Password Expiration Policy and Best Practices

by Sarah Harvey / July 5th, 2018

Microsoft’s Password Guidance recommends that passwords be set to never expire. Microsoft argues, “Password expiration policies do more harm than good, because these policies drive users to very predictable passwords composed of sequential words and numbers which are closely related to each other.” NIST’s guidance suggests, “Verifiers should not require memorized secrets [passwords] to be changed arbitrarily. However, verifiers shall force a change if there is evidence of compromise of the authenticator.” These concerns and suggestions are valid, but we believe that moving away from password expiration policies altogether is problematic.

What Makes a Strong Password?

Creating an effective password expiration policy goes hand-in-hand with creating a strong password. Both NIST and Microsoft guidance highlight a need to move away from traditionally accepted strong password best practices, such as:

  • Character length
  • Character complexity
  • Expiration date

Instead, NIST and Microsoft claim that strong password best practices should include:

  • Banning common passwords
  • Educating employees to not use their organization credentials anywhere else
  • Enforcing multi-factor authentication (MFA)
  • Enabling risk-based MFA

Following these new best practices and ensuring that users create strong passwords could allow administrators to implement less frequent password expiration dates.

KirkpatrickPrice’s Best Practices for a Password Expiration Policy

At KirkpatrickPrice, we have found that eliminating password expiration policies can lead to a weakened security posture. Users are still likely to create and use hackable passwords, such as variations of birthdays, anniversaries, names, addresses, and other personal information. Because of this, establishing effective criteria for strong passwords and implementing a password expiration policy is crucial in maintaining a strong security posture. To accomplish this, we recommend doing the following when developing a password expiration policy:

  • Education and Training: A key to maintaining a strong security posture is continuously educating and training users on the importance of creating strong passwords. Administrators must set the tone for establishing strong passwords through proper security awareness training. Users must understand what constitutes a strong password, and also what password expiration policy is in place and why.
  • Utilizing MFA: MFA allows users to confirm their identity by successfully presenting two or more pieces of evidence to an authentication mechanism, reducing the risk of compromise. Without MFA and password expiration dates, users are much more likely to be hacked or to be unaware that a hack has occurred.
  • Setting a Timeframe for Password Expiration: It is imperative that a password expiration policy be established. Though research has shown that frequent password expiration dates can be detrimental, that doesn’t mean that you shouldn’t set password expiration dates at all. For example, your password expiration policy could be that passwords expire every two years, but those passwords must meet certain strong password criteria and require the use of MFA.

How is MFA More Secure than 2FA?

Because frequent password expiration dates have been industry standard, moving away from that best practice might seem unnerving. Using two-factor authentication (2FA) and MFA, though, can serve as an additional step in maintaining a strong security posture. However, while a 2FA system is a growing best practice, it isn’t guaranteed to shield against cyberattacks; 2FA systems can be easily bypassed. Instead, we suggest using an MFA system to better ensure security because it requires several separate pieces of evidence to confirm a user’s identity instead of just two. How are you ensuring that your employees’ credentials aren’t compromised?

Have you reviewed your password expiration policy? Do you need help developing your organization’s security awareness training? Ensuring a strong security posture doesn’t need to be challenging. Let us help! Contact us today for more information on how KirkpatrickPrice can assist you in implementing these password expiration policy best practices.

More Resources

The 8-Character Password is No Longer Secure

Choosing Secure Passwords

Two-Factor vs. Multi-Factor Authentication