Don't change passwords regularly, there are only two reasons

May 19, 2020

The password is still the main authentication mechanism for most services. By the password, the service recognizes that you are the right user and you can get access. There are many myths and errors that have long been around passwords for many years.

Changing your password regularly leads to shortcuts

"Your password will expire in 6 days, change it." A message that has haunted users for many years. The user is forced to change passwords in regular cycles and the reason is, that it increases security.

The user pushed to constantly change the password unnecessarily necessarily slips to the shortcuts. He will look for the easiest way to meet the set rules without complicating his life too much. The traditional procedure is to add a number at the end of the password: password1, password2, password3. If the system resists such a trivial change, we will try something better: password-January, password-February and so on.

It's logical: the user has to memorize a lot of information, and if one of them has to keep changing, it causes a lot of memory problems. Our brain is not built to remember a complex combination of characters every two weeks. Thus, the only relief may be to create a memorable combination.

Therefore, changing the password regularly leads to the exact opposite behavior than intended. The user chooses a trivial password, which he then changes very easily. If we further complicate his life with rules, he will try to fulfill them with the least effort. In the worst case, office workers stick a piece of paper next to the monitor and write passwords on it. You really didn't want this.

The US government standardization organization NIST already warns in the latest recommendations against changing the password and warns about these problems. Its recommendations are followed by the authorities in the United States, but are also adopted by many private organizations.

Strong and permanent password

A much better way is to set simple minimum rules and allow users to create a strong long-term password. They should not be limited by the number or type of characters. Does the user want to compose a password from emoji? Why should we stop him?

If the user knows that he can use the password for a long time, he will not be demotivated during its creation and will be able to create a stronger password. He will know that one strong combination will be enough for a long time.

For critical services, it is recommended to add a second factor to the login, for example to confirm the login on a mobile phone or by inserting a smart card into the reader. This will make life easier for users and ourselves, because we will not have to put so much pressure on the strength of the password.

There are only two legitimate reasons to change your password: strengthening your password and suspecting password leak.

Password recovery

The user should definitely be able to change the password at any time and should do so if he chooses a stronger password. For example, he may start using a password manager and may want to generate new passwords at random. This is definitely an effort for a stronger password and a reason to change.

Similarly, over time, a user may find that their original password really wasn't chosen very well and securely, so it would be a good idea to come up with something more powerful. In such a case, changing the password is definitely a positive thing, and if the user is not forced into it, there is a good chance again that he will come up with something meaningful.

Suspecting leak

The second legitimate reason to change the password is the suspicion of leakage. If the user finds that someone was looking over his shoulder while entering the password or the administrator finds a breach into the system, then there is reason to change the password. However, it must be sufficiently explained to users, point out possible risks and then it is possible to proceed with the change.

Of course, this should not be too often again, because that brings us back to bad habits. Password compromise does not come very often and can be recognized quite well. It is possible to add the entire domain on the Have I Been Pwned website and the administrator will then receive notification if any sensitive data appears in a published password leak.

Don't force users to change passwords

So the recommendation is: don't force the user to change the password unnecessarily. It will not bring any real security, you will just mindlessly follow the outdated rules. Changing your password should be an exceptional event associated with a specific problem or an effort to prevent it.