“Your password will expire in X days.” That pop-up or email is all-too-familiar for employees at organizations requiring login credentials with the common “90- or 45-day rule” for changing or updating passwords. It’s a security best practice designed to help keep your accounts—and your organization—secure from hackers and nosy coworkers. But does it really?
While the “90-day rule” has been around for years, and there are wide swings in how individual companies decide to enforce it, the outcome remains the same. Employees around the world stop what they’re doing, dream up a new, hopefully strong password, and apply it as quickly as possible so they can get back to the work at hand.
Changing up that password on a regularly scheduled basis makes the network secure and thwarts evildoers, right? It can help, but it might not be the only answer for workplace cybersecurity.
While the old thought was to change that password and change it regularly, newer insights, as noted in Business Insider, indicate a shift. Notably:
- There is no magic number for how often passwords should be updated.
- The publication also points out that most security experts believe that if your password is strong and unique, there’s no compelling reason to change it regularly, unless you believe your password has been compromised.
- Some experts still recommend giving those passwords a refresh a few times a year.
Clear as mud, right? Here’s what the trusted National Institute of Standards and Technology (NIST) has to say on the topic of user password management:
- Remove periodic password change requirements: Multiple studies have shown that all those frequent password changes can actually be counterproductive to good password security.
- Drop the complex algorithmic password requirements: That mandatory mix of upper- and lowercase letters, symbols and numbers gets annoying to users and, over time, results in worse passwords.
- Require that new passwords be screened against lists of commonly used or compromised passwords: Act against known threats and risks for better passwords for users.
Learn more: What is World Password Day?
Surprising Password Security Statistics
No matter which camp you or your organization fall in, it’s critical to use almost-impossible-to-crack passwords and enable multi-factor authentication, especially for accounts you have with financial institutions, medical institutions, and email providers. Many thought leaders recommend using a password manager, like LastPass or 1Password, that allows you to create original passwords for your accounts without having to remember them all or “hide” that sticky note under your keyboard (yeah, we don’t really recommend that!).
According to the 2020 Psychology of Passwords survey report by LastPass, results found that:
- 92 percent know that using the same variation of the same password is a risk, but 50 percent of us do it regardless.
- 58 percent haven’t changed their password in 12 months – even after hearing news of a breach.
- 40 percent think their accounts aren’t valuable enough for a hacker to waste time on them.
- 42 percent say that having a password that’s easy to remember is more important than one that is very secure.
- Only 29 percent reset their passwords once a month or more because they forget them.
- Only 54 percent use multi-factor authentication (MFA) for personal accounts; 37 percent use it at work.
Learn more: 6 Users to Put on Your Security Watch List
There are, of course, arguments on both sides of the change ‘em up or don’t fix what isn’t broken debate. Here’s what we found:
Frequent Password Changes: What the “No” Camp Says
On one side is the “No” camp, the organizations and thought leaders that believe mandatory password rotation policies are outdated. The 90-day naysayers say requiring frequent changes causes users to create weak passwords—or simply slightly modify their current one.
In fact, Microsoft altered its own policies back in 2019 to be in line with NIST recommendations, stating that there are better ways to protect systems and networks than requiring users to dream up new passwords every few months or even weeks.
The logic here is that too often, when prompted to create a new password, many users create one very similar to the last password, just with different punctuation, numbers or symbols, thereby creating predictable password patterns. The same logic points out that if someone were to get your password, they certainly are not sitting on it for 90 days before using it.
GoAnywhere MFT’s Think Like a Hacker and Secure Your Data eBook covers credential reuse, noting that if one breach is successful and login information is stolen, attackers can follow up on other sites you might use, or even sell the passwords on the dark web, so multiple individuals could have your email address, user name and password details.
The guide recommends:
- Don’t use the same passwords across sites or applications
- Keep informed of what sites or companies have been breached
- Leverage a password compromise website like haveibeenpwned to see whether a site that holds your email address has been breached
If a hacker already has your password, changing it to something different is unlikely to be effective on its own. Chances are, someone’s already peeked into your account and/or installed a keylogger to grab future credentials. The fix isn’t simply to update your password; the fix is to create a unique password for each account, then tighten your security through measures like encryption and multi-factor authentication.
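Putting the screening point from the NIST list, the predictable-variant problem and the haveibeenpwned recommendation into one check: an added example, not GoAnywhere’s, NIST’s or Have I Been Pwned’s code, that tests a proposed new password against a locally constructed breach list in the Have I Been Pwned range-response format and rejects changes that only tweak case, digits or symbols. The corpus contents and counts are made up for the example; a real deployment would query the live range API with the same 5-character prefix instead.

```python
import hashlib
import re

# Constructed stand-in for Have I Been Pwned "range" responses: keyed by the first
# 5 hex characters of an uppercase SHA-1, each line is SUFFIX:COUNT. Counts are made up.
FAKE_RANGE_RESPONSES = {}

def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def _seed_breach(password: str, count: int) -> None:
    digest = _sha1_upper(password)
    FAKE_RANGE_RESPONSES.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

for _pw, _count in (("Password1", 2000000), ("Summer2020!", 1500), ("letmein", 300000)):
    _seed_breach(_pw, _count)

def breach_count(password: str, ranges=FAKE_RANGE_RESPONSES) -> int:
    """How often the password appears in the (constructed) breach corpus.
    In a real lookup only the 5-character prefix leaves the client; the full
    hash is compared locally, which is the k-anonymity idea behind HIBP."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in ranges.get(prefix, []):
        known_suffix, count = line.split(":")
        if known_suffix == suffix:
            return int(count)
    return 0

def _stem(password: str) -> str:
    """Lowercase letters only, so 'Summer2020!' and 'summer2021#' share a stem."""
    return re.sub(r"[^a-z]", "", password.lower())

def is_trivial_variant(old: str, new: str) -> bool:
    """True when only case, digits or punctuation changed between old and new."""
    return _stem(old) != "" and _stem(old) == _stem(new)

def evaluate_change(old: str, new: str) -> list:
    """Policy violations for a proposed change; an empty list means accept."""
    problems = []
    if len(new) < 8:  # NIST SP 800-63B minimum for user-chosen passwords
        problems.append("shorter than 8 characters")
    hits = breach_count(new)
    if hits:
        problems.append(f"found {hits} times in breach corpus")
    if is_trivial_variant(old, new):
        problems.append("only case, digits or symbols differ from the previous password")
    return problems
```

Run against the seeded corpus, `evaluate_change("Summer2020!", "summer2021#")` is rejected twice over (known breached stem, trivial variant), while a long unrelated passphrase passes with no violations.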
Frequent Password Changes: What the “Yes” Camp Says
On the other side of the ring, we have the “Yes” camp, the organizations and thought leaders that talk about how important the “90-day rule” is for IT security. The main theory behind the 90-day hype? If you change your password every three months, a hacker who has access to an old password (say, through a data breach) won’t be able to use it forever and won’t be able to use it across your accounts.
The “Yes” camp says, if you change your passwords frequently and use strong/unique passwords that aren’t similar to your previous ones, your data is likely safe. But if you rarely change your password, have an account with an organization affected by a leak, or use the same password across multiple accounts? Well, you may be out of luck.
Your Next Cybersecurity Steps
In addition to rethinking your password strategy, consider the entire movement of data within and outside your organization. Managed file transfer solutions, like GoAnywhere MFT, offer secure, encrypted file transfer as an additional layer of security for critical data.
Related Reading: How MFT Fits into Your Data Security Suite
Want to see how GoAnywhere fits into your organization’s overall security environment? Enjoy a 30-day free trial, or schedule a 15-, 30-, or 60-minute demonstration of the security features you can get with GoAnywhere in place.