How old are your passwords? Almost half of the 2,000 U.S. and U.K. respondents in a TeleSign survey admitted they have not changed their passwords in five years. Even worse, more than 20 percent of them were using passwords that were more than 10 years old.
You likely will not get much argument that these passwords are too old. But how often should you and your employees change them? Surprisingly, this is not an easy question to answer.
For many years, security experts recommended changing passwords frequently, usually every 30 to 120 days. However, a Microsoft study questioned that conventional wisdom — wisdom that even Microsoft product documentation touted for years.
The Microsoft study found that frequent mandatory password changes cost billions of dollars in lost productivity with little security payoff in return. Frequent password changes are not as effective nowadays because hackers have machines that can crack weak passwords in seconds. Once they have a password, it is doubtful that they will wait even a week before exploiting it. Thus, changing passwords every 30 to 120 days does little to increase security.
Requiring strong passwords, in addition to mandating frequent password changes, can even weaken security, as some chief information officers point out. Employees are becoming frustrated with having to constantly create and remember strong passwords. A Janrain study revealed that 38 percent of the 2,208 adults surveyed would rather scrub toilets and tackle other household chores than try to come up with yet another password. As a result, they might resort to using variations of old passwords, re-using the same password for multiple accounts, or writing down passwords.
While it is not a good idea to require frequent password changes, you should not go to the other extreme and never require them. You need to find a happy medium. The Information Technology Laboratory at the National Institute of Standards and Technology recommends that you set different password expiration policies for the different types of systems and software in your business. That way, you can have employees change their passwords more often for high-security systems and software and less often for low-security systems and software.
You also need to make sure that employees understand how risky it is to re-use the same password for multiple accounts. Hackers know that re-using passwords is a common practice, so when they crack the password for one account, they will try using it to access other accounts. Similarly, they will try opening other accounts with variations of that password.
Creating and remembering a unique strong password for each account can be challenging for employees, even when they do not need to change their passwords very often. Using a password management tool can make this task much easier for employees. They can have the password manager automatically create strong passwords. The password manager will also store those passwords so that employees do not have to remember them. Besides having happy employees, you can take comfort in knowing that your company’s accounts are protected with unique strong passwords. It is a win-win situation for everyone, except hackers.
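The three recommendations above (tiered expiration per system sensitivity, no password re-use or near-variants across accounts, and manager-generated strong passwords) can be checked with a small audit script. The following is an added example written for this article, not code from the article's author or from any product it mentions. The tier limits in MAX_AGE_DAYS, the account inventory, and the "stem" heuristic for catching variations such as a year suffix are all assumptions constructed for illustration; a real audit would read its inventory from the password manager rather than from plaintext in a file.

```python
import hmac
import re
import secrets
import string
from collections import defaultdict
from datetime import date

# Assumed tiered policy: maximum password age in days per system tier.
# The article recommends tiering but gives no numbers; these are illustrative.
MAX_AGE_DAYS = {"high": 90, "medium": 180, "low": 365}

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Per-run secret so fingerprints cannot be precomputed or compared across runs;
# they only need to be stable within one audit.
_RUN_KEY = secrets.token_bytes(32)

# Constructed sample inventory (hypothetical accounts, not real data).
SAMPLE_ACCOUNTS = {
    "vpn":     {"tier": "high",   "last_changed": date(2023, 11, 1), "password": "Summer2023!"},
    "email":   {"tier": "medium", "last_changed": date(2024, 1, 15), "password": "Summer2023!"},
    "wiki":    {"tier": "low",    "last_changed": date(2019, 6, 1),  "password": "Summer2019!"},
    "payroll": {"tier": "high",   "last_changed": date(2024, 3, 1),  "password": "k7#Qz!pL2m@Vw9$"},
}
TODAY = date(2024, 4, 1)  # fixed "today" so the audit is reproducible


def password_age_days(last_changed: date, today: date) -> int:
    return (today - last_changed).days


def is_expired(tier: str, last_changed: date, today: date) -> bool:
    # A password is expired when it is older than its tier's maximum age.
    return password_age_days(last_changed, today) > MAX_AGE_DAYS[tier]


def fingerprint(text: str) -> str:
    # Keyed hash so the audit never compares or logs plaintext; equal inputs
    # give equal fingerprints within this run.
    return hmac.new(_RUN_KEY, text.encode("utf-8"), "sha256").hexdigest()


def stem(password: str) -> str:
    # Crude normalisation (assumed heuristic) that maps "Summer2019!" and
    # "Summer2023!" to the same stem by dropping trailing digits/symbols.
    s = re.sub(r"[0-9\W_]+$", "", password.lower())
    return s or password.lower()


def _accounts_sharing(accounts: dict, key_fn) -> list:
    # Names of accounts whose key_fn(password) collides with another account's.
    groups = defaultdict(list)
    for name, info in accounts.items():
        groups[fingerprint(key_fn(info["password"]))].append(name)
    return sorted(n for names in groups.values() if len(names) > 1 for n in names)


def audit(accounts: dict, today: date) -> dict:
    return {
        "expired": sorted(n for n, a in accounts.items()
                          if is_expired(a["tier"], a["last_changed"], today)),
        "reused": _accounts_sharing(accounts, lambda p: p),   # exact re-use
        "variants": _accounts_sharing(accounts, stem),        # near-variants
    }


def generate_password(length: int = 20) -> str:
    # CSPRNG-based generation, the way a password manager does it; retries
    # until every character class is present so no all-letter output escapes.
    if length < 4:
        raise ValueError("length must allow all four character classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS, TODAY)
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or 'none'}")
    for name in sorted(set(report["expired"]) | set(report["reused"])):
        print(f"replacement for {name}: {generate_password()}")
```

With the sample inventory, "vpn" and "wiki" exceed their tier's age limit, "vpn" and "email" share one password exactly, and all three share the same stem, which is the kind of year-suffix variation the article warns that attackers try first. The keyed fingerprint means the report can be logged without exposing the passwords themselves.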