password, password changes, frequency, IT, IT security, security

Did you know that frequent password changes actually weaken security?

When companies force their employees to change passwords several times a year, it is likely to cause them stress and cognitive overload. To lighten the burden, employees tend to create passwords that follow predictable patterns, change a letter to a similar-looking symbol, add or delete a special character, or switch the order of digits or special characters.

Employees that have to memorize several different passwords also tend to handle this by leaving sessions logged in, writing down passwords and sharing them with coworkers.

In order for security measures to work, employees must be able to the use them efficiently and effectively. In short, security depends on usability.

To increase usability, companies may provide a single/common sign on to minimize the number of passwords to remember. Companies could also consider allowing employees to “write down” passwords in a secure manner, for example using a good password manager.

Password managers also allow employees to manage unique passwords for different services that do not belong to the same security domain. This practice will minimize the chance of a compromise, and it is definitely something that companies should encourage.

So what is the optimal password change frequency?

Some argue that password changes is really only required if a password may have been compromised. Knowing if your account has been compromised can be challenging. Therefore, some password change routine should be implemented.

Based on experience, password quality tends to drop when users are forced to change their credentials multiple times a year.

As a general guideline, Encripto recommends changing user passwords once a year as a minimum. Twice a year would be a more balanced approach that keeps both usability and security in mind. In addition, companies may define different password policies, depending on the importance of the asset protected by the credentials and/or the target user population.