IT and Business Insights for SMB Solution Providers

Letting Password Expirations Expire

Some security experts says the practice of password rotation has become increasingly irrelevant and potentially counterproductive. By James E. Gaskin

ACCORDING TO ANCIENT SCROLLS of computer history, the first complaint about passwords came one minute after the first password was issued. Users hate passwords and they don't handle them well.

One reason has been the best practice of password rotations, in which users are required to change their passwords periodically (typically every 90 days). According to some security experts, however, this practice has become increasingly irrelevant and potentially counterproductive.

"The 90-day rule came based on how long it took to break passwords in the past, but that's different now,” says Cody Beers, a static analysis vulnerability engineer at WhiteHat Security.

In fact, the National Institute of Standards and Technology (NIST), which advises the federal government on cybersecurity practices, no longer suggests periodic password changes, but instead recommends doing so only if there is evidence of a breach.

Password management and security vendors like Keeper Security are buying in. "We advise customers to follow the NIST 800-63 guidelines, which state that users shouldn’t be forced to change passwords at arbitrary intervals, but only when there is evidence that their passwords have been compromised," says Michael Chester, senior director of business development.

Beers agrees. “Password changes should not be required often, and password files should be hashed and salted." (“Hashing” turns a password into a longer, more complicated string of characters. “Salting” adds extra characters to the user’s password before hashing).

He says password rotation can actually weaken security. If a company forces password expirations and doesn't allow users to reuse passwords, it means those passwords are stored in a database in plain text on a company server so new passwords can be compared quickly. In a breach, all those passwords would be grabbed, Beers explains.

So what recommendations should channel pros make to their clients around password protection? According to Beers, "The best option is for the company to compare a new user password with lists of those used by hackers in previous breaches. There are plenty of places to get lists of usernames and passwords." Crackers use those lists too. "Credential stuffing is constantly using old stolen passwords."

NIST suggests the use of long and memorable rather than short and complex passwords. All special characters should be allowed, and passwords should be at least eight characters.

Multifactor authentication can also improve security. “If multifactor authentication is active, we don't suggest changing the passwords,” says Michele Miller, president of Ener Systems, an IT services provider in Covington, La. If MFA isn’t in effect, the company recommends 90-day password changes along with the use of a password manager like SolarWinds Passportal, “so passwords are easy to manage,” says Miller.

Since expiring passwords aggravate users, the current thinking on that will be music to their ears, and may make them more inclined to embrace password managers and multifactor authentication.

Image: iStock

About the Author

James E. Gaskin's picture

JAMES E. GASKIN is a ChannelPro contributing editor and former reseller based in Dallas.

ChannelPro SMB Magazine

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.