Users hate changing passwords. Passwords are hard to remember and you’re not supposed to write them down. That’s why it’s common to see both weak passwords (qwerty1234 and your dog’s name are a lot easier to remember than HGF45DEsre%$) and the same password reused across many different websites. Forced periodic changes make this worse: users respond with small, predictable edits, such as bumping a trailing digit, that an attacker who already holds the old password can guess.
This is why the National Institute of Standards and Technology (NIST) changed its password guidance in Special Publication 800-63B to make routine, calendar-driven password changes a thing of the past. And last week Microsoft followed suit by dropping periodic password expiration from its Windows security baseline.
In explaining the change in their Password Expiration Baseline, Microsoft wrote the following: “If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”
The new recommendations for users:
- Use a long passphrase as your password: length matters more than complexity, because every extra character multiplies the work of a guessing attack while substitution rules like a→@ are the first thing cracking tools try
- Use a different password for every site: that way the compromise of one website puts only your password for that site at risk, not your email or bank login
- Enable multi-factor authentication (MFA): your password is something you know; the second factor is something you have (a hardware token or phone app that generates a code that changes every 30 to 60 seconds) or something you are (a fingerprint or face scan)
- Change a password only when there is reason to suspect it has been compromised, for example after a breach notice or a sign-in you don’t recognize
Before relaxing password expiration requirements, IT departments should also implement the rest of Microsoft’s recommendations, since the new policy only holds up when these controls are in place:
- Prohibit passwords that are easily guessable, by screening new passwords against a banned-password list that includes common passwords and leaked ones
- Enforce multi-factor authentication
- Set alerts to detect password-guessing attacks, including password spraying, where an attacker tries one or two common passwords against many accounts and so never trips a per-account lockout
- Set alerts to detect anomalous logon attempts, such as a successful logon from a source that has just produced a burst of failures
- Lock an account after a small number of failed logon attempts within a short window, and remember that a lockout stops brute force against one account but not spraying across many
- Enforce password changes only in response to suspicion of password compromise
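The list above is a procedure, and three of its items are things a defender can check in code. The following is an added example, not code from the original article or from Microsoft: it screens a candidate password against a small constructed banned list (undoing the usual letter-for-digit substitutions first), then runs simple detection logic over constructed Windows-style logon events. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security log IDs; the log lines, user names, IP addresses, thresholds and windows are all assumptions chosen for illustration.

```python
"""Added example: banned-password screening plus password-guessing,
password-spraying and anomalous-logon detection over sample logon events.
Not from the original article; all sample data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed banned list, stored in normalized form. A real deployment would
# load a breach corpus such as a "have I been pwned" hash set instead.
BANNED = {"password", "qwerty", "welcome", "letmein", "summer", "spring"}

# Undo the substitutions users make to satisfy complexity rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})
TRAILING = "0123456789!@#$%^&*.-_ "


def normalize(pw):
    """Lowercase, drop trailing digits/symbols, undo leet-speak,
    so 'P@ssw0rd!2019' and 'Summer2019!' map to 'password' and 'summer'."""
    return pw.lower().rstrip(TRAILING).translate(LEET)


def password_acceptable(pw, min_len=14):
    """Banned-list check first (it is the stronger signal), then length."""
    if normalize(pw) in BANNED:
        return (False, "on banned list")
    if len(pw) < min_len:
        return (False, "too short")
    return (True, "ok")


# Constructed security-log lines: "<ISO time> <EventID> <user> <source IP>".
# 4625 = failed logon, 4624 = successful logon (real Windows event IDs).
SAMPLE_LOG = """\
2019-05-06T09:00:01 4624 alice 192.0.2.10
2019-05-06T09:01:10 4625 jsmith 198.51.100.20
2019-05-06T09:01:12 4625 jsmith 198.51.100.20
2019-05-06T09:01:15 4625 jsmith 198.51.100.20
2019-05-06T09:01:17 4625 jsmith 198.51.100.20
2019-05-06T09:01:20 4625 jsmith 198.51.100.20
2019-05-06T09:01:22 4625 jsmith 198.51.100.20
2019-05-06T09:10:00 4625 alice 203.0.113.7
2019-05-06T09:10:30 4625 bob 203.0.113.7
2019-05-06T09:11:00 4625 carol 203.0.113.7
2019-05-06T09:11:30 4625 dave 203.0.113.7
2019-05-06T09:12:00 4624 dave 203.0.113.7
2019-05-06T09:30:00 4625 bob 192.0.2.11
"""


def parse(log):
    """Return chronologically ordered (timestamp, event_id, user, ip) tuples."""
    events = []
    for line in log.splitlines():
        ts, eid, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), user, ip))
    return events


def brute_force_lockouts(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failures inside `window`: the condition an
    account-lockout policy acts on. Sliding window of timestamps per account."""
    recent = defaultdict(deque)
    locked = set()
    for ts, eid, user, _ in events:
        if eid != 4625:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked.add(user)
    return locked


def spray_sources(events, min_accounts=3, window=timedelta(minutes=30)):
    """Source IPs that fail against >= min_accounts distinct users inside
    `window`: the password-spraying pattern a per-account lockout never sees."""
    attempts = defaultdict(list)  # ip -> [(ts, user)]
    flagged = set()
    for ts, eid, user, ip in events:
        if eid != 4625:
            continue
        attempts[ip].append((ts, user))
        users = {u for t, u in attempts[ip] if ts - t <= window}
        if len(users) >= min_accounts:
            flagged.add(ip)
    return flagged


def anomalous_logons(events, prior_failures=3, window=timedelta(minutes=30)):
    """Successful logons from a source that produced >= prior_failures
    failed logons (against any account) in the preceding `window`."""
    fails = defaultdict(deque)  # ip -> timestamps of failures
    found = []
    for ts, eid, user, ip in events:
        q = fails[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if eid == 4625:
            q.append(ts)
        elif eid == 4624 and len(q) >= prior_failures:
            found.append((user, ip))
    return found


def analyze(log=SAMPLE_LOG):
    events = parse(log)
    return {"locked": brute_force_lockouts(events),
            "spray_sources": spray_sources(events),
            "anomalous": anomalous_logons(events)}


if __name__ == "__main__":
    for pw in ("P@ssw0rd!2019", "HGF45DEsre%$", "correct horse battery staple"):
        print(pw, password_acceptable(pw))
    print(analyze())
```

On the sample data, jsmith’s six rapid failures trip the lockout rule, 203.0.113.7 is flagged as a sprayer after touching its third account even though no single account it hit would ever lock, and dave’s subsequent successful logon from that same address is reported as anomalous because it follows a burst of failures; that last item is the alert that matters, since it is the success the attacker was after. In production these heuristics would be tuned per environment and fed from the domain controllers’ Security logs rather than a string.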
Implementing multi-factor authentication (MFA) is critical to eliminating password expiration safely. With MFA, even if a cybercriminal obtains a user’s password, it is useless on its own without the second factor. That holds only if the second factor is NOT something else the user knows, such as a mother’s maiden name or the year they got their first car. These knowledge-based authentication (KBA) answers are frequently discoverable from public records or social media and provide no more security than the password itself.