Customers ask us about passwords and we thought it would be helpful to put together a Frequently Asked Questions document to address some of the more common ones.
Q1. How often should we force users to rotate their passwords?
A1. It used to be that ‘security best practice’ dictated that users should be forced to rotate their passwords every 90 days. A significant body of research has shown this is actually causing more problems than it solves. The National Institute of Standards and Technology (NIST) is considered authoritative on cybersecurity topics and has the following to say about password rotation:
NIST Special Publication 800-63B, section 5.1.1.2 on Memorized Secret Verifiers, includes: “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
Further explanation of this reasoning is presented in the Frequently Asked Questions:
- Question Q-B05 asks: “Is password expiration no longer recommended?” Answer A-B05: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old, memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”
Q2. What is the recommendation for password length / strength?
A2. Password length is king; composition rules (e.g. lower case, upper case, special characters, etc.) are not as helpful as we once thought. Length should be dictated by the desired level of security as appropriate to your organization, but 15 characters is considered generally acceptable assuming other factors are also checked (non-dictionary, no sequential characters, no keywords such as usernames, service names, etc.).
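As an added example (not code from the original article), the following Python check applies the A2 criteria at password-set time and also rejects the "common transformation" of a previous password that A-B05 warns about; the blocklist, username and service name are constructed sample values, and the 4-character threshold for a sequential run is an assumption.

```python
import re

# Constructed sample blocklist standing in for a real dictionary/breach list.
BLOCKLIST = {"password", "letmein", "welcome1", "summer2024"}


def has_sequential_run(pw, run_len=4):
    """True if pw contains run_len or more consecutive characters that each
    step by +1 or -1 in code-point order (e.g. 'abcd', '4321'). Threshold is an assumption."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run_len + 1):
        window = codes[i:i + run_len]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _base(pw):
    """Normalise away the transformations A-B05 describes: case changes and
    a trailing run of digits/punctuation (the 'increment a number' trick)."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(candidate, username, service, previous=None):
    """Return the list of reasons the candidate fails; an empty list means accepted.
    username/service are context words that must not appear in the secret."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < 15:                       # A2: length is king
        problems.append("shorter than 15 characters")
    if lower in BLOCKLIST or _base(candidate) in BLOCKLIST:
        problems.append("appears in the blocklist (dictionary/breach)")
    if has_sequential_run(candidate):
        problems.append("contains a sequential run of characters")
    for word in (username, service):
        if word and word.lower() in lower:
            problems.append(f"contains the context word {word!r}")
    # A-B05: a forced change must not be a trivial variant of the old secret.
    if previous is not None and _base(candidate) == _base(previous):
        problems.append("is a common transformation of the previous password")
    return problems
```

Run `check_password("correct horse battery staple", "alice", "acmeportal")` to see an accepted secret return an empty list.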