FTC Chief Technologist Lorrie Cranor wrote in March it is time to reconsider mandatory password changes.
Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)
The prime reason given is users pick bad passwords. That doesn’t seem like a justification to me to not change passwords. It is a problem that could be avoided by using a password similarity rule in your password rules. You could force longer passwords to encourage passphrases. I do agree government password policies get a bit ridiculous (8 digit pin that must be changed used in conjunction with SecurID. That just seems like overkill).
I like to use a password manager. This allows most of my passwords to be something long and unknown. They are protected by a strong password, and a second factor of authentication. Educating people about using these tools seems like a great way to go. At any rate, I didn’t want to make this rare post a rehash of old password arguments. The Cranor post is worth reading.
This week Troy Hunt of haveibeenpwned.com received a copy of 68 million accounts from Dropbox. A hack occurred in 2012 and at the time Dropbox forced a reset to some accounts. If a user didn’t change their password since that hack they would be effected. If they changed that password, but used the same credentials elsewhere they would be effected.
The idea of changing the password only in case of known compromise is defeated when you realize that you don’t always know about compromise. Companies don’t disclose. Or they don’t force a password change and you miss the announcement. Or you change the password for that account but use the same password somewhere else.
While changing a password every 90 days is overkill for most accounts, there is a happy medium between that and never changing them. Using a password manager (or at least the correct password manager) will let you know the age of your password (age starting from the point you add it to the database . Obviously it doesn’t know the actual password set date. Some password managers are able to attempt change the password for you, so you only have to click a button (works on specific sites only).
In either case proactive monitoring for compromise is important. You can enroll your username or email at haveibeenpwned.com to be notified about new breaches that affect your accounts. Some password managers have this functionality built-in.