Many companies use a password policy that requires their users to change passwords every 60-90 days or so. But does that really protect them from hackers and bad actors? The answer might surprise you.
We’ve come a long way since computer passwords first became a thing. Back in 2003, NIST published 800-63, and with it came what would become the standard password practices of most businesses:
- 8 characters minimum
- Using a mix of uppercase, lowercase, numbers and symbols would make it stronger
- 60-90 day change frequency, based on how long they figured it would take to crack a password
These held true for over a decade, but now industry experts suggest otherwise.
So what went wrong?
…The users are all human!
Everyone followed similar behaviors. They:
- Used a single, common word as the base of the password
- Capitalized the first letter
- Added a number to the end
- Added ! to the end
- Substituted @ for a, ! for I
- Wrote passwords down
- Made slight modifications when changing, such as Tarheel1 => Tarheel2 => Tarheel3
- Used certain letters and numbers far more often than others, such as: e, 1
Frequent password changes made the above even more prevalent. If users always had to change, they reverted to simpler passwords and simpler changes, which made them easy to crack and easy to guess.
Predictable passwords and predictable changes made it easy for hackers. Imagine if your password was Dinosaur1, and a hacker got it.
Even if you changed your password after 60 days, the hacker has a pretty good idea what to try next – Dinosaur2, Dinosaur1!, etc.
It turns out that the NIST password policy did not produce strong passwords, as originally conceived.
We know this from research studies on password histories and from analyses of passwords gleaned from data breaches (see references below).
So in June 2017, NIST revised and updated Publication 800-63, suggesting longer and better passwords, and not changing passwords simply because 2 months had passed. In June 2019, Microsoft followed suit on their baseline password policy recommendations.
From Microsoft’s new policy:
If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, yet our current baseline says 60 days, and used to say 90 days, because forcing frequent expiration introduces its own problems. If it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.
The main takeaway is to stop forcing timed password changes. Instead, require users to make one really good, strong password. What makes a good password? We’re glad you asked…
Size Matters – Length vs Complexity
Password strength is measured in “bits of entropy”, which is a measure of how many guesses it would take to determine the characters correctly.
For a single character, this table shows the bits of entropy:
| Type | Bits of Entropy |
|---|---|
| Numbers only | 3.32 |
| Lowercase letters | 4.70 |
| Upper and lowercase letters | 5.70 |
| All characters, including symbols | 6.57 |
Multiply those bits by the number of characters. For example, with upper and lowercase letters (5.70 bits per character):
11 characters x 5.70 = 62.70 bits
| Character set | 11 Characters | 12 Characters | 16 Characters | 20 Characters |
|---|---|---|---|---|
| Letters only | 62.70 | 68.41 | 91.21 | 114.01 |
| Require digits | 65.26 | 71.26 | 95.18 | 119.04 |
One character longer, even with letters only, is stronger than letters + numbers (68.41 > 65.26).
Every increase by 1 character translates to double the strength. This is important because as technology improves and computers get faster, it becomes easier for passwords to be cracked.
In 2011, 8 character passwords could be cracked in 44 days. Now, they can be cracked in 2.5 hours. But a 14 character password would take 900,000 years.
Longer passwords = Stronger passwords
You could still add numbers and symbols, but they are less important.
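The arithmetic behind both tables above, as an added example (this is not code from the original post). The per-character figures are log2 of the character-set size, and the “Letters only” row is length x log2(52). The post does not say how the “Require digits” row was computed; its figures match log2(62^n - 52^n), the number of letter-and-digit strings of length n that contain at least one digit, so that is the formula assumed here (the 11-character entry comes out as 65.27, a hundredth away from the post's 65.26, which looks like a rounding difference). The block also shows what the bits mean in guesses: every extra bit doubles the search, so every extra letter multiplies it by 2^5.70, about 52 times. The guess rate used in the time estimate is a made-up placeholder, not a measured figure.

```python
import math

# Character-set sizes behind the post's per-character table.
CHARSETS = {
    "Numbers only": 10,
    "Lowercase letters": 26,
    "Upper and lowercase letters": 52,
    "All characters, including symbols": 95,   # printable ASCII
}


def bits_per_char(set_size: int) -> float:
    """Entropy of one character chosen uniformly from set_size symbols."""
    return math.log2(set_size)


def letters_only_bits(length: int) -> float:
    """'Letters only' row: every position is one of 52 letters."""
    return length * bits_per_char(52)


def require_digits_bits(length: int) -> float:
    """'Require digits' row. ASSUMPTION (not stated on the page): the figures
    match log2(62^n - 52^n), i.e. alphanumeric strings with at least one digit."""
    return math.log2(62 ** length - 52 ** length)


def guesses(bits: float) -> float:
    """Guesses an exhaustive search needs; each additional bit doubles this."""
    return 2.0 ** bits


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case search time at a given guess rate (rate is caller-supplied)."""
    return guesses(bits) / guesses_per_second


def strength_table(lengths=(11, 12, 16, 20)) -> dict:
    """Rebuild the post's length-vs-character-set table, rounded to 2 decimals."""
    return {n: (round(letters_only_bits(n), 2), round(require_digits_bits(n), 2))
            for n in lengths}


if __name__ == "__main__":
    for name, size in CHARSETS.items():
        print(f"{name:<36} {bits_per_char(size):.2f} bits/char")
    print()
    print("length  letters-only  require-digits")
    for n, (letters, digits) in strength_table().items():
        print(f"{n:>6}  {letters:>12.2f}  {digits:>14.2f}")
    # One extra letter multiplies the search by 2^5.70, i.e. about 52x.
    ratio = guesses(letters_only_bits(12)) / guesses(letters_only_bits(11))
    print(f"\n12 vs 11 letters: {ratio:.1f}x more guesses")
    # PLACEHOLDER rate, chosen only to show the scaling; not a real benchmark.
    rate = 1e10
    for n in (8, 12, 16):
        years = crack_time_seconds(letters_only_bits(n), rate) / (365 * 24 * 3600)
        print(f"{n} letters at {rate:.0e} guesses/s: {years:.3g} years")
```

Because the “Require digits” count removes the all-letter strings from the 62-symbol space, the penalty is largest at short lengths and fades as the length grows, which is why the two rows converge in the table.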
What should you be doing for passwords?
- Don’t change passwords on a timer. Change only if there’s a real need, such as a data breach.
- Make a long password or passphrase – 12 or more characters.
- Use Two-Factor Authentication, such as a code to your phone or an app
References and additional resources
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
https://blogs.technet.microsoft.com/secguide/2019/05/23/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903/
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
https://blog.lastpass.com/2018/08/often-change-password.html/
https://www.sans.org/security-awarenes-training/blog/time-password-expiration-die
https://www.govtech.com/security/Widely-Used-Password-Advice-Turns-Out-to-Be-Wrong-NIST-Says.html