
March 18, 2020

Letting Password Expirations Expire

Some security experts say the practice of password rotation has become increasingly irrelevant and potentially counterproductive.

ACCORDING TO ANCIENT SCROLLS of computer history, the first complaint about passwords came one minute after the first password was issued. Users hate passwords and they don’t handle them well.

One reason has been the best practice of password rotations, in which users are required to change their passwords periodically (typically every 90 days). According to some security experts, however, this practice has become increasingly irrelevant and potentially counterproductive.

“The 90-day rule came based on how long it took to break passwords in the past, but that’s different now,” says Cody Beers, a static analysis vulnerability engineer at WhiteHat Security.

In fact, the National Institute of Standards and Technology (NIST), which advises the federal government on cybersecurity practices, no longer suggests periodic password changes, but instead recommends doing so only if there is evidence of a breach.

Password management and security vendors like Keeper Security are buying in. “We advise customers to follow the NIST 800-63 guidelines, which state that users shouldn’t be forced to change passwords at arbitrary intervals, but only when there is evidence that their passwords have been compromised,” says Michael Chester, senior director of business development.

Beers agrees. “Password changes should not be required often, and password files should be hashed and salted.” (“Hashing” turns a password into a longer, more complicated string of characters. “Salting” adds extra characters to the user’s password before hashing.)

He says password rotation can actually weaken security. If a company forces password expirations and doesn’t allow users to reuse passwords, it means those passwords are stored in a database in plain text on a company server so new passwords can be compared quickly. In a breach, all those passwords would be grabbed, Beers explains.

So what recommendations should channel pros make to their clients around password protection? According to Beers, “The best option is for the company to compare a new user password with lists of those used by hackers in previous breaches. There are plenty of places to get lists of usernames and passwords.” Crackers use those lists too. “Credential stuffing is constantly using old stolen passwords.”

NIST suggests the use of long and memorable rather than short and complex passwords. All special characters should be allowed, and passwords should be at least eight characters.
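As an added illustration (not part of the original article and not any vendor's code), the Python example below applies the recommendations above to a new password: an eight-character minimum, no restriction on special characters, a lookup against a list of previously breached passwords, and salted, hashed storage. The small breach list, the NFKC normalization step, and the PBKDF2 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

MIN_LENGTH = 8                 # minimum length cited in the article
PBKDF2_ITERATIONS = 600_000    # assumption: work factor chosen for this example

# Constructed sample data; a real deployment would load a large breach corpus.
BREACHED_PASSWORDS = {"password", "123456789", "qwerty123", "letmein2020"}


def normalize(password: str) -> str:
    # Assumption: NFKC normalization so equivalent Unicode input hashes identically.
    return unicodedata.normalize("NFKC", password)


def screen_password(password: str, breached=BREACHED_PASSWORDS) -> list:
    """Return the reasons a new password is rejected (empty list = accepted)."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if pw in breached:
        problems.append("breached")
    # No composition rules: spaces, symbols and non-ASCII characters are all allowed.
    return problems


def hash_password(password: str):
    """Return (salt, digest); a fresh random salt is generated per password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(password).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("abc", "qwerty123", "correct horse battery staple!"):
        print(repr(pw), screen_password(pw) or "accepted")
```

Because each stored hash uses its own random salt, two users who pick the same password end up with different database entries.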

Multifactor authentication can also improve security. “If multifactor authentication is active, we don’t suggest changing the passwords,” says Michele Miller, president of Ener Systems, an IT services provider in Covington, La. If MFA isn’t in effect, the company recommends 90-day password changes along with the use of a password manager like SolarWinds Passportal, “so passwords are easy to manage,” says Miller.

Since expiring passwords aggravate users, the current thinking on that will be music to their ears, and may make them more inclined to embrace password managers and multifactor authentication.
