complex password is essentially useless: once one company is breached and cyber criminals obtain your well-chosen password, they can replay it against every other service you use (credential stuffing) and easily access all of your accounts.

This problem was repeated within organizations, which typically forced employees to change passwords every 30 to 90 days and rejected any new password that matched one of the previous five. Combined with composition rules and length requirements, this pushed employees into more bad habits: they wrote the password down in an unsafe location such as an Excel file or a piece of paper, or they reused an old password. And even when they did create a new password, it was likely only one character different from the last one.
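The "only one character different" and "same password plus one special character" habits described above are detectable at change time. The following is an added example (not code from the original post or from Thycotic) of a password-change check that rejects a new password when it is a trivial variant of a previous one: a small edit distance, the same core word with different digits or symbols bolted on, or the old password with a suffix or prefix added. The sample history is constructed for illustration, and the thresholds (`max_distance`, `min_core`) are this example's assumptions. One caveat for deployment: history is stored hashed, so a plaintext comparison like this is only possible against the current password, which the user supplies to authorize the change; for older entries you would have to hash the candidate variants instead.

```python
import re


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def core_word(pw: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols: 'Summer2018!' -> 'summer'."""
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped or pw.lower()


def is_trivial_variant(new: str, old: str, max_distance: int = 2, min_core: int = 6) -> bool:
    """True if `new` is the kind of change the post describes: the old password with a
    character or two changed, or the same word wearing different decoration.
    Thresholds are assumptions for this example."""
    n, o = new.lower(), old.lower()
    if n == o:
        return True                                   # case-only change
    if levenshtein(n, o) <= max_distance:
        return True                                   # Summer2018! -> Summer2019!
    if len(core_word(o)) >= min_core and core_word(n) == core_word(o):
        return True                                   # Summer2018! -> !!Summer99
    shorter, longer = sorted((n, o), key=len)
    if len(shorter) >= min_core and (longer.startswith(shorter) or longer.endswith(shorter)):
        return True                                   # old password with a suffix or prefix added
    return False


def check_new_password(new: str, history: list[str], max_distance: int = 2) -> tuple[bool, str]:
    """Accept only if `new` is not a trivial variant of any entry in `history`
    (history[0] is the current password, the rest are older ones)."""
    for idx, old in enumerate(history):
        if is_trivial_variant(new, old, max_distance):
            return False, f"too similar to history entry {idx}"
    return True, "ok"


# Constructed sample: a user's current password and the two before it (not real credentials).
SAMPLE_HISTORY = ["Summer2018!", "Spring2018!", "Winter2017!"]

if __name__ == "__main__":
    for candidate in ["Summer2018!!", "Summer2019!", "!!Summer99", "Summer2018!extra",
                      "Autumn2018!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_new_password(candidate, SAMPLE_HISTORY)}")
```

Note that this is a similarity check, not a strength check: `Autumn2018!` passes because it is far from every entry in the history, even though it follows the same season-plus-year pattern. Catching that requires a separate rule (a dictionary of seasons, months and years, or a breached-password blocklist) rather than a distance threshold.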

These password best practices led to poor cyber hygiene and increasing cyber fatigue

These password best practices led to poor cyber hygiene and increasing cyber fatigue. That resulted in a major update in 2017 that was welcomed by the cyber security industry: NIST's revised Digital Identity Guidelines (SP 800-63B) dropped the recommendation to force periodic password changes, advising instead that a password be changed when there is evidence it has been compromised, and recommended screening new passwords against lists of known-breached and commonly used passwords.

But there is still contentious debate around rotating passwords and at what age they should be rotated. I always recommend that you first categorize passwords into two classes: passwords that humans use and interact with, and passwords that are used by computers, services, applications and systems.

In addition to whether the password is classed as human or system, I apply another classification based on what the password is protecting and how sensitive that information is. I then determine the type of security that needs to be in place: is a password enough, or is 2FA, MFA or even a workflow-based access control (approval before the credential can be used) required? This helps ensure you meet compliance controls and have adequate security measures in place.

Rotate system or service account passwords as often as you can

A system or service account password is typically used by an application to access other resources within the same network; these passwords are not used to log on interactively but to run web servers and to reach reports and databases. Because no human has to remember them, they can be long, complex and rotated as often as you possibly can. The catch is that the new value has to reach every place the credential is configured (service definitions, scheduled tasks, connection strings), or the rotation itself causes an outage, which is why rotation is rarely done by hand. A privileged access management solution discovers these accounts, rotates their passwords on an automated schedule, pushes the new value to the dependents, and ensures they stay consistent with your security requirements.

Try to keep the number of passwords used by people to a maximum of five

Then we have human passwords: the ones created by humans and used to log on interactively to applications, systems or services. We should try to keep the number of interactive passwords a person has to remember to a maximum of five to reduce the possibility of cyber fatigue. This is where single sign-on helps, along with a password manager for whatever is left.

Now for the big question: if you have a long, strong, complex password, when is it a good time to force password rotation? As I mentioned earlier, there is strong debate within the security industry. Some say not until the password is known to have been breached, while others recommend rotating every six months.

In my opinion it really comes down to what the password is protecting and my classification of accounts. If the account contains sensitive information, then you want to use MFA and rotate the password somewhere between six and twelve months. For less sensitive accounts you can go longer if 2FA is being used. Whether you ever force password rotation depends on how proactive you want to be with security. In my experience it is better to be unpredictable: rather than waiting to find out that you are a victim of cyber-crime, you want to find out as early as possible, and changing your password on occasion can serve as an alarm for unauthorized access, since anyone quietly using the old password is cut off and their failed logins become visible.

So, when it comes to password rotation, my recommendations are: use a privileged access management solution to discover system and service account passwords and rotate them frequently; put stronger controls (MFA, workflow approval) in place where the classification calls for them; and for human interactive passwords, ensure the security controls and the password age meet your business needs according to your classification system.
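The classification scheme above (human versus system, sensitive versus not, MFA present or not) can be turned into a small audit script that runs over an account inventory and reports what is overdue. The following is an added example, not code from the original post or from a Thycotic product. The 6 to 12 month window for sensitive human accounts with MFA comes from the post; the 30-day system interval, the 90-day fallback for human accounts without MFA, the 18-month ceiling for less sensitive accounts with 2FA, and the sample inventory are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import secrets


@dataclass
class Account:
    name: str
    kind: str            # "human" (interactive) or "system" (service/application)
    sensitive: bool      # True if the account protects sensitive information
    mfa: bool            # True if MFA/2FA is enforced on the account
    last_rotated: date


# Maximum password ages. Only the sensitive-human-with-MFA window (6 to 12 months)
# comes from the post; the other values are assumptions for this example.
SYSTEM_MAX_AGE = timedelta(days=30)                # "as often as you can"; assumed monthly via PAM
HUMAN_SENSITIVE_MFA_MAX_AGE = timedelta(days=365)  # post: six to twelve months
HUMAN_OTHER_2FA_MAX_AGE = timedelta(days=540)      # assumption: "you can go longer if 2FA is being used"
HUMAN_NO_MFA_MAX_AGE = timedelta(days=90)          # assumption: classic 90 days when no MFA protects the account


def max_age(acct: Account) -> timedelta:
    """Map an account's classification to its maximum password age."""
    if acct.kind == "system":
        return SYSTEM_MAX_AGE
    if not acct.mfa:
        return HUMAN_NO_MFA_MAX_AGE
    return HUMAN_SENSITIVE_MFA_MAX_AGE if acct.sensitive else HUMAN_OTHER_2FA_MAX_AGE


def findings(acct: Account, today: date) -> list[str]:
    """Return control gaps and overdue rotations for one account (empty list if compliant)."""
    out = []
    if acct.kind == "human" and acct.sensitive and not acct.mfa:
        out.append("sensitive human account without MFA")
    age = today - acct.last_rotated
    limit = max_age(acct)
    if age > limit:
        out.append(f"password age {age.days}d exceeds {limit.days}d")
    return out


def new_system_secret(nbytes: int = 32) -> str:
    """Generate a long random secret for a service account (256 bits of entropy, URL-safe text)."""
    return secrets.token_urlsafe(nbytes)


def review(inventory: list[Account], today: date) -> dict[str, list[str]]:
    """Run the policy over the inventory; compliant accounts map to an empty list."""
    return {a.name: findings(a, today) for a in inventory}


# Constructed sample inventory (not real accounts), reviewed as of the post's publication date.
SAMPLE_INVENTORY = [
    Account("svc-webapp-db", "system", True, False, date(2018, 6, 1)),
    Account("svc-report-reader", "system", False, False, date(2018, 8, 10)),
    Account("jcarson", "human", True, True, date(2018, 2, 1)),
    Account("contractor-hr", "human", True, False, date(2018, 1, 15)),
    Account("intern-wiki", "human", False, True, date(2017, 9, 1)),
]
REVIEW_DATE = date(2018, 8, 21)

if __name__ == "__main__":
    for name, issues in review(SAMPLE_INVENTORY, REVIEW_DATE).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
    # A system account that is overdue gets a fresh secret, to be pushed to its dependents by the PAM tool.
    print("new secret for svc-webapp-db:", new_system_secret())
```

In this inventory the overdue service account and the sensitive human account without MFA are the two that surface; the human accounts that are within their window are reported as compliant even though one of them has not rotated in almost a year, which is exactly the trade-off the post argues for once MFA is in front of the account.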
