Employees are often required to change their passwords at regular intervals and to meet rules on length and complexity. Because of the extra effort, they are not keen on these ideas, and security experts are increasingly asking themselves: “Are such guidelines even effective?” We say quite clearly: “Yes and no!” Here is why sticking to clearly defined rules for protecting passwords can be both advisable and even dangerous …
When rules do more harm than good
It has long been unclear, and not only among users, what constitutes a strong password and how it should be maintained. Now the Federal Ministry of the Interior for Security (BSI) has deleted the passage calling for regular password changes. The paragraph on complexity and length has also disappeared. Security experts advise that in the long term it is better to remember one really secure password than to bother with minimum requirements.
To change or not to change
But why do password changes actually make sense even when a strong password is already in use? The reason is that attackers may already be inside a company without having been detected yet. Frequent password changes successfully lock them out. But if the password is changed at the expense of quality, the security risk can even increase. In addition, the longer a password is used unchanged, possibly even for several applications or services, the greater the risk of compromise.
“Not without my old password!”
Nevertheless, employees often find it painful to part with their hard-earned mnemonics and character strings. You can’t blame them: it is a mammoth task to remember a unique password for each account, and then to change it every few weeks. No wonder employees resort to insecure tactics to satisfy the letter of their password policies. They don’t replace the password but only change it partially so that they can still remember it. The most popular tactics are …
- append or exchange special characters: Passw0rd!
- append numbers: Password1
- change upper and lower case: PaSSword
- replace letters with numbers: Passw9rd
However, hackers are also familiar with these common patterns: they can easily predict such changes algorithmically and crack the newly set password even faster. As a result, prescribed password changes are rather ineffective and even counterproductive for companies.
Password Managers as a Solution
That password policies are passé is therefore a wrong conclusion, drawn from insecure methods of password creation. Recommending that companies simply leave strong passwords in place can thus be fatal advice that does not address the root cause of the problem.
It is better to give your employees useful tips on what a strong password should look like, and not to leave them alone when replacing it! Best of all, decouple the password change process completely from your employees by letting a Password Manager do it automatically. With a password generator, the number of characters, special characters and so on can be set in advance, and the user no longer has to deal with them when creating the password.
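As an added example (not code from the original post or from any particular password manager), here is a server-side check for the password-change workflow that rejects the partial changes listed above, plus a policy-driven generator using the standard library's CSPRNG. The leetspeak table, the edit-distance threshold of 2 and the generator alphabet are assumptions of this example.

```python
"""Password-change checks (added example). The LEET table, the threshold of 2
and the generator alphabet are assumptions, not values from the post."""
import secrets
import string

# Substitutions users commonly apply to "change" a password; undone before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case, undo leetspeak, drop leading/trailing digits and punctuation."""
    return pw.lower().translate(LEET).strip(string.digits + string.punctuation)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the new password is only a cosmetic edit of the old one."""
    a, b = normalize(old), normalize(new)
    if len(a) >= 4 and (a in b or b in a):  # old password kept as the core
        return True
    return edit_distance(a, b) <= max_distance


def generate_password(length: int = 20, specials: str = "!#$%&*+-=?@_") -> str:
    """Policy-driven random password from the CSPRNG in the secrets module."""
    alphabet = string.ascii_letters + string.digits + specials
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "Password1", "PaSSword", "Passw9rd", generate_password()):
        verdict = "REJECT" if is_trivial_change("Password", candidate) else "accept"
        print(f"{verdict}: {candidate}")
```

The comparison only works at the moment of change, when the user supplies the old password alongside the new one; stored password hashes cannot be compared this way.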