Is Periodic Password Change a Good Security Practice?
Cyber security experts have almost universally agreed that periodic password changes are likely to do more harm than good. This is largely the result of research that shows passwords are most prone to cracking when they’re easy for end users to remember, such as when they use a name or phrase from a favorite movie or book. Over the past decade, hackers have mined real-world password breaches to assemble dictionaries of millions of words. Even when users attempt to make their passwords more complex by adding symbols to the words, or by substituting 0’s for o’s or 1’s for l’s, hackers can use programming rules that modify the dictionary entries. As a result, those measures provide little protection against modern cracking techniques.
The same researchers have warned that mandating password changes every 30, 60, or 90 days—or any other period—can be harmful for a host of reasons. Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.
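The following Python check, added here and not part of the original article, shows why substitutions and incremented suffixes add so little: it undoes common substitutions, strips the trailing counter, and compares the result against a blocklist and the previous password. The blocklist, the substitution table and all function names are constructed for the example, and it assumes the old password is available in plaintext at change time, as on a change form that asks for it.

```python
import re

# Constructed sample blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"password", "dragon", "letmein", "starwars"}

# Common character substitutions, mapped back to the letter they stand for (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, then undo substitutions."""
    without_counter = re.sub(r"[\d\W_]+\Z", "", password.lower())
    return without_counter.translate(LEET)


def is_dictionary_based(password: str) -> bool:
    """True if the password reduces to a blocklisted word, with or without its suffix."""
    whole = password.lower().translate(LEET)
    return whole in BLOCKLIST or stem(password) in BLOCKLIST


def is_trivial_rotation(old: str, new: str) -> bool:
    """True if old and new share the same non-empty stem (only the counter changed)."""
    old_stem = stem(old)
    return bool(old_stem) and old_stem == stem(new)


def review_change(old: str, new: str) -> list[str]:
    """Return the reasons a proposed new password should be rejected (empty if none)."""
    reasons = []
    if is_dictionary_based(new):
        reasons.append("reduces to a blocklisted word")
    if is_trivial_rotation(old, new):
        reasons.append("same stem as the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the article's own example pair, then a random replacement.
    print(review_change("P@$$w0rd1", "P@$$w0rd2"))
    print(review_change("P@$$w0rd1", "k7#Tq9!xLm2$"))
```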
Despite the growing consensus among researchers, Microsoft and most other large organizations have been unwilling to speak out against periodic password changes. But, in a largely overlooked post published late last month, Microsoft said it was removing periodic password changes from the security baseline settings it recommends for customers and auditors. After decades of Microsoft recommending passwords be changed regularly, Microsoft employee Aaron Margosis said the requirement is an “ancient and obsolete mitigation of very low value.”
The main characteristics of a good password:
1- At least 11 characters long
2- Randomly generated
3- Made up of upper- and lower-case letters, symbols (such as a %, *, or >), and numbers.