You power on your computer and open your inbox, ready for another day at work. But instead of some unread emails, you see a login screen with an all-too-familiar message: it’s time to update your password. And it can’t just be any password. It needs to be one you haven’t used before, and it must include a number… and a special character… and be 8 characters long…
Sound familiar? Many companies require their employees to change their password every 90 days. It’s an inconvenient policy which leads people to ask: Is it really necessary?
The short answer is no. Frequent password changes may have been a good idea in years gone by, but they’re not necessary today. Read on to learn why.
The thinking behind mandatory password changes
The idea behind forced password expiration is simple. If your credentials are always changing, it’s harder for an attacker to know what they are at any given time. For example, a cybercriminal might stumble upon a list of leaked passwords. But if the leak is three months old, and you rotate your password every 90 days, the information will be out of date. The attacker can’t use those credentials to get into your account.
Periodic password changes also protect you against brute-force attacks – an approach that relies on trial and error. This includes dictionary attacks, which prioritize words, phrases, and character combinations that appear most often in passwords, like “qwerty” and “1234567”.
If your credentials stay the same, a cybercriminal might be able to crack them provided they have enough computing power, time, and patience. But if they change every 90 days, the process becomes more difficult.
Okay, but why 90 days?
Some companies choose 30 days as their password expiration policy. Others pick 90 or 180 days. But 90 days is the most common, and it’s fair to ask ‘why?’ To answer this question, we need to talk about password hashing.
Today, it’s recommended that companies store passwords as hashes. That means your true password is scrambled using a one-way process called a cryptographic hash function (CHF). When you enter your password, the company runs it through the CHF and confirms the result matches the hash stored in its database.
Hashing makes a brute-force attack harder. First, the hacker needs to work out which hashing algorithm is in use. Then they have to test possible passwords by running each one through the algorithm and comparing the result to the hash stored by the platform. The process becomes more expensive still if the company adds a random string of characters to each password before hashing it – a technique called salting.
There’s no definitive answer for how long a brute-force attack will take. It depends on a number of factors, including the strength of the password and the computational power available to the cybercriminal. But for a long time, security specialists felt that 90 days was short enough to “beat” any hacker trying to brute-force a hashed password – without being too inconvenient for the account owner, who is ultimately responsible for updating the password.
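As an added illustration (not code from the original post or from 1Password), here is the store-and-verify flow the two paragraphs above describe, using PBKDF2-HMAC-SHA256 from Python’s standard library with a random per-user salt. The sample users and passwords are constructed; the last function only counts hash computations to show why salting raises the attacker’s cost.

```python
import hashlib
import hmac
import secrets

# Work factor: every password guess costs this many PBKDF2 iterations.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Hash a password with a fresh random salt; returns the record to store."""
    salt = secrets.token_bytes(16)  # unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"alg": "pbkdf2_sha256", "iterations": iterations, "salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def hash_work_for_dictionary(candidates: int, users: int, salted: bool) -> int:
    """Hash computations needed to test every candidate against every stored hash.

    Unsalted: one computation per candidate covers all users (and can be precomputed).
    Salted: each candidate has to be hashed again for every user's distinct salt.
    """
    return candidates * users if salted else candidates


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same passphrase.
    alice = hash_password("ball-orange-moon-car")
    bob = hash_password("ball-orange-moon-car")
    assert alice["hash"] != bob["hash"]  # different salts, different stored hashes
    assert verify_password("ball-orange-moon-car", alice)
    assert not verify_password("ball-orange-moon-cat", alice)
    print("1,000 candidates vs 10,000 users:",
          hash_work_for_dictionary(1_000, 10_000, salted=False), "unsalted,",
          hash_work_for_dictionary(1_000, 10_000, salted=True), "salted")
```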
Why it’s no longer required
Mandatory password updates are always inconvenient. After all, nobody likes to be interrupted when they’re trying to get to the bottom of their to-do list. When prompted to change a password, people rarely choose one that’s strong and unique. Instead, they opt for something more memorable by either:
- Picking a new password that’s obvious, like “password123”, or
- Choosing a password that’s only slightly different from what they had before
Common passwords are easy to memorize but also simple for a hacker to guess. As the National Institute of Standards and Technology (NIST) explains, making minor changes to an old password isn’t helpful either:
“This practice provides a false sense of security if any of the previous (passwords) have been compromised, since attackers can apply these same common transformations.”
Yes, the account owner has updated their password, but they’ve changed it to something that isn’t particularly secure. It’s like changing the lock on your front door, but replacing it with one that any thief could pick in five minutes.
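As an added example (not from the original post), here is a check a password-change handler could run to reject the “minor transformations” NIST warns about: it lowercases both passwords, strips leading and trailing digits and symbols, undoes common letter-for-symbol substitutions, and then looks for equality, reversal, embedding, or a small edit distance. The thresholds and substitution table are assumptions chosen for illustration.

```python
import re

# Undo the most common substitutions so "P@ssw0rd" and "Password" compare equal.
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                        "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, undo leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    if not core:  # all digits/symbols: nothing to strip, compare the raw string
        return password.lower()
    return core.translate(UNLEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is a trivial transformation of `old` (assumed thresholds)."""
    a, b = normalize(old), normalize(new)
    if a == b or a == b[::-1]:
        return True
    if len(a) >= 4 and (a in b or b in a):  # old password embedded in the new one
        return True
    return levenshtein(a, b) <= max_edits


if __name__ == "__main__":
    # Constructed sample changes: the first three should be rejected, the last accepted.
    for old, new in [("Winter2023!", "Winter2024!"), ("P@ssw0rd1", "Password2"),
                     ("correct-horse", "esroh-tcerroc"),
                     ("Winter2023!", "quartz-lantern-oboe-kite")]:
        print(f"{old!r} -> {new!r}: predictable={is_predictable_variant(old, new)}")
```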
The cost of resetting passwords
Here’s another problem: if you don’t have a password manager, it’s easy to lose track of your constantly changing passwords. Many people start asking themselves: Does this service use the password I came up with a month ago? Or the one before? Or the one before that?
Some people write their passwords down to solve this problem. Or they make some incorrect guesses and ultimately have to ask their IT department for a password reset.
According to Gartner Group, between 20% and 50% of all IT help desk calls are for password resets. That’s a lot of time that could be better spent on other projects. And as the age-old saying goes, time is money. Forrester Research estimates that the labor cost of a single password reset is $70. Now multiply that figure by the number of people who are likely to forget their password if they’re forced to pick a new one every 90 days. Yeah, it’s an expensive issue.
There’s one more problem with password resets: once they’ve regained access, the account owner has to come up with another new password, which restarts the cycle and only makes it harder for them to remember which account is protected by which password.
What you should do instead
The best way to protect yourself is with strong, unique passwords. These are difficult for cybercriminals to crack, and therefore don’t need to be updated every 90 days.
You only need to update them if they show up in a leak, or if you discover that the company, platform, or service guarding them has been compromised. Visit Have I Been Pwned to quickly discover if any of your credentials need changing. If you’re using 1Password, Watchtower will check on your behalf and notify you whenever there’s a problem.
Don’t use common passwords. That includes “123456”, “qwerty”, and “password”. Don’t use common modifiers, either, like adding your date of birth to the end of an already-obvious password.
Make your passwords fairly long. The longer the password, the harder it is for a cybercriminal to guess or crack with a brute-force attack.
Don’t worry too much about numbers and symbols. Special characters add to a password’s complexity, but they’re not essential. You can achieve a similar or greater level of complexity by extending the length of the password instead.
Use passphrases. These are created by combining a handful of real but unrelated words, like “ball-orange-moon-car.” As long as each word is random, the complete phrase will be difficult for an attacker to crack but easier for you to remember than a typical password that’s strong and complex.
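As an added worked calculation (not part of the original post), the “length instead of symbols” point in bits of entropy, assuming every character or word is chosen uniformly at random and, for the passphrase, a 7,776-word list (the size of the EFF long word list):

$$H = n \log_2 N \qquad \text{for } n \text{ independent choices from } N \text{ options}$$

$$\begin{aligned}
\text{8 printable ASCII characters } (N = 95):\quad & 8 \log_2 95 \approx 52.6 \text{ bits} \\
\text{12 lowercase letters } (N = 26):\quad & 12 \log_2 26 \approx 56.4 \text{ bits} \\
\text{4 random words, e.g. ball-orange-moon-car } (N = 7776):\quad & 4 \log_2 7776 \approx 51.7 \text{ bits} \\
\text{5 random words } (N = 7776):\quad & 5 \log_2 7776 \approx 64.6 \text{ bits}
\end{aligned}$$

Twelve plain letters already beat eight characters drawn from the full symbol set, and each extra random word adds about 13 bits; the figures hold only while the choices are random, not when the words or characters are picked by hand.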
Our free password generator can help you create passwords that meet all of these criteria. If you want to add another level of security you could also use a unique, randomly generated username for each account.
But how do you remember all of this information? That’s where 1Password comes in. Our app not only generates strong passwords as you need them, but also remembers and auto-fills them on your behalf. It can even serve as an authenticator for sites with two-factor authentication (2FA), adding an extra layer of security to your accounts.
The waiting game
It might be a while before every company drops their password expiration policy. If yours hasn’t yet, don’t worry. With a password manager like 1Password, you can quickly create strong and unique passwords every time you’re prompted to update an old one. You also have a secure place to store them and a full password history in case you ever need to check what you’ve chosen before.
No stress. No slowing down. And you’ll never have to ask your IT department to reset one of your passwords again. Bliss. 1Password is the easiest way to comply with the ‘90-day’ rule while you wait for your employer to realize the truth: mandatory password changes are no longer necessary, and should be replaced with a policy that simply demands strong, unique passwords.