
Okay, let’s break down the UK National Cyber Security Centre’s (NCSC) stance on forced password expiry, as highlighted in their blog post “The problems with forcing regular password expiry.” I’ll present the information in a clear, easy-to-understand manner.
The NCSC’s Stance: Stop Forcing Password Expiry
The core message is this: Forcing users to change their passwords regularly (e.g., every 30, 60, or 90 days) is generally no longer recommended and can actually decrease security.
Why This Was the Recommendation (Historically)
The old logic behind forced password expiry was based on these assumptions:
- Passwords Get Compromised: The thinking was that passwords could be stolen, guessed, or leaked over time. Regular changes would limit the lifespan of a compromised password, reducing the window of opportunity for attackers.
- Users Create Weak Passwords: It was assumed that users would choose weak, easily guessable passwords. Forcing them to change frequently would, in theory, force them to at least occasionally come up with something slightly stronger.
The Problems with Forced Password Expiry (According to the NCSC and other security experts)
The NCSC’s blog post and broader security research highlight several major problems with this approach:
- Predictable and Weak Passwords: The biggest issue is that forced expiry encourages users to create passwords that are easy to remember and easy to change predictably. Instead of complex, unique passwords, users tend to:
  - Make slight variations on their old password: For example, changing “Summer2024!” to “Summer2024@” or “Summer2025!”. Attackers know this behavior and use algorithms to guess these variations.
  - Choose simple, easily guessable passwords: When under pressure to change frequently, users often prioritize convenience over security. They might pick a common word or phrase with a number tacked on.
  - Write down their passwords: To avoid forgetting, people might write down their passwords, negating any perceived security gain.
- Password Fatigue: Constantly changing passwords is frustrating and annoying. This leads to:
  - Reduced compliance: Users become less likely to follow other security best practices because they’re already burdened by password changes.
  - Workarounds: They might create “password reset reminder” documents, which are inherently insecure.
- Increased Help Desk Costs: Password resets are a significant burden on IT support. Forced expiry dramatically increases the number of reset requests, tying up valuable resources.
- False Sense of Security: Organizations might believe they’re more secure because they have a password expiry policy, even though the policy is actually making things worse. This can lead to complacency in other critical security areas.
- Focus is misplaced: The focus on password expiry detracts from focusing on more effective security controls.
What to Do Instead: The NCSC’s Recommended Approach
The NCSC and other security organizations recommend a shift in strategy, focusing on these approaches:
- Promote Strong Passwords (or Passphrases): Encourage users to create strong, unique passwords or, even better, use passphrases. A passphrase is a sentence or string of words that’s easy to remember but hard to guess. Examples: “My favorite color is electric blue on Tuesdays” or “I love eating pizza with pineapple”.
  - Education: Teach users how to create strong passwords and passphrases. Emphasize length, complexity (a mix of upper and lowercase letters, numbers, and symbols), and avoiding personal information.
  - Password Managers: Recommend and, where possible, provide password managers. These tools generate and store strong, unique passwords for each website and service, relieving users of the burden of remembering them all.
  - Password Complexity Requirements: Implement reasonable password complexity requirements (e.g., minimum length, character variety).
- Implement Multi-Factor Authentication (MFA): This is the most important security measure. MFA requires users to provide two or more forms of authentication, such as a password and a code sent to their phone. Even if a password is compromised, an attacker still needs the second factor to gain access.
- Monitor for Compromised Credentials:
  - Compromised Password Databases: Monitor databases of known compromised passwords (e.g., Have I Been Pwned?). If a user is using a password that’s been leaked, force them to change it immediately.
  - Anomaly Detection: Implement security systems that can detect unusual login activity, such as logins from unfamiliar locations or at odd hours.
- Educate Users About Phishing: Phishing attacks are a common way for attackers to steal passwords. Train users to recognize and avoid phishing emails and websites.
- Use Risk-Based Authentication: Implement systems that assess the risk of a login attempt in real-time. If the risk is high (e.g., login from a new device or location), require additional authentication steps.
- Strengthen account recovery processes: Ensure that your account recovery processes are robust and not easily exploited by attackers.
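As an added example (not from the NCSC post or this article), here is a password-change check that does what the text above asks for on two points: it rejects the predictable “Summer2024!” to “Summer2025!” rotations that forced expiry trains users into, and it screens the new password against a breach corpus using the same prefix-of-SHA-1 (k-anonymity) lookup shape that Have I Been Pwned uses. The breach set, the 12-character minimum and the edit-distance threshold are assumptions for the demo.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus (e.g. a Have I Been Pwned range
# query), keyed by upper-case SHA-1 as that service does; not real data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2024!", "password1", "Welcome123")
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _stem(pw: str) -> str:
    """Strip the parts users rotate (case, digits, symbols), leaving the word core."""
    return re.sub(r"[^a-z]", "", pw.lower())

def is_trivial_variation(old: str, new: str) -> bool:
    """True for 'Summer2024!' -> 'Summer2025!' style rotations: a couple of
    edits, or the same word core with different digits/symbols/affixes."""
    if levenshtein(old, new) <= 2:   # assumed threshold
        return True
    old_stem, new_stem = _stem(old), _stem(new)
    return len(old_stem) >= 4 and (old_stem in new_stem or new_stem in old_stem)

def is_breached(pw: str) -> bool:
    """k-anonymity check: only the 5-character hash prefix would be sent to the
    service; the returned suffixes are compared locally, so the password stays on-host."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def evaluate_change(old: str, new: str, min_len: int = 12) -> list[str]:
    """Reasons to reject a password change; an empty list means accept."""
    reasons = []
    if len(new) < min_len:   # assumed minimum length
        reasons.append("too short")
    if is_trivial_variation(old, new):
        reasons.append("predictable variation of the previous password")
    if is_breached(new):
        reasons.append("found in breach corpus")
    return reasons
```

In production the breach check would issue a real range query for the prefix and the old password would be compared as a verifier, not kept in the clear.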
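The anomaly-detection and risk-based authentication points above, worked as an added example (mine, not the NCSC’s or this article’s): a login attempt is scored against the user’s own history on the signals the text names (new device, new location, odd hour), and a score at or above a threshold triggers a step-up to a second factor. The history, weights, threshold and “normal hours” window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class LoginAttempt:
    user: str
    device_id: str
    country: str
    at: datetime

# Constructed login history (not real data): one user's recent successful logins.
HISTORY = [
    LoginAttempt("alice", "dev-laptop-1", "GB", datetime(2025, 3, 10, 9, 5, tzinfo=timezone.utc)),
    LoginAttempt("alice", "dev-laptop-1", "GB", datetime(2025, 3, 11, 8, 50, tzinfo=timezone.utc)),
    LoginAttempt("alice", "dev-phone-1", "GB", datetime(2025, 3, 12, 18, 30, tzinfo=timezone.utc)),
]

WEIGHTS = {"new_device": 40, "new_country": 40, "odd_hour": 20}   # assumed policy
STEP_UP_THRESHOLD = 40   # assumed: at or above this, require a second factor

def risk_signals(attempt: LoginAttempt, history: list) -> list[str]:
    """Return the risk signals an attempt triggers, judged against the user's own history.
    A user with no history trips both 'new' signals, so a first login is always stepped up."""
    past = [h for h in history if h.user == attempt.user]
    signals = []
    if attempt.device_id not in {h.device_id for h in past}:
        signals.append("new_device")
    if attempt.country not in {h.country for h in past}:
        signals.append("new_country")
    if not 6 <= attempt.at.hour < 22:   # assumed "normal hours" window, UTC
        signals.append("odd_hour")
    return signals

def decide(attempt: LoginAttempt, history: list) -> tuple[str, int]:
    """Map the summed risk score to an action: 'allow' or 'step_up' (demand MFA)."""
    score = sum(WEIGHTS[s] for s in risk_signals(attempt, history))
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow", score)
```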
In Summary:
- Forced password expiry is often counterproductive.
- Focus on promoting strong passwords, using MFA, and monitoring for compromised credentials.
- Educate users about security best practices.
- Implement technical controls to detect and prevent password-based attacks.
By taking these steps, organizations can significantly improve their security posture without burdening users with frequent and often meaningless password changes.
The problems with forcing regular password expiry
The following question was used to generate the response from Google Gemini:
At 2025-03-13 11:50, ‘The problems with forcing regular password expiry’ was published according to UK National Cyber Security Centre. Please write a detailed article with related information in an easy-to-understand manner.