Password myth #4: Periodically mandating password changes improves security
Truth: It just makes it more likely that users will select weak passwords. Requiring routine password changes was a staple of enterprise security policy until very recently. Some organizations even specify minimum password ages to prevent users from immediately switching back to the previous password, password histories to prevent re-use of passwords, and a minimum number of characters that must change so that a new password is "different enough" from the previous one. Mandatory password changes made sense when the big concern was that passwords might be leaked or exposed, and when an organization has proof that passwords were exposed, forcing a password reset is a good idea. But changing passwords just because an arbitrary number of days have passed? Not really.
The new NIST recommendations say to make password rules less complex, because elaborate rules make it harder for users to do their jobs and drive up the administrative and support costs of implementing and enforcing them. While changing passwords regularly sounds good, it makes it harder for end users to remember the latest password. They respond by reusing passwords or by creating patterns that are easy to guess. (Cycling through Password1, Password12, Password123, and so on is one such pattern.)
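The "different enough" check mentioned above, written here as an added example (it is not code from the article or from NIST): it flags a new password that is only a trivial variant of the previous one, which is exactly what the Password1, Password12, Password123 pattern produces. The edit-distance threshold and the substitution table are assumed policy values, not figures from the page.

```python
import re

# Assumed policy value: the new password must be at least this many
# single-character edits away from the previous one.
MIN_EDIT_DISTANCE = 4

# Assumed table of common digit/symbol-for-letter swaps (Passw0rd -> password).
LEET = str.maketrans("0@$3", "oase")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Strip what users typically vary between rotations: case, a trailing
    counter or symbol (Password12, Password!), and common letter swaps."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.lower().translate(LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is a predictable rewrite of the old one.
    Note: two all-digit passwords share the empty stem and are flagged too."""
    if stem(old) == stem(new):
        return True
    return levenshtein(old.lower(), new.lower()) < MIN_EDIT_DISTANCE


def rotation_chain_is_predictable(history):
    """For a sequence of successive passwords, report which transitions the
    check would have rejected. Sample inputs in the test are constructed."""
    return [is_trivial_variant(a, b) for a, b in zip(history, history[1:])]
```

Because the stem comparison ignores the trailing counter entirely, it catches the incrementing pattern even when the appended digits push the raw edit distance past the threshold.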