So you think you know password best practices based on decades of advice, including pointers that we’ve given in the past? The thing with security processes is that they work best when they’re reviewed regularly, to ensure they’re still fit for purpose when it comes to protecting you and your business. Passwords are no exception.
The National Cyber Security Centre (NCSC) have done exactly this, and they are now advising against the long-held security belief that regularly forcing users to change their passwords increases security.
“Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.” NCSC
Their reasoning behind this is that changing passwords regularly doesn’t take into account ‘password overload’ for users. When the average UK user has 22 passwords they’re meant to remember, and these are often subject to password policies intended to make them harder to guess, the user is often led to include easily guessable personal information (favourite football team, kids’ names, birthday dates) to create their own simplistic framework. That framework follows the password requirement criteria, but makes every password similar and therefore predictable.
Having passwords changed regularly also means users are more likely to write them down, and we don’t need to tell you what a security risk writing your PC login password on a brightly coloured post-it note stuck to the bottom of the monitor presents!
Another point the NCSC make is that, from a business perspective, regularly changing passwords means they are more likely to be forgotten. This costs a lot of time and a loss of productivity from users locked out of accounts.
If you’d like more information about password management options, password security, or implementing features such as single sign-on (SSO), which gives staff one login to their machine and from there access to everything they need without further passwords, then we’re happy to talk to you about your requirements.