Why You Might Still Need to Change Passwords Regularly
There's been a lot of discussion recently regarding changes to some widely adopted password policy guidance from the US National Institute of Standards and Technology (NIST), published as SP 800-63B. One of the more interesting developments for many of us is the removal of the requirement to change passwords every couple of months. The original guidance was based on limiting how long an attacker could use your account after compromising your password, but the way most people actually complied (e.g. by incrementing a number, turning 'Example03' into 'Example04') made the new password trivially guessable from the old one, so the advice annoyed us far more than it protected us. In the latest revision of their guidance, the following is now expected to be implemented by anyone controlling an account:
Basically, as long as you're confident no one else knows your password there is no real need to change it; if there is evidence it has been compromised, you change it straight away. Awesome, right?
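To make the 'Example03' to 'Example04' point concrete, here is a small added example (written for this page, not code from NIST or from any standards body) that shows both sides of the problem: the guesses an attacker would try once they hold an expired password, and the check a verifier could apply to reject a "new" password that is just the old one incremented. The function names, the step count and the sample passwords are all assumptions made for the illustration.

```python
import re
from typing import List

# Matches a password that ends in a run of digits, e.g. 'Example03' -> ('Example', '03').
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def rotated_candidates(old_password: str, steps: int = 3) -> List[str]:
    """Attacker view: the next few passwords a user is likely to pick
    when forced to rotate, derived from the one the attacker already has.

    Zero-padding is preserved so 'Example03' yields 'Example04', not 'Example4'.
    Passwords without a numeric suffix get one appended, which is the other
    common rotation habit."""
    m = _TRAILING_DIGITS.match(old_password)
    if not m:
        return [f"{old_password}{n}" for n in range(1, steps + 1)]
    stem, digits = m.group(1), m.group(2)
    width, base = len(digits), int(digits)
    return [f"{stem}{base + k:0{width}d}" for k in range(1, steps + 1)]


def is_trivial_rotation(old_password: str, new_password: str, steps: int = 10) -> bool:
    """Verifier view: True if the proposed new password is just the old one
    with its trailing number bumped (or a number appended) within `steps`.
    A policy that forces expiry without a check like this gains little."""
    return new_password in rotated_candidates(old_password, steps)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    print(rotated_candidates("Example03"))           # ['Example04', 'Example05', 'Example06']
    print(is_trivial_rotation("Example03", "Example04"))          # True
    print(is_trivial_rotation("Example03", "correct horse staple"))  # False
```

The attacker-side function is the reason the old 90-day rule bought so little: a leaked or cracked password stays useful across several rotations. The verifier-side check is one of the compensating controls you can keep in place while a standard still forces expiry on you.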
Before you go running off asking your IT team to stop making you change your password every 90 days, there may be a big barrier standing in their way: industry standards bodies.
Sadly, while this change in guidance is something we'd all love to see implemented today, bodies such as the PCI Security Standards Council (PCI DSS) and the Australian Signals Directorate still need some time to review the NIST recommendations and update their own standards, which at the time of writing still mandate periodic password changes. Here are some examples that might prevent you from adopting these changes in your business:
If you remove the forced-expiry settings from business systems that are in scope for one of these standards, you may find yourself in a tough spot at your next audit. If that's your situation, for the time being your best bet is to leave those settings in place and hope they get relaxed in a future revision. In the meantime, nothing stops you from adding the other NIST recommendations alongside the rotation rule, such as screening new passwords against known-breached lists and rejecting trivial variants of the old one, so that the forced change at least produces a genuinely new secret.
Here's a longer list of other standards that you might need to check before you make this change:
If your business isn't subject to these standards, now would be a great time to review these guidelines and consider some updates to your policies.