August 18, 2016
Frequent Password Changes May Compromise Security
By now, it’s a familiar story. Conventional wisdom holds that you want to use a different password on every site or service you log into and that you want to change your passwords regularly, in order to maximize security. What if conventional wisdom isn’t true though? There’s a growing body of evidence that it isn’t.
Sometimes there can be too much of a good thing. True, you definitely want to break the habit of using the same password across multiple accounts, but where changing your password is concerned, changing it too often can actually work against you.
A growing number of surveys indicate that there’s a direct correlation between password strength and the frequency with which the password must be changed. There’s a lot to this, but in summary, it looks like this:
If you’re requiring your employees to change their passwords on multiple systems every 30 or 60 days, those employees aren’t going to invest a lot of time and effort into coming up with truly secure passwords. The reason? It’s annoying, and they feel as though every time they turn around, they’re having to come up with one (or more) new passwords.
The frequency leads to frustration, and the frustration leads to lax passwords that are easily guessed at or brute forced. Anything over the 60-day mark seems to have positive benefits to overall digital security, and anything under has a negative impact.
With this information in mind, now is an excellent time to review all the password protected systems you have in place at your company, and come to an understanding of how frequently the users of those systems are having to change their passwords. Simply making an adjustment to the reset frequency could see you with a net gain in overall security, with no additional investment required. That’s win-win.