For more than a decade, networking and security experts have recommended that people with access to online accounts use long and complicated passwords that make hacking difficult. In light of those recommendations, government organisations and businesses the world over have built into their password protection systems a requirement for users to change their passwords on a regular basis. Now there are questions from government security experts about whether forced password changes are a wise idea.
A recent publication released by the UK government's CESG group suggests that forced password expiration is outdated and counterproductive to security. The group recommends against forcing account holders to change their passwords regularly, offering the following reasons for the new guidance:
· New Password Selection – With the average consumer now holding dozens of online accounts, each requiring a separate password, CESG experts say that forcing users to select new passwords too often will likely lead many to choose less complicated passwords so they do not forget them. Less complicated usually means more vulnerable.
· Easy to Hack – Experts say that users forced to change a password by expiry are more likely to choose one similar to the password they are replacing. In effect, this makes the new password no more secure than the old one: if a hacker gets hold of an old password, it is relatively easy to work out the new one.
· Little Security Value – CESG also claims that there is little security value in changing passwords as long as users make their original choices lengthy, with a random combination of letters, numbers and symbols. For the small benefit that exists, it is simply not worth forcing users to change passwords and hoping that those passwords will be remembered.
· Help Desk Support – Lastly, forgetting passwords is one of the more common reasons for contacting help desk support. Help desk professionals spend time resetting passwords, knowing that the same users will contact them 30 days later for another reset. This is simply not a wise use of resources given the little benefit that forced password changes offer.
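The "Easy to Hack" point above is that a forced change usually produces a new password that is a small, predictable edit of the old one. Where a system does still require changes, one defensive measure is to reject such near-duplicates at change time. The following is an added example written for this article, not code from CESG or from any product it mentions; the transformations it checks (case changes, a swapped trailing digit or symbol, one password containing the other, a small edit distance) and the threshold of three edits are assumptions chosen for illustration.

```python
import re
from typing import Optional

# Added example (not from the CESG article): a change-password check that
# rejects a new password derived from the old one by the kind of trivial
# edits the article warns about. The threshold below is an assumption.


def _core(pw: str) -> str:
    """Lower-case and strip leading/trailing digits, symbols and spaces,
    so that 'Winter2023!' and 'Winter2024!' both reduce to 'winter'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance via the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, max_distance: int = 3) -> Optional[str]:
    """Return a human-readable reason if `new` is a predictable edit of
    `old`, or None if the change looks genuinely different."""
    if old == new:
        return "new password is identical to the old one"
    if old.lower() == new.lower():
        return "only letter case differs"
    core_old, core_new = _core(old), _core(new)
    if core_old and core_old == core_new:
        return "only a leading/trailing digit or symbol differs"
    if len(core_old) >= 4 and (core_old in new.lower() or core_new in old.lower()):
        return "one password contains the other"
    if _edit_distance(old.lower(), new.lower()) <= max_distance:
        return "within %d character edits of the old password" % max_distance
    return None


def change_password(old: str, new: str) -> bool:
    """Policy hook: accept the change only when the new password is not a
    near-duplicate. Real storage and hashing are out of scope here."""
    return too_similar(old, new) is None


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for pair in [("Winter2023!", "Winter2024!"),
                 ("P@ssw0rd", "P@ssword1"),
                 ("Tr0ub4dor&3", "xkcd-936 staple horse")]:
        print(pair, "->", too_similar(*pair))
```

The check is deliberately conservative: it flags the common patterns without trying to enumerate every possible edit, and each rejection carries a reason the user can act on rather than a bare "password rejected".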
In the modern world of networking and security, CESG says there are other ways to accomplish what password expiry used to accomplish a decade ago. The group offers the example of system monitoring tools that present users with their past login information every time they access one of their accounts. That information lets a user notice whether someone else has previously tried to access the account.
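The monitoring approach CESG describes above depends on keeping a record of authentication attempts and surfacing it to the account holder. The following is an added example illustrating one way to do that; it is not code from CESG or from any product the article mentions. The event log, the IP addresses and timestamps are constructed sample data, and the exact contents of the "since your last login" summary are a design choice made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Added example, not part of the CESG article: a minimal login-history
# monitor that records every authentication attempt and, after a successful
# login, summarises what happened since the user's previous successful login.


@dataclass
class LoginEvent:
    when: datetime
    source_ip: str
    success: bool


@dataclass
class LoginHistory:
    events: List[LoginEvent] = field(default_factory=list)

    def record(self, when: datetime, source_ip: str, success: bool) -> None:
        """Append one attempt and keep the log in time order."""
        self.events.append(LoginEvent(when, source_ip, success))
        self.events.sort(key=lambda e: e.when)

    def summary_since_last_login(self) -> dict:
        """Describe the window between the two most recent successful logins:
        when and from where the previous login happened, how many failed
        attempts occurred in between, and whether the current source IP
        has ever completed a login before."""
        successes = [e for e in self.events if e.success]
        if not successes:
            raise ValueError("no successful login recorded")
        current = successes[-1]
        previous: Optional[LoginEvent] = successes[-2] if len(successes) > 1 else None
        window_start = previous.when if previous else datetime.min
        failed = [e for e in self.events
                  if not e.success and window_start < e.when < current.when]
        earlier_ips = {e.source_ip for e in successes[:-1]}
        return {
            "previous_login": previous.when if previous else None,
            "previous_ip": previous.source_ip if previous else None,
            "failed_attempts": len(failed),
            "failed_ips": sorted({e.source_ip for e in failed}),
            "current_ip_seen_before": current.source_ip in earlier_ips,
        }


def banner(summary: dict) -> str:
    """Render the summary as the message shown to the user after login."""
    lines = []
    if summary["previous_login"] is None:
        lines.append("This is the first recorded login for this account.")
    else:
        lines.append("Last successful login: %s from %s"
                     % (summary["previous_login"].isoformat(sep=" "),
                        summary["previous_ip"]))
    if summary["failed_attempts"]:
        lines.append("%d failed attempt(s) since then from: %s"
                     % (summary["failed_attempts"], ", ".join(summary["failed_ips"])))
    else:
        lines.append("No failed attempts since then.")
    if not summary["current_ip_seen_before"]:
        lines.append("Note: this login comes from an address not used before.")
    return "\n".join(lines)


def demo_summary() -> dict:
    """Constructed sample history: one earlier login, three failures from a
    different address, then the current login from the usual address."""
    h = LoginHistory()
    h.record(datetime(2016, 4, 1, 9, 0), "203.0.113.10", True)
    h.record(datetime(2016, 4, 3, 22, 15), "198.51.100.7", False)
    h.record(datetime(2016, 4, 3, 22, 16), "198.51.100.7", False)
    h.record(datetime(2016, 4, 3, 22, 17), "198.51.100.7", False)
    h.record(datetime(2016, 4, 4, 8, 30), "203.0.113.10", True)
    return h.summary_since_last_login()


if __name__ == "__main__":
    print(banner(demo_summary()))
```

Only the window between the two latest successful logins is reported, so the user sees fresh information each time rather than an ever-growing list; a real deployment would persist the log server-side and never let the client supply its own history.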
CESG says it is time to rethink our password protocols. Is password management better left to the preferences of individual users, with administrators finding other ways to keep accounts secure, or do we need to stick with the way we have been doing things for so long? It will be interesting to see how security experts and system administrators respond to the new guidance.
Source: CESG – https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry