What Does Password Expiration Solve?
First, it’s important to understand why enforced password expirations became popular. Most organizations require a password change every 30 or 90 days. This dates from an era of simpler password hashes that could be cracked relatively quickly. Back when an attacker could crack a password in a couple of months, security practitioners suggested that changing it within that timeframe would help to keep users safe.
Today’s threat model looks rather different. Passwords protected with modern hashing algorithms could take billions of years to crack.
Nowadays criminals collect passwords in ways that focus on you, the user, instead of the service that stores them. Phishing and social engineering attacks are the greatest risks, as well as coordinated dictionary attacks using lists of known passwords. These lists are sourced from previous data breaches.
The changes in the threat landscape mean password expirations no longer solve the problem they were intended for. Compromises happen in seconds. By the time you change your password, the attackers are probably long gone.
The Issues With Password Expirations
Enforced password changes are a common frustration among users. They may be inclined to choose a succession of short passwords that are easily memorized. Some users will note each password down, potentially exposing it to compromise – whether in a text file, or as a desktop post-it note.
Research at the University of North Carolina found an attacker with access to previous passwords could determine the user’s current password in under 3 seconds in 41% of cases. This provides strong evidence that many users make only trivial changes to their passwords at the mandated interval.
Password expirations are meant to place a time limit on an attacker’s access to a compromised system. In today’s changed landscape, an intruder may already have persistent access by the time they steal the password list. Installing a key logger or other similar malware immediately sidesteps all the benefits of password expiration.
Finally, real-world pen-testers have stated they’re not encumbered by a password expiration policy. Such policies often defend against threats they cannot hope to contain. These days, regular password changes should be seen as an effort to encourage users to maintain security. In practice, they are poorly suited to this too, since they present an inconvenience that users will try to avoid.
The Tide’s Turning Against Changing Your Password
These factors combined have led several prominent organizations to turn against password change policies in recent years. From the UK’s National Cyber Security Centre (NCSC) to Microsoft’s official Windows security baseline, the once ubiquitous practice has rapidly dropped out of favor.
In a blog post in 2016, the NCSC explained that expirations present a “usability cost” to users that outweighs already questionable security benefits:
The impact of password fatigue is more likely to weaken an organization’s overall security posture, as users will choose less secure passwords and drop their guard against ongoing threats. Attackers won’t be perturbed by a password expiration policy – information gets stolen in an instant, usually long before a scheduled password change could mitigate the impact.
What To Use Instead?
System administrators still have several tools to protect their organizations. Of the options available, education can be one of the strongest long-term approaches. Explain to users the risks of low-security passwords to encourage them to make safer choices.
You should also adopt a multi-factor authentication approach. Adding an authentication app to the equation prevents attackers from using passwords, even if they successfully steal them. This wasn’t possible back when password expiration policies first started to be adopted.
If you still insist on regular password changes, or your industry has legislation that requires it, find ways to help your users. Providing approved password management software will let users generate and store secure passwords, without resorting to simple phrases scrawled on note paper.
Dropping password expirations doesn’t mean abandoning all password control mechanisms. You can still enforce a minimum length and complexity to guide users towards strong choices. In addition, you should retain the ability to invalidate passwords so you can quickly lock down your systems in the event of a breach.
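Putting the recommendations above into practice, here is an added example (not code from the original article) of a password-acceptance check that replaces expiry with a minimum length, a lookup against a breached-password list, and a rejection of the trivial variations on a previous password that the UNC research describes. The policy value, the sample breach list and the substitution table are assumptions.

```python
import re
from typing import Iterable, Optional

# Assumed policy value: a minimum length instead of a rotation interval.
MIN_LENGTH = 8

# Constructed sample entries standing in for a breached-password list; a real
# deployment would load this from a breach corpus, not hard-code it.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "summer2023"}

# Common character substitutions users apply to "change" a password (assumed).
LEET = (("@", "a"), ("$", "s"), ("0", "o"), ("1", "i"), ("3", "e"))


def _normalize(pw: str) -> str:
    """Collapse the trivial edits users make at forced rotations: case,
    an appended year or symbol run, and l33t-style substitutions."""
    pw = pw.lower()
    pw = re.sub(r"[\W\d_]+$", "", pw)  # drop a trailing "2023!" style suffix
    for src, dst in LEET:
        pw = pw.replace(src, dst)
    return re.sub(r"^\W+|\W+$", "", pw)  # drop leftover punctuation at either end


def _is_trivial_change(candidate: str, previous: str) -> bool:
    """True when the candidate is only a small variation on a previous password."""
    a, b = _normalize(candidate), _normalize(previous)
    if not a or not b:
        return False  # nothing alphabetic left to compare
    if a == b:
        return True
    # Only treat containment as trivial when the shared core is long enough
    # that it is unlikely to be a coincidence.
    return min(len(a), len(b)) >= 6 and (a in b or b in a)


def evaluate_password(candidate: str, previous: Iterable[str] = (),
                      breached: set = BREACHED_PASSWORDS) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise the reason it fails."""
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if candidate.lower() in breached or _normalize(candidate) in breached:
        return "appears in a known breach list"
    for old in previous:
        if _is_trivial_change(candidate, old):
            return "trivial variation of a previous password"
    return None
```

Checking the normalized form against the breach list is what catches "P@ssw0rd2025" even though the raw string never appears in the list.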
Conclusion: Time to Stop Expiring Passwords
Password expirations used to be reasonably effective at stopping the cyberattacks of yesterday’s web. Now they’re more trouble than they’re worth. Continuing to enforce regular password changes will frustrate users, cause more IT help desk queries and deliver negligible – or negative – effects on your security posture.
Expiration policies were helpful when the web was a smaller and slower place. The internet and its threats have evolved immensely over the past couple of decades. It’s now more common for users to tell an attacker their password, in a phishing email or on a scam call, than for a password to actually be “stolen” by an intruder.
For systems where persistent access is a risk, acquiring a privileged user’s password once usually gives an attacker the capability to install a backdoor or set up their own user account. With so many factors stacking against password expiration as a security mitigation, it’s now more important to focus on basic password hygiene and the bigger picture of cyber defenses.
Dropping your password expiration policy should please users and contribute to your security standing. Weigh the security benefits of your password practices against the usability cost of making users relearn their credentials every few months. Many compliance regulations such as PCI-DSS and HIPAA still require regular password changes but in non-regulated industries, you should now think twice before using mandated expirations.