Password Reset Best Practices
Your password is set to expire in 2 days. Please reset your password now.
Many react to this automated message with a grumble or groan. “Again?” “Already?”
From work-related accounts to online banking or shopping to gym memberships, passwords have long been our golden ticket to accessing the online world and keeping our accounts safe. With so many accounts and passwords, it is no surprise that account users often dread when their passwords expire, forcing them to add to their ever-expanding alphabet soup of passwords.
In recent years, industry authorities and experts have begun to call into question the effectiveness and utility of scheduled password expirations. Their research centers on individuals’ poor password management practices and the burden password resets place on end users, which often leads them to select predictable, minimally transformed, and repeated passwords that are easier for attackers to compromise.
This research has been echoed by the National Institute of Standards and Technology (NIST) and Microsoft, both of whom have suggested doing away with password expiration policies entirely because they are counterproductive. Unless a password has been compromised, they suggest keeping existing passwords rather than changing them at regular intervals.
Examples of poor common password reset practices include:
- Adding a letter or number to the end of an existing password (e.g., ACAaponix1, ACAaponix2, ACAaponix3, etc.)
- Reusing passwords
- Using easily predictable passwords (e.g., password1, summer2021)
- Writing passwords down
The Problem(s) With Doing Away with Password Resets
Despite the appeal of NIST's and Microsoft's guidance, there are a few reasons to be cautious about doing away with password resets entirely.
- For starters, password expirations provide necessary protection when other cybersecurity controls are weak or not in place. Many organizations already have pre-existing vulnerabilities or gaps within their cyber defense systems, so by doing away with scheduled password resets, you are only further weakening your firm’s cybersecurity apparatus.
- Second, password expirations limit ongoing damage by halting unauthorized access that had previously gone undetected, or by cutting off access through credentials that were compromised but are not yet being actively used. A best practice is to assume that every password will be compromised (stolen, hacked, or bypassed) at some point, and a password expiration policy provides added protection against such an occurrence.
Update password policies to include a longer and more user-friendly expiration period, in combination with other controls.
Instead of doing away with password expiration policies entirely, we advise clients with complementary security controls in place to extend password expiration periods. ACA’s industry experts recommend updating your organization’s password policy to include multi-factor authentication (MFA) and a passphrase requirement consisting of randomly linked words of 15+ characters in length, while increasing the password expiration period to every six months. Reducing the number of required password resets each year addresses the key user-experience concerns about the reset process, while still giving your organization the ability to thwart or halt unauthorized access that may previously have gone undetected.
It is important to note that password expirations are only one piece of the puzzle when considering authentication and access control best practices for your organization. Password expirations work in concert with other controls such as minimum length, character, and complexity requirements; forbidding the reuse of passwords; and forcing lockouts after a specified number of failed login attempts. When considering extending the time before a password must be changed by your users, we recommend first reviewing whether the following password and access controls are implemented at your firm:
- Enable multi-factor authentication (MFA)
- Use a secure password management tool to store and generate strong and unique passwords
- Employ blocklist requirements to detect and block employee passwords from a wordlist of commonly used, weak, or organization-specific banned passwords
- Utilize least privileged access (only allow the minimum access needed for a user’s role) and conditional access (only allow access from trusted devices/networks)
- Develop a log management plan for anomaly detection
- Conduct risk assessments and subsequent control implementation
- Conduct regular employee cybersecurity awareness training
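The following is an added example, not ACA's tooling or part of the original article, showing how the password-change rules discussed above can be enforced at reset time: a 15+ character passphrase requirement, a blocklist of common, weak and organization-specific words, rejection of trivial transformations of the previous password (the ACAaponix1 / ACAaponix2 pattern, appended years, leet-style substitutions), and a six-month expiration window with a two-day warning. The blocklist, the 180-day period and the sample passwords are constructed for illustration; the normalization and edit-distance heuristics are this example's own choices, not a standard.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 15     # passphrase of 15+ characters (assumed policy value)
EXPIRY_DAYS = 180   # roughly the six-month period recommended above
WARN_DAYS = 2       # "expires in 2 days" notice window

# Constructed blocklist: common weak words plus an organisation-specific term.
BLOCKLIST = {"password", "summer", "winter", "welcome", "letmein", "qwerty", "acaaponix"}

# Common leet substitutions undone before comparing against the blocklist.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i", "4": "a"})


def normalize(pw: str) -> str:
    """Canonical form used for blocklist and history comparison: lower-case,
    drop a trailing run of digits/symbols (the 'ACAaponix1, ACAaponix2' and
    'summer2021' pattern), then undo common leet substitutions."""
    stripped = re.sub(r"[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means the new password is a trivial edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_transform(new: str, old: str) -> bool:
    """True when the new password is a predictable variant of the previous one."""
    if not old:
        return False
    n, o = normalize(new), normalize(old)
    if n == o or (o and o in n) or (n and n in o):
        return True
    return edit_distance(new.lower(), old.lower()) <= 2


def check_password(new: str, previous: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(new) in BLOCKLIST:
        problems.append("matches a blocklisted word (after normalisation)")
    if is_trivial_transform(new, previous):
        problems.append("too similar to the previous password")
    return problems


def expiry_status(last_set_iso: str, today_iso: str) -> tuple:
    """(days_remaining, state) for the six-month policy; state is 'ok', 'warn' or 'expired'."""
    last_set = date.fromisoformat(last_set_iso)
    today = date.fromisoformat(today_iso)
    remaining = (last_set + timedelta(days=EXPIRY_DAYS) - today).days
    if remaining <= 0:
        return remaining, "expired"
    if remaining <= WARN_DAYS:
        return remaining, "warn"
    return remaining, "ok"


if __name__ == "__main__":
    # Constructed sample resets: (proposed password, previous password).
    samples = [
        ("ACAaponix2", "ACAaponix1"),
        ("summer2021", ""),
        ("P@ssw0rd1", ""),
        ("glacier-tuba-marmalade-orbit", "ACAaponix1"),
    ]
    for new, old in samples:
        print(f"{new!r}: {check_password(new, old) or 'accepted'}")
    print(expiry_status("2021-01-01", "2021-06-28"))
```

Running the block rejects the first three samples (too short, blocklisted after normalization, and, for ACAaponix2, a trivial transform of the previous password) and accepts the random four-word passphrase; the expiry check reports two days remaining and the "warn" state that would trigger the notice quoted at the top of the article.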