March 18, 2020

Letting Password Expirations Expire

Some security experts say the practice of password rotation has become increasingly irrelevant and potentially counterproductive.

According to ancient scrolls of computer history, the first complaint about passwords came one minute after the first password was issued. Users hate passwords and they don’t handle them well.

One reason is the long-standing best practice of password rotation, in which users are required to change their passwords periodically (typically every 90 days). According to some security experts, however, this practice has become increasingly irrelevant and potentially counterproductive.

“The 90-day rule came based on how long it took to break passwords in the past, but that’s different now,” says Cody Beers, a static analysis vulnerability engineer at WhiteHat Security.

In fact, the National Institute of Standards and Technology (NIST), which sets cybersecurity guidance for federal agencies, no longer recommends periodic password changes; its guidance is to force a change only when there is evidence that a password has been compromised.

Password management and security vendors like Keeper Security are buying in. “We advise customers to follow the NIST 800-63 guidelines, which state that users shouldn’t be forced to change passwords at arbitrary intervals, but only when there is evidence that their passwords have been compromised,” says Michael Chester, senior director of business development.

Beers agrees. “Password changes should not be required often, and password files should be hashed and salted.” (Hashing runs the password through a one-way function that yields a fixed-length digest from which the password cannot be recovered, so a stolen password file gives an attacker hashes rather than passwords. Salting adds a random per-user value to the password before hashing, so identical passwords produce different digests and precomputed lookup tables are useless.)

He says password rotation can actually weaken security. If a company forces password expirations and doesn’t allow users to reuse passwords, it means those passwords are stored in a database in plain text on a company server so new passwords can be compared quickly. In a breach, all those passwords would be grabbed, Beers explains.
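The salting and hashing Beers describes, shown as an added example that is not code from the article or from WhiteHat Security. It stores only salted hashes and enforces a no-reuse history by re-hashing the candidate password under each stored salt, so the reuse check needs no plaintext on file. The algorithm choice (PBKDF2-HMAC-SHA256), the 16-byte salt, the history depth and the in-memory store are assumptions made for the example:

```python
"""Added example, not code from the article or from WhiteHat Security: store
passwords as salted hashes and enforce a no-reuse history without keeping
any plaintext on file.

Assumptions (mine, not the article's): PBKDF2-HMAC-SHA256 with a random
16-byte salt per stored hash, a history of the last HISTORY_DEPTH hashes
per user, and an in-memory dict standing in for the credential database.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

HISTORY_DEPTH = 5        # how many old hashes to keep for the reuse check
ITERATIONS = 200_000     # work factor; tune upward for production hardware

Entry = Tuple[bytes, bytes]   # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Entry:
    """Salt then hash. A fresh random salt is drawn when none is supplied,
    so two users with the same password end up with different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class CredentialStore:
    """Holds only (salt, digest) pairs; the plaintext never touches the store."""

    def __init__(self) -> None:
        self._current: Dict[str, Entry] = {}
        self._history: Dict[str, List[Entry]] = {}   # newest first

    def is_recently_used(self, user: str, password: str) -> bool:
        """The reuse check re-hashes the candidate under each old salt, so a
        history can be enforced without storing any old password in clear."""
        entries = self._history.get(user, [])
        if user in self._current:
            entries = [self._current[user]] + entries
        return any(verify_password(password, s, d) for s, d in entries)

    def set_password(self, user: str, password: str) -> None:
        if self.is_recently_used(user, password):
            raise ValueError("password matches one of the recent passwords")
        if user in self._current:
            old = [self._current[user]] + self._history.get(user, [])
            self._history[user] = old[:HISTORY_DEPTH]
        self._current[user] = hash_password(password)

    def check_login(self, user: str, password: str) -> bool:
        entry = self._current.get(user)
        if entry is None:
            hash_password(password)   # spend the same time for unknown users
            return False
        return verify_password(password, *entry)
```

The cost of the history check is one PBKDF2 derivation per stored entry, which is why the history is capped; the constant-time compare and the dummy derivation for unknown usernames keep timing from leaking whether an account exists.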

So what recommendations should channel pros make to their clients around password protection? According to Beers, “The best option is for the company to compare a new user password with lists of those used by hackers in previous breaches. There are plenty of places to get lists of usernames and passwords.” Crackers use those lists too. “Credential stuffing is constantly using old stolen passwords.”

NIST favors long, memorable passphrases over short, complex passwords. Verifiers should accept every printable character, including spaces and non-ASCII characters, should require at least eight characters (and allow at least 64), and should impose no composition rules such as a mandatory mix of digits and symbols.
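The checks described in this and the preceding paragraph, as an added example that is not code from the article or from NIST: a candidate password is accepted or rejected on length, on a context-specific match against the username (a check the article does not mention but which the same NIST guidance calls for), and on a comparison against a breach corpus of the kind Beers describes, with no composition rules and no expiry. The breach corpus is a constructed sample embedded below, indexed by SHA-1 prefix in the style of the Have I Been Pwned range API; that layout, the length limits and the NFKC normalization are assumptions made for the example:

```python
"""Added example, not code from the article or from NIST: accept or reject a
candidate password along the lines of NIST SP 800-63B, including the
breached-password comparison Beers describes.

Assumptions (mine, not the article's): the breach corpus is the small
constructed list below, indexed as SHA-1 digests by 5-hex-character prefix
the way the Have I Been Pwned range API serves them; a real deployment would
load a full corpus or query that API with the prefix only.
"""
import hashlib
import unicodedata
from typing import Dict, Iterable, List, Set

MIN_LENGTH = 8       # NIST 800-63B minimum for user-chosen secrets
MAX_LENGTH = 256     # NIST asks for at least 64; no reason to be stingy

# Constructed sample standing in for a real breach corpus.
CONSTRUCTED_BREACH_SAMPLE = [
    "password", "123456", "qwerty", "letmein", "Summer2019!", "P@ssw0rd",
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords: Iterable[str]) -> Dict[str, Set[str]]:
    """prefix (5 hex chars) -> set of the remaining 35 hex chars."""
    index: Dict[str, Set[str]] = {}
    for p in passwords:
        h = sha1_hex(p)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_breach_index(CONSTRUCTED_BREACH_SAMPLE)


def is_breached(password: str, index: Dict[str, Set[str]] = BREACH_INDEX) -> bool:
    """k-anonymity style lookup: only the prefix would leave the client;
    the suffix comparison happens locally."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def evaluate_password(password: str, username: str = "",
                      index: Dict[str, Set[str]] = BREACH_INDEX) -> List[str]:
    """Return the reasons for rejection; an empty list means accepted.
    Deliberately absent: composition rules (digits, symbols, case mixes)
    and any expiry date."""
    reasons: List[str] = []
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)            # code points, not bytes
    if length < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if any(unicodedata.category(c) == "Cc" for c in normalized):
        reasons.append("contains control characters")
    if username and username.lower() in normalized.lower():
        reasons.append("contains the username")
    if is_breached(normalized, index):
        reasons.append("appears in a known breach corpus")
    return reasons
```

Note that "P@ssw0rd" passes every composition rule a 90-day policy would typically impose and is still rejected, because it sits in the breach sample; that is the point of the blocklist check over complexity requirements. Only the hash prefix is ever needed outside the client, which is what makes an online lookup against a public corpus acceptable.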

Multifactor authentication can also improve security. “If multifactor authentication is active, we don’t suggest changing the passwords,” says Michele Miller, president of Ener Systems, an IT services provider in Covington, La. If MFA isn’t in effect, the company recommends 90-day password changes along with the use of a password manager like SolarWinds Passportal, “so passwords are easy to manage,” says Miller.

Since expiring passwords aggravate users, the current thinking on that will be music to their ears, and may make them more inclined to embrace password managers and multifactor authentication.

Image: iStock
