Why do people change their password 90 days?

  • Has the thinking on password change frequency changed again?  I thought the most recent recommendation from NIST was to change passwords when they were believed compromised.

    https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

    Spice (29)

    9 found this helpful

  • Ditto on longer password changes and better passwords.  We do every 6 months as somewhat of a compromise and encourage more of a pass phrase of several dictionary words with a few numbers and special characters.

    Spice (9)

    5 found this helpful

  • As ich.ni.san has pointed out, please add: when they were believed compromised

    Spice (3)

  • Yes, a poll option to follow NIST recommendations seems appropriate. 

    Spice (8)

  • Here are my recommendations:

    • If you've got long, complex passwords unique to each site, you haven't written them down or shared them (outside of a LOCAL password safe), they relate to nothing about you or your family, and you're using MFA: never, or when you feel like it
    • If you store your password in a secure online database: annually
    • If your password is short (<12 characters) or guessable: 90 days, to prevent brute force of a compromised authentication database
    • If you shared your password: 60-90 seconds
    • If your password is compromised: yesterday

    Don't forget to change your short, guessable, not complex answers to your security questions every 90 days, too! And guard your unencrypted-in-transit email closely, because the password resets go there.

    (Passwords just need to go away as an authentication scheme.)

    Spice (18)

    8 found this helpful

  • Added a "When they are believed to be compromised" option along with the ability to re-vote!

    Spice (5)

  • Longer passwords with character(s), number(s) and a combination of capital and lower-case letters could make your password a little more difficult to crack than normal, everyday words.

  • We're up to annually now, with longer character requirements and MFA in place.

    Short password expiry = more secure has been a debunked theory for quite some time now.

    Odd how a password vault supplier is pushing the dated "change passwords often" mantra, isn't it (OK, I'm just a cynic, I know)

    Spice (6)

  • We're annual for Office 365 with MFA required.  For our domain, due to PCI compliance standards requiring it, we're at 90 days.  I'd love to know a way to push out the domain password requirement farther and still comply with PCI (can you argue that MFA is a compensating control, for example?)

  • We do it yearly or when it has been compromised. We use complex passwords and an encrypted password management software so they are pretty secure. Unlikely to get breached via conventional means.

  • My "old farts" would just add another post-it next to the one from last year. MFA is fine but you have to limit the possibilities as to what they can use for MFA (mobile, hardline, mail etc.). Mobiles tend to get lost or are reset if not connected to MDM. Private email is a horror, because the user is expected to manage the security of the private mail account. As always, expected behaviour and what is actually done are two different things. There are possibilities to enforce some kind of behaviour but if there is a chance to fubar it all, there is someone who will take it.

    Spice (3)

  • You should think about adding 365 days or 1 year.   Saying this for a friend.

    Spice (1)

  • Here is the funny thing.  We have just started rolling out FIDO2 keys as MFA.  We expect to lose a few, but people are already used to using lanyards with our Paxton key fobs; people just add the Yubi to it now.

  • For the average user here it's the standard 90 days, although I would prefer we ditched that in favour of what even Microsoft recommends of having much longer, complex passwords (or better yet, passphrases) that are only changed when compromised. That would make things far less of a headache for us when it comes to people complaining about the "VPN not working" and they just had an expired Windows password, among other woes.

    Spice (3)

  • Only when compromised.  But as opposed to sitting around waiting for that to happen, I speed up the process.  Using an unfair advantage (access to the AD SAM hashes) and advanced knowledge of my users, I crack passwords periodically to find the weak links.  This involves clicking a button and walking away for a few days to come back to the results.  When a password is found, the user is instructed on how to create a long, memorable, and hard to crack password.  The average length of passwords used by my users after the instruction is somewhere around 25 characters.  Even better, not a sticky note in sight.

    Spice (3)

  • I was of the opinion that if your password was crap, it doesn't really matter how often you change it. With regard to brute forcing a password, changing from Soccer9 to Soccer10 might save you a picosecond in a dictionary attack, maybe a nanosecond if you change it to Football9. Obviously if it's known compromised it should be changed.

    Spice (1)

  • ckcoder wrote:

    ... Even better, not a sticky note in sight.

    That is good.

    Apologies in advance for repeating something I've posted before, but it's a true story and I think very relevant.

    20+ years ago, an IT manager proudly explained to me how in their office, he enforced all sorts of password rules including very short expiration dates (I think it was 45 days).  I walked over to a desk belonging to a very hard working, no nonsense office manager, lifted the keyboard, and showed the IT manager a post-it with a password.

    I did not know ahead of time the post-it would be there, but knowing the desk's occupant, I thought its presence to be extremely likely.

    The IT manager was not happy.  I did not make him happier when I asked him what he had expected.

    Spice (6)

  • ich.ni.san wrote:

    Has the thinking on password change frequency changed again?  I thought the most recent recommendation from NIST was to change passwords when they were believed compromised.

    https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

    UK National Cyber Security Centre is similar -

    Don't enforce regular password expiry

    Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.

    Forcing password expiry carries no real benefits because:

    • the user is likely to choose new passwords that are only minor variations of the old
    • stolen passwords are generally exploited immediately
    • resetting the password gives you no information about whether a compromise has occurred
    • an attacker with access to the account will probably also receive the request to reset the password
    • if compromised via insecure storage, the attacker will be able to find the new password in the same place.

    https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

    Personally I'd favour FIDO keys for MFA.

    Spice (5)
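As an added example (not code posted by anyone in this thread), here is a check for the first NCSC point quoted above, that a forced reset mostly produces a minor variation of the old password. It normalizes case, strips the trailing counter or year, folds season names into one token and then measures edit distance, so the Soccer9 to Soccer10 and Spring2022 to Summer2022 changes mentioned elsewhere in the thread are both caught. The sample pairs and the two-edit threshold are constructed for the demo.

```python
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Constructed (old, new) password pairs for the demo; none are real credentials.
SAMPLE_PAIRS = [
    ("Soccer9", "Soccer10"),                      # counter bumped
    ("Spring2022", "Summer2022"),                 # season rotated, year kept
    ("Winter2020.", "WINTER2021."),               # case changed, year bumped
    ("Soccer9", "Football9"),                     # different word, same shape
    ("Soccer9", "correct horse battery staple"),  # a genuinely new secret
]


def normalize(pw: str) -> str:
    """Collapse the parts users typically tweak on a forced reset.

    Lower-cases, strips the trailing run of digits/punctuation (the counter,
    year or full stop people increment), then folds any season name into one
    token so that Spring2022 and Summer2023 normalize to the same string.
    """
    s = pw.lower()
    s = re.sub(r"[\d\W_]+$", "", s)
    for season in SEASONS:
        s = s.replace(season, "season")
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) using two rows of memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_minor_variation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is the old password with only cosmetic changes."""
    if old == new:
        return True
    a, b = normalize(old), normalize(new)
    return a == b or levenshtein(a, b) <= max_edits


if __name__ == "__main__":
    for old, new in SAMPLE_PAIRS:
        verdict = "minor variation" if is_minor_variation(old, new) else "genuinely different"
        print(f"{old!r:>14} -> {new!r:<32} {verdict}")
```

A check like this only works at the moment of change, when the user has just supplied the old password in cleartext; it cannot be run afterwards against stored hashes. It also says nothing about whether the new word is guessable (Football9 passes), so it sits beside a banned-word or breach-list check rather than replacing one.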

  • ich.ni.san wrote:

    Has the thinking on password change frequency changed again?  I thought the most recent recommendation from NIST was to change passwords when they were believed compromised.

    https://pages.nist.gov/800-63-3/sp800-63b.html#sec5

    I've tried to convince management of not forcing password change at the last couple of places I've been at but they overruled me. Thankfully I was able to make mine long enough and check the box for password never expires.

    Spice (2)

  • From Microsoft

    Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.

    We are still expiring them once a year but I am pushing for never :-)

    Spice (9)

    4 found this helpful

  • What "compromised" means is the question. Coworkers sharing passwords for "really important reasons..." is one way a password can be compromised IMHO. I know sharing is caring but not in this context. I would follow NIST and never change unless it is really compromised, but as long as my users do that I can't

    So my answer is 61-90 days. It's exactly 90 days here.

    Spice (1)

    0 of 1 found this helpful

  • APin wrote:

    What "compromised" means is the question. Coworkers sharing passwords for "really important reasons..." is one way a password can be compromised IMHO.

    I no longer fuss much when I find out that an executive shared a password.  I don't even dig into the why.  I just force a password change for them.

    And, forcing that change has done more to prevent sharing than all of the explanations and admonishments ever did.

    Spice (8)

  • The "standard" 60-90 days was old information and no longer valid.

    Spice (2)

  • Yearly, or anytime there is any indication of possible compromise. We enforce a 20 character minimum (25+ for our admins) and only force you to change yearly if there are no suspicious events, and I honestly still think that's too often. If they're not compromised, and there's nothing suspicious about the login attempts, you're just forcing folks to have to re-learn their password and putting extra strain on your Level 1 technicians.

    Spice (4)

    1 found this helpful

  • ich.ni.san wrote:

    I no longer fuss much when I find out that an executive shared a password.  I don't even dig into the why.  I just force a password change for them.

    And, forcing that change has done more to prevent sharing than all of the explanations and admonishments ever did.

    When I find out I do the same. When I started here I found some coworkers' passwords glued to a monitor frame and so on... now they hide those notes much better. I'll stick with the 90 days until top level approves our 2FA project.

    Spice (1)

  • In my previous company the policy was every 90 days and they made sure it was a complex password: alphanumeric, upper and lower case with a special character. I think a group of the users got together and came up with the following

    WinterSpringSummer

    Autumn

    to cover off the Upper and lower case part of it

    xxxx as the year followed by a full stop

    so it would become depending on the time of year

    Winter2020. etc

    Spice (2)

  • We have it set to 90 days to change, with a minimum number of characters and the usual numbers and special characters requirements.

    But I did read a good article stating that having a lot of requirements within the password actually makes the password weaker; they suggested just increasing the length of the password to a minimum of 12 characters and then getting rid of all requirements and the usual 90-day password changes.

    Spice (1)

  • I change passwords as infrequently as possible.

    Edit: At this moment in time I have 216 passwords in my password manager

    Spice (1)

  • For our audit we have to "periodically" change our domain passwords.  We were able to justify moving from every 60 days (8 character min, complex) to 180 days (12 character min, complex), and have MFA.  I preach about passphrases to anyone who will listen--and those who don't!  We also use LastPass company wide. 

    Bitwarden has a great passphrase generator (the URL says password, but there's a toggle for passphrase).

    https://bitwarden.com/password-generator/

    Personally, I have MFA on every account possible, and only change passwords when there's a suspected compromise.

  • You guys change your passwords?  Lunacy!

  • If MFA is used, do not force people to change their password that often.  Changing passwords every 60 - 90 days, is likely to DECREASE security.

    Spice (3)

  • As often as I change the sticky notes on my monitor.

  • C.J.R. wrote:

    At this moment in time I have 216 passwords in my password manager

    I have 257 unique credentials in my personal password manager and 430 in my business password manager.  Can you imagine how long it would take to rotate those passwords every 60-90 days? 

    Spice (2)

  • Chris2741 wrote:

    We're annual for Office 365 with MFA required.  For our domain, due to PCI compliance standards requiring it, we're at 90 days.  I'd love to know a way to push out the domain password requirement farther and still comply with PCI (can you argue that MFA is a compensating control, for example?)

    PCI is specifically worded that the only way it is acceptable to have a password be valid for longer than 90 days is if the system outright can't support it. At least that was true the last time I looked at the DSS.  The expiry requirement is probably a byproduct of the wholly inadequate password length requirement - a whopping 7 characters. Forcing users to change passwords just leads to many people having passwords like Spring2022, Summer2022, Winter2023, ... you get the picture.  People aren't going to put in the effort to make and remember a complex password when they are forced to change it on a schedule.

    Long passwords/passphrases should be the standard.  A minimum of 18 characters, and no complexity requirements (should be encouraged, but not enforced).  Passwords/phrases should be checked against a dictionary if possible to ban known and overly simple passwords.  No requirement to change on a schedule.  However, if you click on a phishing email, you're changing your password.  And, of course, for any other indication that the password may be compromised.

    Spice (1)

    1 found this helpful

  • Although NIST may have changed their recommendations regarding passwords, a lot of different compliance standards have not. We're stuck with 90-day password changes and MFA across all departments to be compliant.

  • I believe my users change their passwords based on when the adhesive on the sticky note has failed, or they get a new keyboard... ; )

    Past that, long passwords and really because I'm old school, annually. I mean, if you can crack the password that will take 270,000 years to brute, you can just go ahead and have my data. But just in case you're lucky we'll just change it so we remember how...LOL

    If I'm forced to set one for someone else, my favorite disposable complex passwords are emoticons:

    :)4ASmile

    ;)4AWink

    I think I still have a coffee cup somewhere with the old school list on it somewhere...

  • I'll echo some previous comments. Personally I have different passwords and 2FA or MFA setup on all my different accounts.  IF they can get into one they will not be getting into another. 

    Spice (1)

  • We would be hunted down and killed if we made people change passwords more frequently than annually. That was a compromise. The people who pay us wanted never as an option.

    Also as part of the compromise, we make them use MFA.

    Spice (1)

  • It depends on the source

    Some every year or 6 months

    Others only when needed if there are 16 characters or more

    It depends on policy and 2 factor

  • This poll has a lot of unaddressed conditions. 

    • With or without MFA?  
    • For TheOnion or my bank account?
    • How long/strong of a password?
    • With or without alerts that the account has been accessed?

    Spice (5)

    1 found this helpful

  • The poll options really seem to be based on old data about what's considered best practice.

    Spice (4)

  • 20 character minimum seems brutal and 25 seems ridiculous. Honestly coupling that with a yearly change is just asking for users to write down their passwords and make it even easier for someone to get a high level password in your company. @Jrx1216

    Spice (2)

  • I selected "whenever" or whatever the whenever-type option was ...

    Work forces a password change on AD accounts every 90(?) days.  We also use 2FA/MFA for the M$ online stuff (Office, Azure, etc.).

    Personally ...

    What's a password?  I've been using passphrases for the important accounts (bank, personal PC, etc.) for decades, and only use passwords on unimportant things that pose no threat if they are infiltrated.  Also, I started using 2FA/MFA a few years ago ... got 13 accounts in Authy now.

    All (well, almost all) accounts use a different password or passphrase, even/especially the "throw-away" accounts ... that's why there's over 400 entries in my password safe (KeePass).

    As many have already said, enforcing cyclic password/passphrase changes REDUCES security - I won't bother to reiterate why.

    Spice (1)

  • I'm thankful I have 1Password to alert me of possible compromised passwords; I've nearly changed several dozen to strong pw's plus 2FA, shouldn't have to change anything for a while.

  • We use SpecOps to handle passwords. We used to have a real problem with the Spring, Summer, Fall (or Autumn), and Winter, as well as the year. Now we can ban those and other words. It automatically checks for compromised passwords based on recent leaks. My favorite feature so far though is the gamification; we are able to set levels of expiration depending on password length. If your password is 8-13 characters - reset every 100 days, 14-19 - every 150 days, 20 plus, every 200 days. That feature alone has been night and day for our org's average password length. 

    People also love the fact that it will tell you why your new password doesn't work, it actually tells you why.

    Spice (1)
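An added example (not SpecOps' code, nor any poster's) that puts together the policy pieces from the post above and from the PCI/passphrase post earlier in the thread: a banned-word list plus the season-and-year pattern, a lookup against a breach list, length-tiered expiry (8-13 characters every 100 days, 14-19 every 150, 20 plus every 200), and a verdict that reports every reason for rejection rather than a bare "invalid password". The banned words and the two "leaked" entries are constructed stand-ins.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Length tiers and expiry days as described in the SpecOps post above.
# Anything shorter than the first tier is rejected outright.
EXPIRY_TIERS = [(8, 13, 100), (14, 19, 150), (20, None, 200)]
MIN_LENGTH = EXPIRY_TIERS[0][0]

# The Spring2022 / Winter2020. family the thread keeps returning to.
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter)\W*(19|20)\d{2}", re.IGNORECASE)

# Constructed banned-word list; a real deployment would load the organisation's own.
BANNED_WORDS = ("password", "welcome", "letmein", "qwerty")

# Constructed stand-in for a breach corpus: SHA-1 digests of two passwords the demo
# treats as leaked. A real deployment would consult a maintained breach feed instead.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Summer2023", "P@ssw0rd123")}


@dataclass
class Verdict:
    accepted: bool
    expiry_days: Optional[int]
    reasons: List[str] = field(default_factory=list)


def expiry_for_length(length: int) -> Optional[int]:
    """Map a password length onto its expiry tier; None when below the minimum."""
    for low, high, days in EXPIRY_TIERS:
        if length >= low and (high is None or length <= high):
            return days
    return None


def evaluate(password: str) -> Verdict:
    """Apply the policy and collect every reason for rejection, not just the first."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if SEASON_YEAR.search(password):
        reasons.append("season name followed by a year")
    lowered = password.lower()
    for word in BANNED_WORDS:
        if word in lowered:
            reasons.append(f"contains banned word '{word}'")
    if hashlib.sha1(password.encode()).hexdigest() in LEAKED_SHA1:
        reasons.append("appears in the known-breach list")
    if reasons:
        return Verdict(False, None, reasons)
    return Verdict(True, expiry_for_length(len(password)), [])


if __name__ == "__main__":
    # Constructed candidates, two of them quoted in other posts in this thread.
    for candidate in ("Summer2023", "P@ssw0rd123", "Xuz25@r3jGit",
                      "I grew up on th1rd street!", "short1!"):
        v = evaluate(candidate)
        if v.accepted:
            print(f"{candidate!r}: accepted, expires in {v.expiry_days} days")
        else:
            print(f"{candidate!r}: rejected: " + "; ".join(v.reasons))
```

Hashing the candidate and comparing digests is how a breach lookup avoids keeping a plaintext corpus on the policy server; the set here is tiny only so the block runs offline.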

  • At a previous employer the passwords were only changed when 1) there was a compromise 2) when the Man in Charge said to, which was never, because when we did enforce a policy, we spent way too much time resetting passwords that the users had just reset and forgot, or forgot to update their post-IT! 

    Spice (2)

  • rrpIT wrote:

    20 character minimum seems brutal and 25 seems ridiculous. Honestly coupling that with a yearly change is just asking for users to write down their passwords and make it even easier for someone to get a high level password in your company. @Jrx1216

    Have to disagree with you here. Jrx1216 explains a much more secure method - a passphrase is much more secure than any other combination of upper/lower alpha/numeric requirement. Having a 16 character minimum with no other complexities and yearly expiration is about as secure as you can get with user passwords. It's best to have a space somewhere in the passphrase.

    I'm pretty sure Roger (KnowBe4)  did an article on password complexities and the benefits of passphrases over shorter complex passwords.

    Spice (1)

  • 2FA - every thirty seconds....New Code/token

    The biggest problem with constantly changing passwords and not allowing old ones is the Sticky Note Security Breach Syndrome, because no one remembers their password. Or they type it in the NOTES section of the phone.

    First 5 places I look for passwords 

    (1) Sticky note on monitor

    (2) Sticky Note on back of keyboard.

    (3) Sticky note in top drawer of desk.

    (4) Notes app on cell phone.

    (5) Contact in phone.

    Of course, once you break into the CPU, usually just search for an Excel spreadsheet named Passwords and you will probably find a whole list of usernames and passwords that the user uses on different sites.....

    Sometimes too much security can cause people to circumvent those procedures out of convenience or patience....

    Spice (1)

  • rrpIT wrote:

    20 character minimum seems brutal and 25 seems ridiculous. Honestly coupling that with a yearly change is just asking for users to write down their passwords and make it even easier for someone to get a high level password in your company. @Jrx1216

    As PCC Bob mentioned, we suggest our users do passphrases. Telling even a blue collar worker to remember "I grew up on th1rd street!" is way easier for them than remembering "Xuz25@r3jGit". That's 26 characters vs 12. Obviously we tell them to use a phrase that's easy for them to remember but hard for someone else to guess, and combined with MFA, it's been a hugely successful rollout for us. We've actually seen folks do significantly more than 25 once they realized how easy a phrase can be to remember. Especially the folks that like to include profanity... just string together a bunch of profane words and your boss's name, and you've easily got 30 characters! Throw in some special characters for complexity requirements and you're golden! :p

     The only problem is that when the yearly reset wave rolls in, it's a huge burden on our helpdesk, and I personally think we should stop with the yearly reset. 

    Spice (5)

    2 found this helpful
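An added example (not a poster's code) that puts numbers on the 26-versus-12 comparison in the post above. It computes the brute-force search space implied by the character classes a password uses, and, as the caveat a reviewer would raise, the much smaller figure an attacker faces if they know the passphrase is six common words. The guess rate and the 20,000-word vocabulary are assumptions, not data from the thread.

```python
import math
import string

# Attacker throughput assumed for the time-to-exhaust figure (an assumption, not data
# from the thread): one trillion guesses per second against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes and alphabet sizes; together they cover the 95 printable ASCII characters.
CHAR_CLASSES = (
    ("lower", frozenset(string.ascii_lowercase), 26),
    ("upper", frozenset(string.ascii_uppercase), 26),
    ("digit", frozenset(string.digits), 10),
    ("symbol", frozenset(string.punctuation + " "), 33),
)


def alphabet_size(pw: str) -> int:
    """Size of the class-based alphabet a brute-force attacker must cover."""
    return sum(size for _, chars, size in CHAR_CLASSES if any(c in chars for c in pw))


def brute_force_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    size = alphabet_size(pw)
    return 0.0 if size == 0 else len(pw) * math.log2(size)


def dictionary_bits(word_count: int, vocabulary: int = 20_000) -> float:
    """Entropy if the attacker knows the passphrase is `word_count` common words
    drawn from a `vocabulary`-word list (20,000 is an assumed list size)."""
    return word_count * math.log2(vocabulary)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def compare(passphrase: str, complex_pw: str) -> dict:
    """Brute-force and dictionary-aware figures for the two styles side by side."""
    words = len(passphrase.split())
    return {
        "passphrase_brute_bits": brute_force_bits(passphrase),
        "passphrase_dictionary_bits": dictionary_bits(words),
        "complex_brute_bits": brute_force_bits(complex_pw),
    }


if __name__ == "__main__":
    result = compare("I grew up on th1rd street!", "Xuz25@r3jGit")
    for label, bits in result.items():
        print(f"{label:<28} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years at 1e12/s")
```

Even on the pessimistic dictionary model the six-word phrase still beats the twelve-character complex string, which is the post's point; neither figure helps against phishing or reuse, which is why the posters pair either style with MFA.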

  • NIST's official recommendations (and now Microsoft's, following NIST) in NIST SP 800-63 say don't change passwords unless you know they've been compromised. The problem is you usually don't know when they've been compromised. I wrote an article on this last year:  https://www.linkedin.com/pulse/why-passwords-must-periodically-changed-roger-grimes/.

    Additionally, I'm working on a big password whitepaper that will cover this topic among many others, which I think will become the definitive guide on password policy (showing how humble I am). <grin> I should have it finished in another few weeks, but when KnowBe4 publishes it will be another thing...but not too many months out. But I've got a ton of good research and a really good approach that I'll recommend based on the data. 

    I also created this infographic regarding my previous password policy recommendations (shown below), but it does not include my latest thinking...which is mostly...make your passwords longer, especially if you use Microsoft Active Directory. 

    Spice (2)

    1 of 2 found this helpful