The problems with forcing regular password expiry

The practice of mandating regular password expiration is frequently adopted in various security policies. Nevertheless, in the Password Guidance released in 2015, we advised against this practice. This article outlines the reasoning behind our unexpected recommendation and presents our perspective on the best approach moving forward.

To mitigate the risks associated with an attacker possessing a user’s password, it seems logical to render the compromised password unusable by requiring the legitimate user to change it. This advice appears to be straightforward.

However, this perspective overlooks the associated inconvenience for users—the ‘usability costs’—that arise when users are compelled to change their passwords frequently. Many password policies demand that we create passwords that are difficult to memorize. These passwords often have to be as lengthy and as ‘random’ as possible. While manageable for a few passwords, this becomes increasingly challenging as we juggle the numerous passwords required for our various online accounts.

Compounding the issue, most password policies require ongoing changes. When users are forced to change their passwords, they often end up choosing new passwords that are similar to the previous ones.

This creates an opportunity for attackers to exploit such similarities.
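The similarity the article refers to (a changed digit, a bumped year, a different suffix on an otherwise unchanged word) is exactly what a password-change handler can check for. The code below is an added example, not part of the original article or any NCSC tool: it compares the password being set against the one being replaced and rejects trivial variants. The function names, the edit-distance threshold and the suffix pattern are all assumptions chosen for illustration; such a check can only run at change time, when the user has just presented the old password, because stored hashes cannot be compared for similarity.

```python
"""Added example (not from the NCSC article): flag a new password that is only a
trivial variant of the old one. Runs at change time, when the old password is
available in clear; hashed history cannot be compared this way."""
import re


def _levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _core(pw: str) -> str:
    """Strip the parts users typically vary on rotation: case and a trailing
    run of digits/punctuation ("Summer2016!" -> "summer")."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", pw).lower()


def too_similar(old: str, new: str, max_edits: int = 3) -> bool:
    """True when `new` is a small edit of `old`, shares its core with a changed
    suffix, or simply embeds the old core. `max_edits` is an assumed policy knob."""
    if new == old:
        return True
    core_old, core_new = _core(old), _core(new)
    if core_old and core_old == core_new:
        return True
    if _levenshtein(old, new) <= max_edits:
        return True
    # Guard on length so a short or empty core does not match everything.
    if len(core_old) >= 4 and core_old in new.lower():
        return True
    return False


if __name__ == "__main__":
    for old, new in [("Summer2015!", "Summer2016!"),
                     ("Password1", "Password1Password1"),
                     ("Summer2015!", "correct horse battery staple")]:
        verdict = "reject" if too_similar(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The check is deliberately conservative: it rejects the rotation patterns the article describes without trying to enumerate every possible mutation, and it does not weaken the article's point, since a user who is not forced to rotate never has to pass it.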

Additionally, users might reuse new passwords from other accounts, providing attackers with further vulnerabilities. There’s also a higher likelihood that new passwords will be noted down, representing another risk. Often, new passwords are easier to forget, leading to issues with productivity as users get locked out of their accounts, necessitating password resets by service desks.

This situation illustrates a counter-intuitive aspect of security: the more frequently users are mandated to change their passwords, the greater their overall exposure to attacks. What seemed to be a sound, traditional piece of advice does not hold up under comprehensive systemic analysis.

The NCSC now advises organizations not to enforce regular password expiry. We believe that this reduces the vulnerabilities associated with frequently expiring passwords, with minimal effect on the risk of long-term password exploitation. If attackers have access to the old password, they can often guess the new one. Moreover, when users are pressured to create new passwords, they might opt for ‘weaker’ variations that are easier to remember.

At the NCSC, we encourage administrators to consider alternative, more effective defensive measures to detect and prevent unauthorized account access. For instance, we recommend utilizing monitoring tools that inform users of their last login attempts, so they can identify if they were responsible for any failed attempts. If not, this could signal an attempted breach, and users should be equipped to report this easily for further investigation. Such initiatives are likely to enhance system security while remaining user-friendly.
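The monitoring described above needs little more than the authentication log the system already keeps. The following is an added example, not code from the article or from the NCSC: at the moment a user signs in successfully, it looks back over that user's earlier events, reports the previous successful login, and counts the failed attempts (and their source addresses) that occurred in between, which is what the user needs in order to say "that wasn't me". The event structure, the sample events and the function names are all constructed for illustration.

```python
"""Added example (not from the NCSC article): build a 'last login' notice from
authentication events so a user can spot attempts that were not theirs."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional


@dataclass
class LoginEvent:
    when: datetime
    user: str
    source_ip: str
    success: bool


# Constructed sample events, not real data: two failed attempts against
# "alice" from an unfamiliar address between her two successful logins.
SAMPLE_EVENTS = [
    LoginEvent(datetime(2016, 8, 1, 9, 2), "alice", "10.0.0.5", True),
    LoginEvent(datetime(2016, 8, 1, 23, 14), "alice", "203.0.113.7", False),
    LoginEvent(datetime(2016, 8, 1, 23, 15), "alice", "203.0.113.7", False),
    LoginEvent(datetime(2016, 8, 2, 8, 55), "alice", "10.0.0.5", True),
    LoginEvent(datetime(2016, 8, 2, 9, 0), "bob", "10.0.0.9", True),
]


def last_login_summary(events: Iterable[LoginEvent], user: str,
                       current_login: datetime) -> dict:
    """Summarise the user's history strictly before `current_login`: the last
    successful login and every failure recorded since it."""
    mine = sorted((e for e in events if e.user == user and e.when < current_login),
                  key=lambda e: e.when)
    prior_ok = [e for e in mine if e.success]
    last_ok: Optional[LoginEvent] = prior_ok[-1] if prior_ok else None
    since = last_ok.when if last_ok else datetime.min
    failures = [e for e in mine if not e.success and e.when > since]
    return {
        "last_success": last_ok.when.isoformat() if last_ok else None,
        "last_success_ip": last_ok.source_ip if last_ok else None,
        "failed_since": len(failures),
        "failed_sources": sorted({e.source_ip for e in failures}),
    }


def format_notice(summary: dict) -> str:
    """Render the summary as the short message shown to the user after login."""
    if summary["last_success"] is None:
        head = "This is your first recorded login."
    else:
        head = (f"Last successful login: {summary['last_success']} "
                f"from {summary['last_success_ip']}.")
    if summary["failed_since"]:
        tail = (f" {summary['failed_since']} failed attempt(s) since then "
                f"from {', '.join(summary['failed_sources'])}. "
                "If this wasn't you, report it.")
    else:
        tail = " No failed attempts since then."
    return head + tail


def summarize_sample() -> dict:
    """Summary for alice at her second successful login in the sample data."""
    return last_login_summary(SAMPLE_EVENTS, "alice", SAMPLE_EVENTS[3].when)


if __name__ == "__main__":
    print(format_notice(summarize_sample()))
```

Showing the source address alongside the count matters: a user will usually recognise their own workstation or home connection, so an unfamiliar address is the cue that turns a routine notice into a report to the service desk.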

For additional details, please consult our Password Guidance: Simplifying Your Approach.

Emma W
People-Centred Security Lead, Sociotechnical Security Group, NCSC

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry