Over the past decade or so, people have accumulated a vast array of logins for dozens of sites and apps, as more of our work and home lives moves on to the internet. That’s why it has never made sense that so many IT departments have belligerently insisted on maintaining a major hurdle to password management. Namely, the need to change passwords regularly.
It’s a familiar scenario. You arrive at the office and need to log on to your company laptop quickly, before your morning meeting. But speed is not going to be of the essence today, because an annoying prompt has appeared: you need to change your password.
Thank goodness, then, for new US government guidance that does away with mandatory password resets. The US National Institute of Standards and Technology (NIST) had already said in 2017 (Special Publication 800-63B) that systems should not force users to change passwords on a schedule; the 2024 draft revision (SP 800-63B-4) hardens that from “should not” to “shall not”. The one exception stays: a password must be changed if there is evidence it has been compromised, for example by turning up in a breach.
It’s another nail in the coffin for the practice, which is no longer recommended by organisations including the US Federal Trade Commission, Microsoft and the UK’s National Cyber Security Centre (NCSC) – which, first as its predecessor CESG, has advised against regular password expiry since 2015.
Indeed, NIST is only just catching up with the general consensus as people’s digital footprints reach unmanageable levels, leading to a pile-up of passwords that are difficult enough to remember, let alone change.
The issue with changing passwords regularly is easy to imagine, especially at work. You want to get into a required website, you are in a rush, you’re not feeling at your most creative – and frankly, you don’t care what you need to do to log in. What was once “password1” becomes “password2” and once you’ve accessed the site successfully, you forget all about it.
Attackers know these patterns. Password-cracking tools apply exactly such transformations (bump the trailing digit, append a symbol, capitalise the first letter) to a known or leaked password before trying anything else, so if they were able to work out your old password, they’ll also be able to guess your new one.
“It’s one of those counterintuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack,” says Emma W, people-centred security lead at the UK’s NCSC. “Attackers can often work out the new password if they have the old one. And users, forced to change another password, will often choose a weaker one that they won’t forget.”
And studies reveal that in general people are still using usernames or passwords that are too simple, despite warnings from government and the industry. A recent report by the cybersecurity experts Redcentric suggests that one in five people use just one or two passwords to access all of their online log-ins.
If people are terrible at choosing passwords in the first place, changing them isn’t going to fix the problem. An annual study by the password manager company NordPass lists the most common, and therefore easiest to guess, passwords each year, and the same ones regularly come up. As well as the expected “password1” and “1234567”, people often revert to favourite football teams or celebrity names.
Tech giants know that passwords are a flawed system, so they’ve started to make changes to get rid of them altogether, including industry initiatives such as the FIDO Alliance. FIDO logins (now marketed as passkeys) replace a shared secret with a cryptographic key held on your device; a fingerprint, a face scan such as Apple’s Face ID or Touch ID, a PIN or a physical token such as the Yubico YubiKey unlocks that key, and nothing reusable is sent to the website. For most sites today, though, they sit alongside a password rather than replacing it.
So what about passwords themselves? Should we be choosing a complex array of numbers and letters and unique characters to make up our logins? Apparently not.
Experts, including NIST, now say it’s far better to use something long that you can remember than something short and convoluted. The latest NIST guidelines set a minimum of eight characters, recommend at least 15 where the password is the only thing protecting the account, require systems to accept at least 64, and drop the old “must contain a capital, a digit and a symbol” rules. So what about an obscure but memorable song lyric, or a line from a book you love (just don’t use A Tale of Two Cities; it’s too obvious).
Or better still, the NCSC recommends using three random words to create a password that will be “long enough and strong enough” to protect your accounts.
But if you’re thinking of changing certain characters in your password – swapping the letter “o” with a zero, for example – the NCSC warns that cyber-criminals know these tricks too. “Your password won’t be significantly stronger, but it will be harder for you to remember,” the NCSC says.
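To make the NIST and NCSC advice above concrete, here is an added example (written for this page, not code from NIST, the NCSC or the article’s author) of how a website or corporate login system could check a password the modern way: a length floor and ceiling, a lookup against a list of common or breached passwords, no “must contain a symbol” rules and no expiry timer. It also shows the two points from the last few paragraphs: the blocklist comparison undoes “o to 0” style substitutions before looking the word up, and, when a reset does happen (because of a breach, not a calendar), a new password that is just the old one with the trailing digit bumped is refused. The blocklist, substitution table and function names are this example’s own assumptions; a real deployment would consult a breach corpus rather than a hard-coded set.

```python
"""
Added example (not from the article, NIST or the NCSC): a verifier-side
password check in the spirit of NIST SP 800-63B and the NCSC advice.
The sample blocklist and substitution table are constructed for this demo.
"""
import re
import unicodedata

# Constructed sample blocklist. A real verifier would use a breach corpus
# (for example a k-anonymity range lookup) instead of a hard-coded set.
BLOCKLIST = {"password", "password1", "123456", "1234567", "qwerty",
             "letmein", "liverpool", "arsenal", "taylorswift"}

# Substitutions that cracking rule sets reverse for free. Undoing them before
# the lookup means "P@ssw0rd1!" is compared as plain "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LEN = 8          # SP 800-63B: at least 8 characters
MIN_LEN_ALONE = 15   # SP 800-63B-4: at least 15 when there is no second factor
MAX_LEN = 64         # SP 800-63B: the verifier must accept at least 64


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker would start from."""
    p = unicodedata.normalize("NFKC", password).casefold()
    core = re.sub(r"[\d\W_]+$", "", p)   # "Summer2024!" -> "summer"
    return (core or p).translate(LEET)   # all-digit strings are kept whole


NORMALIZED_BLOCKLIST = {normalize(w) for w in BLOCKLIST}


def check_password(password: str, *, single_factor: bool = True):
    """Return (accepted, reason). Deliberately absent: composition rules
    ("needs an upper-case letter / digit / symbol") and any expiry date."""
    n = len(password)
    floor = MIN_LEN_ALONE if single_factor else MIN_LEN
    if n < floor:
        return False, f"shorter than {floor} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if normalize(password) in NORMALIZED_BLOCKLIST:
        return False, "a common or breached password (substitutions do not disguise it)"
    return True, "accepted"


def predictable_edits(old: str):
    """Variants an attacker holding `old` would try first after a forced reset."""
    cands = []
    m = re.fullmatch(r"(.*?)(\d+)(\W*)", old)
    if m:
        stem, num, tail = m.groups()
        for k in range(1, 4):                              # password1 -> password2, 3, 4
            cands.append(f"{stem}{int(num) + k:0{len(num)}d}{tail}")
    else:
        cands.extend(old + d for d in "123")               # summer -> summer1
    base = old.rstrip("!?.")
    cands.extend(base + s for s in "!?.")                  # swap the trailing symbol
    return [c for c in dict.fromkeys(cands) if c != old]   # dedupe, drop the old one


def check_reset(old: str, new: str, *, single_factor: bool = True):
    """Reset-time check (triggered by evidence of compromise, never by a timer):
    the new password must pass the policy and must not be a trivial edit of the old."""
    ok, reason = check_password(new, single_factor=single_factor)
    if not ok:
        return False, reason
    if new == old or new in predictable_edits(old):
        return False, "trivial variation of the previous password"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Summer2024!", "grape trombone lantern"]:
        print(f"{pw!r}: {check_password(pw, single_factor=False)}")
    print(check_reset("Summer2024!", "Summer2025!", single_factor=False))
```

Note what the three-random-words password passes on: length alone. It contains no digits or symbols, which a 2010-era policy would have rejected, while “P@ssw0rd1!” satisfies every old composition rule and is still thrown out because it normalises to “password”.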
So what should people do? First, pay attention to the NCSC and NIST guidance as these institutions really know the latest research on security, which can help in your personal password choices.
At work, you should follow the advice of your IT department and perhaps make them aware of NCSC and NIST guidelines if they aren’t already.
The NIST guidelines mark a shift away from the rigid views of the past. The US helps set the standard for the tech world, and they are saying it’s more realistic to meet people where they are, accepting they have different levels of technical ability, which should ultimately help make everyone more secure.
Kate O’Flaherty is a freelance technology journalist