Passwords have for a very long time been used to prove identity and authenticate user access to resources. As time has gone by, to increase security we have made password requirements more complex and frequently changing passwords a necessity.
However, in the pursuit of better security we have ignored the very fact that made password-based security preferable over other approaches – its simplicity.
Asking for increasingly complex passwords and then forcing the user to change them frequently undermines the fundamental principle on which password security is based. Compelling users to produce a higher volume of increasingly complex passwords often means the passwords are not easily remembered, and many users resort to writing the password down, where it can then be easily compromised.
So should we force users to change passwords?
The other day I was scanning different user forums for the answer and came across this thread on Spiceworks. IT administrators across the globe appear to be divided on this matter: while many express reservations about the effectiveness of forcing users to change passwords, others advocate it. Here I have compiled the most important responses of these admins to give you an overview of opinions:
- Password change is pushed from the outside by compliances like HIPAA, PCI etc. and it undermines security as employees are reduced to risking security by writing down passwords to remember them. Changing it once every 6 months to a year is adequate.
- Forcing them to change passwords frequently just makes them use tricks which can trip them up so updating a password should only be done when specifically required. For example, when you think the password has been stolen or if you suspect somebody has been logging in on your behalf.
- Windows’ default of 42 days before requiring a password change is way too short and should be changed to 180 days. When confronted by auditors they should be told that frequent password change won’t be taken seriously by the users as they will either simplify it in their own way (Pass_word!23) or note it down somewhere.
- There are double standards in dealing with passwords. While anything personal like a bank account password is handled with extreme care, office desktop passwords are approached more casually. For example, people shout out their password to the IT guy who has come to their desk or have it written on a sticky note on their screen. Changing it regularly negates the chances of unauthorized access.
- Are we innovating enough? Why can’t we have a differential policy wherein each password will be evaluated and, based on its complexity, users will be asked to change it more or less frequently? For example, if you are using a big complex passphrase, you can afford to change it twice a year, but for those “Password!23” types it should be done more frequently.
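The "differential policy" suggested in the last response can be sketched as a small piece of code: estimate how much work a password would take to guess, and let that estimate decide how soon the user must rotate it. The following is an added illustration written for this post, not a tool from the Spiceworks thread or from any vendor. The entropy estimate, the leet-speak normalisation, the short list of common base words and the mapping from entropy to a maximum age in days are all assumptions chosen for the example; only the 42-day and 180-day figures echo numbers the admins quoted above.

```python
import math
import re
import string

# Constructed tiers (assumption, not from the post): estimated entropy in bits
# mapped to a maximum password age in days. 42 days mirrors the Windows default
# the admins complained about, 180 days the figure they proposed instead; the
# other tiers are illustrative. Ordered from strongest to weakest.
ROTATION_TIERS = [
    (80, 365),   # strong passphrase: annual rotation is plenty
    (60, 180),   # good password: six-monthly
    (40, 90),    # mediocre: quarterly
    (0, 42),     # weak "Password!23" style: keep the short default
]

# Hypothetical list of base words that users dress up with digits and symbols.
# A real deployment would use a breached-password or dictionary list instead.
COMMON_BASES = {"password", "welcome", "summer", "winter", "company", "admin"}

# Undo the usual character substitutions so "P@ssw0rd" normalises to "password".
LEET = str.maketrans("0134@$!", "oieaasi")


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return size


def looks_like_dressed_up_word(pw: str) -> bool:
    """True when the password is a known base word with leet substitutions
    and/or a digit-and-symbol suffix, e.g. "Pass_word!23"."""
    normalized = pw.lower().translate(LEET)
    letters = re.sub(r"[^a-z]", "", normalized)
    return any(letters.startswith(base) for base in COMMON_BASES)


def estimated_entropy_bits(pw: str) -> float:
    """Naive brute-force entropy: length * log2(alphabet size). A dressed-up
    dictionary word is capped at 20 bits, because an attacker guesses the word
    as one token rather than character by character."""
    if not pw:
        return 0.0
    bits = len(pw) * math.log2(charset_size(pw))
    if looks_like_dressed_up_word(pw):
        bits = min(bits, 20.0)
    return bits


def recommended_max_age_days(pw: str) -> int:
    """Map the entropy estimate onto the rotation tiers."""
    bits = estimated_entropy_bits(pw)
    for threshold, days in ROTATION_TIERS:
        if bits >= threshold:
            return days
    return ROTATION_TIERS[-1][1]


if __name__ == "__main__":
    # Constructed sample passwords for the demonstration.
    for sample in ["Password!23", "Pass_word!23", "Tr0ub4dor&3",
                   "abc12345", "correct horse battery staple"]:
        print(f"{sample!r:34} {estimated_entropy_bits(sample):6.1f} bits "
              f"-> rotate every {recommended_max_age_days(sample)} days")
```

The point of the tiers is the one the responder makes: a long passphrase lands in the 365-day tier while "Password!23" and "Pass_word!23" fall to the 42-day tier, so the rotation burden is placed on the passwords that actually need it. The entropy formula is deliberately simple; a production policy engine would replace it with a proper strength estimator and a breached-password check, but the shape of the decision stays the same.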
Going by the responses of IT managers it appears that, though forcing users to change their passwords is no guarantee of security, administrators still follow this practice to ensure the security of the Windows network, as they don’t have any other choice. Biometric authentication such as fingerprint-based login may demand additional investment, but it is not only more secure but also reduces help-desk calls, and so may prove economical in the long run. Till then it appears reasonable to ask users to change their password at more sensible intervals.