Mandatory Password Changes are No Longer Effective

Frequent password changes, once a staple of cybersecurity, are no longer effective. While initially designed to protect against basic threats, they often lead to weaker passwords and unnecessary disruptions.

123456: still one of the most used passwords. Wondering why?

I want to stress this, because it's not unusual, especially on public systems, to be asked to change your password frequently, every three months, say. For years this has been the default security measure in many organizations, governments, and websites. It's seen as a simple, proactive way to protect sensitive data. However, as cybersecurity experts continue to refine their understanding of the risks, it's becoming clearer that frequent password changes may no longer be as effective as they were assumed to be.

A Bit of Boring History

The tradition of mandatory password changes dates back to the 1980s when computing security was still in its infancy. Early systems often relied on basic, easily hackable security measures, such as static passwords. In a time when brute-force attacks or unmonitored password leaks were more common, the idea was that regularly updating passwords would reduce the chances of a password being compromised over time. This approach worked back then because attackers didn't have access to enough computational power. Today, however, that's no longer the case.

As cyber threats evolved, so did security strategies. The idea of changing passwords every 30, 60, or 90 days became standard in many organizations, bolstered by the belief that frequent updates would minimize the damage caused by stolen credentials. Even with more sophisticated authentication technologies available, this practice persisted as a just-in-case approach.

Frequent Password Changes Aren't as Effective

Recent studies and feedback from security professionals have shown that frequent password changes often do more harm than good. Some of the reasons include:

  1. Weakening Password Strength: When users are forced to change passwords frequently, they tend to choose weaker passwords or reuse the same ones with small variations. For example, adding a number or changing a letter might seem like a quick fix, but it provides almost no additional security. In some cases, the constant churn leads users to pick simpler, easier-to-remember passwords, defeating the purpose of having strong security measures in place.
  2. The Human Factor: Constantly changing passwords increases the likelihood of users forgetting their credentials or writing them down, which makes them more vulnerable to unauthorized access. Some users resort to insecure password managers, or worse, sticky notes with passwords written on them, which cancels out any security benefit.
  3. Unnecessary Disruption: Frequent password changes introduce a lot of unnecessary friction for users. This leads to frustration and a tendency to ignore security best practices altogether, such as using multifactor authentication (MFA) or a unique password for each service. Reliance on frequent changes creates a false sense of security while more effective, modern solutions are ignored.
  4. Not Addressing Real Threats: The real threats today are much more advanced. Attackers rarely need to guess passwords at all; instead they exploit data breaches, phishing, and sophisticated social engineering. Regular password changes do little to prevent these types of attacks (can you imagine an attacker sitting on your password for 60 days, pondering it like a philosopher? 😅).
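Item 1 above is why modern guidance replaces forced rotation with screening: when a user does change a password, reject the "small variation" of the old one instead of accepting it. The following is an added example, not code from the original post; the normalization rules and the similarity threshold are my own assumptions, illustrating how such a check can be built rather than prescribing a standard.

```python
import re
from difflib import SequenceMatcher

# Constructed illustration: a password-change check that rejects cosmetic
# variations of the previous password (Password1 -> Password2, Summer! -> Summer!!).
# Substitution list and 0.8 threshold are assumptions chosen for this example.
LEET_SUBSTITUTIONS = (("0", "o"), ("1", "l"), ("3", "e"), ("@", "a"), ("$", "s"))


def normalize(pw: str) -> str:
    """Strip the decorations users typically tack on: case, leading and
    trailing digits/punctuation, and a few common leetspeak substitutions."""
    core = pw.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    for src, dst in LEET_SUBSTITUTIONS:
        core = core.replace(src, dst)
    return core


def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is essentially the old one with cosmetic edits."""
    a, b = normalize(old), normalize(new)
    if not a or not b:
        # Both all-digit/all-symbol passwords normalize to "" and count as the same.
        return a == b
    if a == b or a in b or b in a:
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_password_change(old: str, new: str) -> str:
    """Return 'ok' or the reason the change is rejected."""
    if new == old:
        return "rejected: unchanged"
    if is_trivial_variation(old, new):
        return "rejected: trivial variation of previous password"
    return "ok"
```

In a real deployment the old password is only available in cleartext at the moment the user supplies it for the change, so this check belongs in the change-password handler, before the new hash is stored.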

What Should We Focus On Instead?

A strong password, stored safely, plus a second factor. Simple, yet still effective. Remember: if you store your second factor alongside your password, it's not really a second factor anymore.