Why You Might Still Need to Change Passwords Regularly

There's been a lot of discussion recently regarding changes in some widely adopted password policy guidance from the US National Institute of Standards and Technology (NIST). One of the more interesting developments for many of us is the removal of the need to change passwords every couple of months. While the original guidance was based on reducing the time a hacker would have access to your account if they were able to compromise your password, the realities of how this guidance was followed by many (e.g. by incrementing a number such as 'Example03' to 'Example04') left this advice annoying us far more than it protected us. In the latest revision of their guidance, the following is now expected to be implemented by anyone controlling an account:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

— NIST Digital Identity Guidelines

Basically, as long as you're confident no one else knows your password there is no real need to change it. Awesome, right?

Before you go running off asking your IT guy to stop making you change your password every 90 days, there may be a big barrier standing in their way: Industry Standards Bodies

Sadly while this change in guidance is something we'd all love to see implemented today, bodies such as the Payment Card Industry and Australian Signals Directorate still need a bit of time to review the recommendations and update their standards. Here are some examples that might prevent you from adopting these changes in your business:

“Change user passwords/passphrases at least once every 90 days.”

— PCI DSS 3.2 Section 8.2.4

“Agencies must:
- ensure that passphrases are changed at least every 90 days
- prevent passphrases from being changed by the user more than once a day
- prevent passphrases from being reused within eight passphrase changes
- prevent the use of sequential passphrases where possible
- prevent passphrases being stored in cleartext.”

— ASD ISM Control 0423

If you were to remove settings that changed passwords regularly from your business systems and you are subject to compliance with these standards, you may find yourself in a tough spot. If this is your business for the time being your best bet might be to leave these settings in place and hope they get relaxed in future revision.

Here's a big list of other standards that you might need to consider before you make this change:

https://www.unifiedcompliance.com/products/search-controls/control/7688/

If your business isn't subject to these standards, now would be a great time to review these guidelines and consider some updates to your policies.

Looking for some help managing passwords in your business? Check out our cyber boot camp program for small business and start adopting these and more best practices in your business in less than 5 minutes at a time.

Help me Manage Passwords

Best PracticeAdam Selwood21 August 2017Passwords, Industry Standards, PCI, ASD, ISM