Recently I was directed to this article:
I've always been unhappy with the advice given there, that we should change
our passwords regularly. To me, you should choose hard passwords, and that
makes them difficult to remember. As a result, changing them regularly would
So I was interested to read this "toot-storm" on Mastodon by
- Alrighty, time to lay down the lore of the evolution of
password management best practices, and why it is that
[ the above ] is a bad article.
- First, the current best practices say that your passwords should be:
in THAT order. Unless there is a specific reason to
believe that the service has been breached, there is
no reason to change them.
- 1. Unique
- 2. Long
- 3. Complex
- Password rotation was deprecated last year in
NIST Special Publication 800-63-3:
Digital Authentication Guidelines - there is no
longer a requirement to expire or rotate credentials
on a regular basis.
- Now for the lore: why was password rotation a thing?
- This hearkens back to the 1990s and earlier, when
credentialing worked a bit differently.
- You see, the biggest concern at that time was the
ability of an attacker to bruteforce a login - together
with the [usually fairly short - 8 character maximum on
many systems!] length of most standard credentials meant
that there was a real possibility they could be forced
- So under that regime, it made sense to recommend rotating
credentials - at least as often as you would expect them
to be cracked by an attacker.
- However, since that time, we have learned how to do other
things, like "account lockouts" after some number of
incorrect logins, and have created the concept of the
password manager, and have also learned how to export
system logs to SIEMs to look for that kind of bruteforce
attack. Also, key-based logins are available.
Two factor authentication.
- All of these things mitigate, in different ways, the old
- So NIST, correctly, has revisited the old recommendations,
and realized that the bigger threat today comes with
credential reuse; and that reuse is exacerbated when
people have to keep changing their passwords.
- People will tend to use shorter, easier-remembered, and
non-unique creds under those circumstances.
- So the risk involved with that is greater than that of
a longer-duration password lifespan.
- In addition, the modern hashing algorithms are a lot more
expensive to run than the old ones - which, combined with
the recommendation for longer passwords, means that
bruteforcing is already a much less practical attack,
even before considering the other mitigations.
- So there you have it: why password rotation is no longer
recommended as a best practice, and an overview of how
that came to be.
Then @email@example.com chimed in:
- Reuse is much more of a threat than misuse in most
practical cases - when you incentivise people to
reuse passwords you make it such that a compromise
in one place means a compromise in many.
- @munin replied:
- That is absolutely correct, and it's what drives me
up the wall about so many of these people who, e.g.,
disable paste into password fields [thus defeating
password managers] - they're encouraging the worse
risk to 'defeat' a trivial, unlikely one.
- Of course, it will be five years or more before most
policies various government and corporate entities are
required to follow will be updated to suit that.
- To which @munin replied:
- And that's why I'm posting this kind of thing
regularly - so that people will have that information
and can advocate for the change in their own orgs.
So there you are - a succinct debunking of the "change your passwords regularly" mantra.
Suggest a change ( <--
What does this mean?) /
Send me email
Front Page /
All pages by date /
Site overview /
Top of page