Saying goodbye to password expiration

There are two reasons: (1) it is because it's the only way to invalidate old passwords should they be floating around on the internet and (2) most security audits require some kind of password change policy (probably because of reason #1). So, you cannot get around it, even if you wanted it.

However, does it really improve the security or is it just a feeling? The first time I came in contact with enforced password changes, I wasn't convinced of its usefulness. I was convinced it did more harm than good. I discussed my view on this with my colleagues many times. Unfortunately, at that time I couldn't find any researches or statements from prominent professionals or institution to back up my opinion.

Changing passwords regularly only makes you feel more secure

But that changed quickly as more and more institutions turned against the use of password expiration policies, such as NIST and Microsoft. I shared every article, blog and paper I could find on this matter. A research on user behavior under password expiration policies from the Carnegie Mellon University and the University of California came to the conclusion that password expiration may have limited security benefits and could even cause harm. But, how could password expiration cause harm? When forced to password expiration, users might pick easy-to-guess passwords or reuse passwords from other accounts. It simply encourages bad passwords.

Last year, the SANS Institute, a cooperative research and education organization that specializes in cybersecurity, wrote a great article on why it is time for password expiration to die. Password expiration is no longer relevant as it is based on an outdated threat model. Back in the days, it was estimated that cracking an average password hash would take approximately 90 days. In other words, if an attacker could crack the average password in 90 days, then the users should change their password every 90 days to avoid breaches.

Passwords should only be changed if there is a reason to believe that it's compromised

Nowadays, the average password is cracked in seconds. The '90 days' requirement won't help you. The hackers will be long gone before the users, whose account is compromised, get around changing their password. Changing passwords regularly only makes you feel more secure. In contrast, detecting breaches and the use of compromised passwords is far more effective that just rotating passwords every 90 days.

Passwords should only be changed if there is a reason to believe that it's compromised. And the only way to do this is through adequate logging and monitoring. There goes reason #1. Don't change perfectly fine passwords because you have no view on what's happening inside and outside your organization.

Times are changing and eventually password expiration will be something from the past. It is not going fast enough though. The primary reason being that institutions and security standards (such as CIS and PCI-DSS) still promote the use of password expiration, because it is always been done this way. Therefore, many organization still use password expiration policies for compliance reasons.

Best practices on building effective password policies

It's time to change this. It is time to re-evaluate your password policy. Password policies should require a risk-based approach as there are more effective measure to protect access to data instead of password expiration. Here are a few best practices on building strong and effective password policies:

1. Use easy-to-remember long passphrase, such as 'working-hard-in-the-cloud-to-help-clients'. The CIS benchmark for Amazon Web Services dictates a minimum length of 14 characters (with password complexity rules). If you're not a fan of password complexity rules, I suggest having a minimum length of 20 characters (passphrases).
2. Use MFA whenever possible, especially in cloud environments MFA is essential.
3. Promote the use of a password managers and integrate it with your systems as much as possible.
4. Restrict commonly used passwords such as 'Welcome2019!' or 'p@ssw0rd'.
5. Restrict the use of passwords that have been leaked in previous breaches, for example through the 'Have I Been Pwned' API.
6. Only change passwords when there is a reason to believe that is has been compromised. Therefore, have effective logging and monitoring in place to detect anomalies within your network and applications.
7. Monitor illegal marketplaces or the dark web for new password breaches.