The problems with forcing regular password expiry, UK National Cyber Security Centre


This article breaks down the UK National Cyber Security Centre’s (NCSC) stance against forced password expiry and explains, in plain terms, why the practice is now generally considered poor security hygiene.

The Headline: Ditching Mandatory Password Changes

The NCSC, a trusted authority on cybersecurity in the UK, has come out against the old practice of forcing users to change their passwords at a fixed interval (e.g., every 90 days). Their blog post, “The problems with forcing regular password expiry,” highlights why this is no longer the recommended approach. This reflects a broader industry shift based on research and real-world experience.

Why Forced Password Expiry Used to Be a Thing

The idea behind forcing password changes was simple:

  • Reduce the impact of compromised passwords: If a hacker somehow obtained your password, it would only be valid for a limited time before it was changed.
  • Address human laziness: It was assumed people would choose weak passwords and reuse them across multiple sites, so frequent changes would at least force them to pick something different from time to time (even if, in practice, that often didn’t happen).

The Problems with Forced Password Expiry: Why It Doesn’t Work Well

Here’s the core of the issue. Forcing regular password changes sounds like a good idea, but it often backfires. The NCSC and other security experts have identified several problems:

  1. Predictable Password Changes:

    • Users often make slight modifications to their existing password when forced to change it (e.g., “Password1” becomes “Password2,” then “Password3”). This makes passwords much easier to guess. A hacker who knows your previous password has a huge head start.
    • The changes might follow a pattern like seasonal changes (“Summer2023”, “Autumn2023”).
    • Essentially, instead of getting stronger passwords, you often get predictable variations of weak passwords.
  2. Password Fatigue & Reuse:

    • Users become annoyed with constantly having to remember new passwords, leading to password fatigue.
    • They might start reusing the same “slightly modified” password across multiple accounts, negating the security benefit. If one of those accounts is breached, all of them are now vulnerable.
    • People are also more likely to write down their passwords (a huge security risk) when they have to remember a new one every few weeks.
  3. Help Desk Overload:

    • Forced password changes generate a massive influx of help desk requests from users who have forgotten their passwords. This ties up IT resources that could be used for more effective security measures.
  4. Reduced Productivity:

    • The constant password resets disrupt workflows and make it harder for employees to do their jobs. It’s a minor inconvenience that adds up over time.
  5. Focus on the Wrong Threat:

    • Forced password changes address the symptom (potentially compromised passwords) rather than the root cause (weak passwords, phishing attacks, etc.).
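As an added illustration of the predictability problem (example code, not from the NCSC post or this article): a password-change check that flags the kind of trivial variant the list above describes, so a defender can see how little a forced rotation actually changes. The deny list of base words and the similarity threshold are assumptions chosen for the illustration.

```python
import difflib
import re
from typing import Optional

# Constructed deny list of base words that recur in predictable rotations
# (the article's "Password1" -> "Password2" and "Summer2023" -> "Autumn2023").
# A real deployment loads a far larger list (leaked common passwords, the
# organisation's own name, product names); this one is only for illustration.
COMMON_CORES = {"password", "welcome", "letmein",
                "spring", "summer", "autumn", "winter"}

_NON_LETTERS = re.compile(r"[^a-z]")


def core(password: str) -> str:
    """Lower-case and drop digits/symbols: what is left is the word a user
    keeps recycling while bumping only the counter or year around it."""
    return _NON_LETTERS.sub("", password.lower())


def is_predictable_change(old: str, new: str,
                          threshold: float = 0.8) -> Optional[str]:
    """Return a reason if `new` is a trivial variant of `old` or is built on a
    well-known base word; return None if the change looks genuine."""
    if new == old:
        return "unchanged"
    old_core, new_core = core(old), core(new)
    if new_core and new_core == old_core:
        return "same base word, only digits or symbols changed"
    if new_core in COMMON_CORES:
        return f"built on the common word '{new_core}'"
    # ratio() is 2*matches/total length, so a single appended or substituted
    # character in a short password scores close to 1.0.
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= threshold:
        return f"differs from the previous password by a small edit ({ratio:.2f})"
    return None


if __name__ == "__main__":
    for old, new in [("Password1", "Password2"), ("Summer2023", "Autumn2023"),
                     ("Password1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {is_predictable_change(old, new)}")
```

A short deny list will miss many rotations, which is exactly why the article's alternatives below lean on length, password managers and breach monitoring rather than on policing each change.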

So, What’s the Alternative? Focusing on Stronger Security Practices

The NCSC and other security experts recommend a more comprehensive approach that focuses on:

  1. Password Complexity & Length:

    • Encourage or enforce strong, unique passwords. The longer the password, the harder it is to crack. A password manager can help with this.
    • Aim for passwords of at least 12 characters. Ideally, even longer.
    • Complexity requirements (uppercase, lowercase, numbers, symbols) are less important than length. A long, random string of words is often more secure than a short, complex password.
  2. Password Managers:

    • Promote the use of password managers. These tools generate and store strong, unique passwords for each site, so users only have to remember one master password. This is arguably the single biggest improvement most users can make to their security.
  3. Multi-Factor Authentication (MFA):

    • Implement MFA whenever possible. This requires users to provide a second form of verification (e.g., a code from a mobile app, a fingerprint scan) in addition to their password. Even if a hacker gets your password, they won’t be able to log in without the second factor. This is essential for high-value accounts.
  4. Compromised Password Monitoring:

    • Implement tools to monitor for passwords that have been exposed in data breaches. If a user’s password shows up in a known breach, they should be required to change it. (There are services that can automatically check for this.)
  5. User Education:

    • Train users to recognize phishing attacks and other social engineering tactics that can be used to steal passwords.
    • Educate them about the importance of strong, unique passwords and how to use password managers.
  6. Proactive Threat Detection:

    • Focus on detecting and responding to actual security threats, rather than relying on a blunt instrument like forced password changes. This includes things like intrusion detection systems, security information and event management (SIEM) systems, and threat intelligence.
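An added example, not from the NCSC post or this article, of how compromised-password monitoring (item 4 above) can work without the checking service ever seeing the password: the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords API, with the network call replaced by a constructed in-memory stand-in. The breach corpus and its counts are made up for the example; the article names no particular service.

```python
import hashlib
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_service(breach_corpus: Dict[str, int]) -> Callable[[str], str]:
    """Stand-in for the remote range endpoint, built from a constructed
    {password: times_seen} corpus. It answers like the real API does:
    one 'HASH_SUFFIX:COUNT' line per breached hash sharing the prefix."""
    buckets: Dict[str, List[str]] = {}
    for pw, count in breach_corpus.items():
        digest = sha1_hex(pw)
        buckets.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def fetch_range(prefix: str) -> str:
        # The service only ever learns these 5 hex characters (20 bits).
        assert len(prefix) == 5, "client must send exactly a 5-character prefix"
        return "\r\n".join(buckets.get(prefix, []))

    return fetch_range


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the breach data, or 0.
    Only the hash prefix leaves the client; matching happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# Constructed breach corpus with made-up counts; the real data set is large.
CONSTRUCTED_CORPUS = {"password123": 123456, "Summer2023": 4201, "Password2": 9876}
FETCH = build_range_service(CONSTRUCTED_CORPUS)


def must_change_password(password: str) -> bool:
    """The article's rule: force a change only when the password is known-breached."""
    return pwned_count(password, FETCH) > 0
```

Swapping `FETCH` for a function that performs the real HTTPS range request keeps the rest unchanged, and the forced change is triggered by evidence of compromise rather than by the calendar.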

In Summary

Forcing users to change their passwords regularly is an outdated practice that often does more harm than good. It leads to predictable password changes, password fatigue, and a false sense of security. A much better approach is to focus on stronger password practices, multi-factor authentication, user education, and proactive threat detection. The NCSC’s position reflects a growing consensus in the cybersecurity community: it’s time to retire mandatory password expiry.



The following question was used to generate the response from Google Gemini:

At 2025-03-13 11:50, ‘The problems with forcing regular password expiry’ was published according to UK National Cyber Security Centre. Please write a detailed article with related information in an easy-to-understand manner.
