Listen to the article (AI powered narration)

Published on July 28, 2020

According to the most recent version of the NIST cybersecurity framework, it’s no longer advisable to mandate periodic password resets. For years now, thought leaders in the space, including Lorrie Cranor, the former chief technologist at the FTC, have been arguing that mandatory password resets are counterproductive to password security. Back in 2015, a quantitative study from Sonia Chiasson and Paul van Oorschot, two scholars at Carleton University’s School of Computer Science, found that forcing employees to do password resets resulted in “questionable benefits.”

The general rule of thumb in 2020 is that you only need to force employees to change their passwords if there has been evidence of a breach, and large enterprises are taking note. The official line from Microsoft is: “If a password is never stolen, there is no need to expire it.” That said, the Seattle-based tech giant recommends that enterprises use two-factor authentication (2FA), while also enforcing banned password lists and requiring employees to use passwords of a certain complexity, length, and history. As long as these protections are in place, there is no need to mandate periodic password changes. In fact, requiring password resets can make your network less safe.

Employees create similar passwords and rely on Post-it Notes

To begin with, the average business user has an average of 191 passwords. With so many passwords to remember, employees tend to create similar passwords when they’re forced to change their existing passwords. This, in and of itself, is dangerous, especially if there has been a breach in the past. Moreover, frequent mandatory resets cause some employees to resort to writing passwords on Post-it Notes at their workstations.

It causes employee downtime and places an undue burden on service desks

To be sure, there are monetary consequences associated with mandatory password resets, as employees aren’t able to work while they wait for a system administrator to assist them. According to a 2018 Forrester report, the average cost of a password reset is $70.

As Cameron Covert, Zoho director of US events, explains, “The whole time you’re trying to figure it out, you’re not working. At a minimum, you’re looking at downtime of at least thirty minutes.”

Password resets become especially frustrating for employees who work from home. Covert laments, “When you forget your password, you have to call your sys admin. And lot of employees don’t know what their sys admin’s phone number is. Plus, you can’t get on your internal chat tool—be it Cliq or Slack or Google Chat—so you can’t message your support team. It’s a headache, especially if you’re working from home.”

Weakening employee morale

Employees find frequent password resets to be a nuisance. Tom Phillips, Zoho operations manager says, “I understand the reason for [mandatory password resets], I guess, but selfishly as a user, it’s very annoying. Also, I put all my passwords in a sheet, so if somebody gets their hands on that sheet, they can ransack my identity. All bets are off at that point.”

Conclusion

Although the NIST framework now suggests that mandatory resets are unnecessary, it’s important to point out an important caveat: passwords are here to stay for the foreseeable future. This is true, even though 81% of hacking breaches are due to compromised passwords. Passwords are arguably superior to biometric information because unlike biometric data, passwords are either completely right or completely wrong.

Biometric information that is partially correct can sometimes unlock accounts; for example, studies have shown that some children’s faces are similar enough to unlock their parents’ accounts. Also, there have been several cases of stolen fingerprint data, and once this biometric information is stolen, it can’t be undone.

As Microsoft’s new password policy makes clear, multi-factor authentication is key, and passwords should always be of a certain length and complexity. While it’s wise to discontinue mandatory password resets, it is also important that enterprises bolster their account security in other ways.

Tools that facilitate mobile device management, privileged access management, and remote password resetting can strengthen your enterprise’s password security. Also, log monitoring tools can be put into place, ensuring that any anomalous activity is detected in time. The bottom line is—you should feel free to abolish mandatory password resets, but don’t neglect your other password security initiatives.

John Donegan

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

 Learn more about John Donegan
x