In enterprises around the globe, it’s becoming increasingly clear that mandatory password changes are no longer considered best practice for securing key systems and data.
Of course, we’ve long known that passwords are a weak link in the security chain. Eighty percent of hacking-related breaches in 2017 leveraged stolen passwords and/or weak or guessable passwords, according to the latest Verizon Data Breach Investigations Report.
Knowing that passwords are a significant vulnerability, most enterprises have adopted strong password requirements in an attempt to improve their organization's security position—for example, requiring a minimum of 8 characters that are a mix of letters, numbers, special characters, and mixed upper and lower case. Security expert Bruce Schneier offers this advice for choosing a secure password.
Another common policy requirement is forcing mandatory password changes. After all, requiring password changes every 60 or 90 days is a sure-fire way to keep the bad guys guessing, right?
In reality, research clearly shows that mandatory password changes actually make an organization less secure and are most likely responsible for driving up help desk costs.
The Problem with Mandatory Password Changes
Recent studies by researchers at the University of North Carolina at Chapel Hill and Carleton University have shown that mandatory password changes are often ineffective. That’s because users forced to frequently change their passwords tend to choose weaker passwords that are easier to remember, while avoiding long, hard-to-guess passwords. Most users simply “transform” their passwords in very predictable ways—for example, Cowboysfan#1 becomes cOwboy$sfan#21, then coWboysf@an#E1, and so on. This makes these passwords easy targets for social engineering efforts.
As we use more online services, we are challenged to remember more passwords than ever—an average of 27 passwords per person. Frequent mandatory changes just add to the difficulty, pushing users to juggle even more passwords and driving many to take shortcuts just to check it off the list. The result? Frequent mandatory password changes often actually make passwords easier to break.
This startling fact is highlighted by the UNC study, which examined the security level of more than 7,700 former student, faculty, and staff member accounts that were subject to mandatory password changes every three months. The study found that 41 percent of the passwords could be broken offline in a matter of seconds by referencing previous passwords for the same accounts. Seventeen percent of the accounts could be broken with just five online password guesses.
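A defender-side counterpart to the transform problem described above is a password-change check that rejects a new password when it is only a trivial variation of one in the user's history. The code below is an added example written for this article, not part of the original post or any vendor product; the leet-substitution table, the edit-distance threshold of 2 and the sample history are assumptions chosen to illustrate the Cowboysfan#1 sequence.

```python
import re

# Common symbol/digit-for-letter swaps seen in "transformed" passwords.
# Assumption: this small table is illustrative, not an exhaustive leet-speak map.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "3": "e"})


def normalize(pw: str) -> str:
    """Collapse a password to its letter 'core': lowercase, undo common
    leet swaps, then drop any remaining digits and punctuation, so that
    Cowboysfan#1 -> cowboysfan and cOwboy$sfan#21 -> cowboyssfan."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_transform(new_pw: str, history: list[str], max_distance: int = 2) -> bool:
    """Return True if new_pw is a near-copy of any password in the user's history.

    Two passwords are 'near' when their letter cores are within max_distance
    edits of each other, or when one core contains the other (e.g. the old
    password with a new year appended). Passwords with no letters (PINs)
    fall back to a raw, case-insensitive comparison.
    """
    new_core = normalize(new_pw)
    for old_pw in history:
        old_core = normalize(old_pw)
        if not new_core or not old_core:
            if levenshtein(new_pw.lower(), old_pw.lower()) <= max_distance:
                return True
            continue
        shorter, longer = sorted((new_core, old_core), key=len)
        if len(shorter) >= 4 and shorter in longer:
            return True
        if levenshtein(new_core, old_core) <= max_distance:
            return True
    return False


if __name__ == "__main__":
    # Constructed history using the article's own example sequence.
    history = ["Cowboysfan#1", "cOwboy$sfan#21"]
    for candidate in ["coWboysf@an#E1", "Cowboysfan2019", "trombone-lighthouse-42"]:
        verdict = "REJECT" if is_predictable_transform(candidate, history) else "accept"
        print(f"{candidate:24} -> {verdict}")
```

Note that the third variant in the article's sequence is only caught because the check runs against the whole history, not just the immediately preceding password.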
To add to the problem, mandatory password changes also lead to more password-related calls to the help desk, which drives up support costs and wastes limited IT resources. Meanwhile, the amount of computing power available for password cracking continues to increase, so frequent password changes only slightly hamper attacks. This insignificant impact is arguably not worth the inconvenience and annoyance experienced by users who are prompted to change their passwords every few months.
Of course, the fact that there are inherent problems with mandatory password changes doesn't mean that passwords should never be updated. Passwords should be reset when they are forgotten, if accounts have been phished, or if your corporate password database has been breached or stolen.
Enhancing Security with MFA
Because of the growing vulnerability of passwords, it’s important for your organization to develop a strategy that reduces or even eliminates its dependency on them.
At the very least, ensure your organization is following best practices for creating strong passwords. But to truly strengthen security, consider two much more secure options: supplementing passwords with additional layers of security or replacing passwords altogether. Both options are achievable—and cost-effective—using multi-factor authentication (MFA) technologies.
Modern MFA solutions safeguard your enterprise from unauthorized access resulting from stolen credentials. MFA can also save your IT team time and resources by doing away with countless password reset requests.
Today, there are a variety of MFA options available that allow organizations the flexibility to achieve a high level of security, while also meeting compliance requirements and improving user experience.
Newer MFA platforms allow you to tailor authentication methods based on risk level, leverage existing security investments—such as ID cards—and comply with regulations that require strong authentication, such as SOX and PCI-DSS.
The following MFA technologies can be used to enhance security and, in many cases, even replace passwords altogether:
- Adaptive authentication
- Bluetooth proximity
- Contact and contactless smart cards
- FIDO U2F security keys
- Fingerprint biometrics
- One-time password (hard token, soft token, SMS, email, backup codes)
- Push authentication
- RFID cards
Protecting Your Enterprise
Moving away from passwords toward a more secure strategy requires an MFA solution that provides you with flexibility and choice. A one-size-fits-all approach to MFA rarely, if ever, works. Your ideal enterprise password management solution depends on your organization’s unique needs, resources, and goals. Look for a solution—or combination of solutions—that works for all user entry points and all types of users who require access to your systems and data.
For many organizations, an MFA solution will provide the level of security required, without inconveniencing users—and your IT help desk—with constant password changes. If your enterprise still uses mandatory password changes, now is the time to move away from this practice. Remember: The majority of breaches occur using stolen credentials. Requiring a second factor exponentially improves the security of the original credential and, in turn, helps to improve the overall security of your entire organization.