Password expirations are bad practice and counter-intuitive to what the ultimate goal is. If you have a long, complex, unique password for a system that is not used anywhere else and is stored in a secure password manager that has not been compromised, changing that password is worse than meaningless, it’s actively harmful. No one in the IT or Security field should be advocating for password expirations at this stage of the game. Unfortunately everyone is forced into the practice to comply with PCI regulations that have not kept up with changes in security.
I’d say for a secure password in a manager, it’s not really harmful.
Someone who uses a manager and secure passwords will usually be aware of the “generate me a new unique, secure password” feature, so they will generate a new one and simply paste that into the page. They might be inclined to just add the bad practice “-01” although it honestly doesn’t make a unique, secure password worse unless the unencrypted password was somehow leaked. The delay in emergency situations mentioned in the post might still happen, although the harm there will depend on the exact situation and likely usually fall into the “annoying delay” category.

I absolutely agree that forced password changes need to die simply because a majority of users still tries to remember passwords and is therefore prone to bad practices, but for someone with a password manager and unique passwords it’s more unnecessary and annoying than actively harmful.
I used to have a friend’s password somewhere that used rotation and I’d just have to do a quick bit of maths to figure out the final number. Surely there are bots that are smart enough to automate this: mysuperstrongpass01 -> mysuperstrongpass02, mysuperstrongpass03 etc. [edit: the article alludes to this, but then most of our comments here and on the link are not very original either!]
Password reuse is probably the worst security flaw nowadays, and a strong but reused password is basically no better than classics like password1 after a depressingly small amount of time/services.
I would say that if you need elevated security, MFA is the way to go. Frequent forced password changes are counterproductive.
In a few instances, yes.
- You might find the task of changing a password frequently to be so tedious that you install and learn how to use a password manager properly, and you use it to generate long random passwords that are unique to every site. Changing your password then becomes a few mouse clicks. This will greatly improve your passwords’ quality, as well as your overall security.
- If a site improves their password hashing and storage systems, when you change your password the newer passwords will be hashed with the better algorithm. Yahoo has done this a couple of times over the decades. It’s certainly uncommon.
- When a password has been breached but the loss has not yet been discovered or reported, if you happen to change it after the password has been copied but before it is abused by the thieves, you might dodge the bullet. The odds of this particular timing actually happening in a data breach scenario are pretty slim.
- The more likely case is that a password is shared with (or learned by) a coworker who abuses it. Rotating passwords in sensitive positions after a personnel change is a prudent policy.
Note that these two scenarios are literally the only justification ever raised in favor of password rotation policies.
- If you are informed that your password was compromised, change it as soon as you can. If you get lucky you might prevent a loss.
Otherwise it has no effect on Confidentiality or Integrity, and a slightly negative impact on Availability as people often forget their new passwords, or waste productive work time dealing with password changes.
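As an added example (not from anyone in this thread), the following Python ties together two points raised above: the “-01” rotation pattern from the earlier comments, which a change-password handler can reject outright, and this reply’s point that a changed password gets stored under the site’s newer hash. It assumes a hypothetical per-user record of algorithm name, salt and digest; the “pbkdf2” legacy scheme, the “scrypt” current scheme and the opportunistic upgrade on login are constructed for illustration and go slightly beyond the text.

```python
import hashlib
import hmac
import os
import re

# Hypothetical record layout, constructed for this example: {"alg", "salt", "digest"}.
CURRENT_ALG = "scrypt"   # the site's improved scheme
LEGACY_ALG = "pbkdf2"    # what older records were hashed with

def _hash(alg, password, salt):
    if alg == LEGACY_ALG:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if alg == CURRENT_ALG:
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    raise ValueError(f"unknown algorithm {alg}")

def make_record(password, alg=CURRENT_ALG):
    salt = os.urandom(16)
    return {"alg": alg, "salt": salt, "digest": _hash(alg, password, salt)}

def verify(record, password):
    candidate = _hash(record["alg"], password, record["salt"])
    return hmac.compare_digest(record["digest"], candidate)

# Trailing separator + number, e.g. "01", "-01", "_2024": the rotation pattern.
_TRAILING_COUNTER = re.compile(r"[-_.\s]*\d+$")

def is_trivial_rotation(old, new):
    """True if new is old with only a trailing counter added or incremented
    (mysuperstrongpass01 -> mysuperstrongpass02, or pass -> pass-01)."""
    return old != new and (_TRAILING_COUNTER.sub("", old)
                           == _TRAILING_COUNTER.sub("", new))

def change_password(record, old, new):
    """Verify the current password, refuse a rotated variant, and return a
    fresh record hashed with CURRENT_ALG regardless of what the old one used."""
    if not verify(record, old):
        raise PermissionError("current password incorrect")
    if is_trivial_rotation(old, new):
        raise ValueError("new password is a trivial rotation of the old one")
    return make_record(new)

def login(record, password):
    """Return (ok, record). On success a legacy-hashed record is re-hashed
    with CURRENT_ALG, so the upgrade does not depend on a forced change."""
    if not verify(record, password):
        return False, record
    if record["alg"] != CURRENT_ALG:
        record = make_record(password)
    return True, record
```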