Why Password Expiration's Time is Up

Now that we're all trying our best to optimize our productivity in these unique circumstances we're living through, it might be time to finally put password expiration to rest.

For years, organizations have enforced password expiration policies, requiring employees to regularly update their passwords. The reasoning was that if an employee's password had been compromised without their knowledge, changing it regularly would make any compromised passwords obsolete and always keep them one step ahead of the hackers.

Shifting attitudes

Although this method of password protection was at one time widely adopted (a 2016 Forrester survey noted that 77% of IT departments were expiring staff passwords on a quarterly basis), attitudes towards it have shifted in recent years.

Both NIST and Microsoft have spoken out against mandatory password expiration, citing the following reasons:

It impedes efficiency

Having to periodically update passwords forces employees to drop what they're working on and go through each and every one of their accounts to change its password, which can take quite a bit of time for those with a significant number of accounts. Add to that the fact that they may occasionally forget their new passwords and have to go through the hassle of another reset.

It wastes budget and resources

If time is money, time wasted resetting a password is money wasted resetting a password. In companies where passwords are set and reset by the IT department, not by the employees themselves, regularly updating passwords can actually incur a financial loss; $70 worth of help desk labor for each password reset in fact, according to Forrester.

It encourages poor password practices

Even the most security-conscious employees have their limits. The frustration of having to constantly come up with new passwords, and inevitably forgetting them, pushes employees to adopt poor password practices, like reusing the same password or phrase but with slight variations or storing their passwords insecurely (on sticky notes, in a text file on their computer, etc.).

A new approach

So if companies don't make it mandatory to regularly update passwords in order to discard potentially compromised ones, how can they be sure that none of their employees' passwords have been compromised?

The answer: monitor exposure. There is no reason to arbitrarily reset a password out of fear that it might hypothetically be compromised when that password meets criteria establishing that it has not been exposed in a known data breach, or is unlikely to have been.

NIST recommends comparing passwords "against a list that contains values known to be commonly-used, expected, or compromised", such as dictionary words, repetitive or sequential characters (e.g. abcd, 1234, qwerty), or passwords obtained from previous data breaches.
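As an added example (not code from the original post, and not MYKI's product), the screening NIST describes can be implemented as a local check that rejects a candidate password when it appears in a breach list, is a dictionary word, or contains repetitive or sequential runs. The breach list, dictionary and sample candidates here are constructed for illustration only; the prefix-range lookup is an assumption modelled on the k-anonymity pattern public breach-lookup services use, where only the first five hex characters of the hash leave the checking host.

```python
import hashlib
import re
from collections import defaultdict

# --- Constructed sample data (this example only; not a real breach corpus) ---
# Passwords standing in for credentials exposed in past breaches. Such lists are
# usually distributed as SHA-1 digests, so only digests are kept in memory.
_SAMPLE_BREACHED = ("password123", "letmein", "Summer2020!")
# A tiny stand-in for a full dictionary word list.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "football"}

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def sha1_hex(text: str) -> str:
    """Uppercase SHA-1 hex digest, the form breach lists commonly use."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index digests by their first five hex characters. A range lookup then needs
# only the prefix (assumed k-anonymity pattern), so the full digest stays local.
BREACH_INDEX = defaultdict(set)
for _pw in _SAMPLE_BREACHED:
    _digest = sha1_hex(_pw)
    BREACH_INDEX[_digest[:5]].add(_digest[5:])


def range_lookup(prefix: str) -> set:
    """Return every stored digest suffix that shares the 5-character prefix."""
    return set(BREACH_INDEX.get(prefix.upper(), ()))


def is_breached(password: str) -> bool:
    """True if the password's digest suffix is among the prefix's range results."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def has_repetitive_run(password: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_sequential_run(password: str, run: int = 4) -> bool:
    """True if a window of `run` characters walks a known sequence in either direction."""
    lowered = password.lower()
    sequences = (ALPHABET, DIGITS) + KEYBOARD_ROWS
    sequences += tuple(s[::-1] for s in sequences)
    for start in range(len(lowered) - run + 1):
        window = lowered[start:start + run]
        if any(window in seq for seq in sequences):
            return True
    return False


def is_dictionary_word(password: str) -> bool:
    """Strip leading/trailing digits and punctuation, then compare the core to the word list."""
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", password).lower()
    return core in DICTIONARY_WORDS


def screen_password(password: str) -> list:
    """Return the reasons a password fails the screen; an empty list means it passes."""
    reasons = []
    if is_breached(password):
        reasons.append("appears in a known data breach")
    if is_dictionary_word(password):
        reasons.append("is a dictionary word")
    if has_repetitive_run(password):
        reasons.append("contains repeated characters")
    if has_sequential_run(password):
        reasons.append("contains a sequential pattern")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: one breached, one dictionary word, one sequence, one clean.
    for candidate in ("Summer2020!", "Dragon99", "abcd1234", "Tr0ub4dor&3"):
        verdict = screen_password(candidate) or ["passes screening"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

In a real deployment the breach index would be loaded from a published digest list (or queried by prefix from a lookup service) and the dictionary from a full word list; the screening logic itself does not change, and it runs at the moment a password is set rather than on a calendar schedule.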

MYKI for MSPs' Breach Monitor scans all the passwords you've added to your MSP (including those of your clients) and compares them to a list of passwords exposed in past data breaches. If any of them are a match, MYKI for MSPs will identify them, allowing you to quickly and easily update them with stronger ones that you can generate from the portal directly.

Sign up for MYKI today and start taking control of your digital identity.
