Unfortunately, many companies still have security policies according to frequently password changes for endusers. Which first sounds like a good idea may fastly result in a less better security – I also often call this security by obscurity. So, why is password rotation a bad idea nowadays? First, let us have a look at the past before year 2000, where users had really short passwords with less than 10 characters. Many dynamic websites (e.g. free mailers, etc.) at that time enforced a password length of 6-10 characters and did not accept any special characters. As a result, it came to the well known passwords like abc123, 12345678, gyptazy2000, gyptazy89 etc. where users created an easy to guess combination of names, birthdates etc. With more compute power, brute force attacks became more easy. As a result, passwords got longer including further special characters. Within the first iteration, many special characters like $ (USD), ‘ (single quote), “ (double quote), ` (backticks), | (pipe), % (percent), and etc. were forbidden or stripped because of a bad underlying SQL database usage. You may remember easy SQL injections based on bad and dangerous statements like (at this point, please do not take care about missing hashing and salting, this is not part of this article and unrelated):
password = "SELECT * FROM users WHERE password = '" + password + "'";Some time later, by giving users the possibility to use longer passwords with special characters, passwords were mostly still easy to guess by using leet speak. A user with the nickname Devil, born in the year 1988 (and published his birthdate on MySpace (good old times), Facebook, StudiVZ etc.), might have used the password D3v!L88. As another example, someone with the first name Matt might have used M@tt88!. The same applies to Jennifer by using a password J3nn!f3r2020. While this looks pretty fine (just a little bit too short), it might still be easy to guess. However, brute force attacks might still be easily applicable by replacing and trying common leet speak characters. Later, with upcoming password managers and auto-generated passwords that fit all common complexity requirements, these issues were mostly solved. At this time, users were able to use long, complex and unique passwords for each service without any need to remembers these ones. Besides this, two factor authentication was a big improvement for the overall security. Today, users might still have to enter an initial password to boot their encrypted device where they are mostly unable to use the password manager located on their device (or have to use another device, mostly the private one). Advanced users might have taken the chance to memorize a unique and strong password for this procedure. Now, let us get back to the initial point. Unfortunately, many companies still have security policies according to password rotation for endusers. Which first sounds like a good idea may fastly result in a less better security. So, why is password rotation a bad idea? Users are not willed to memorize a new, long, secure and random generated password every 90 or 180 days. As a result, they will step back to the previously mentioned bad passwords like D3v!L88, M@tt88! and J3nn!f3r2020 (or other common words, phrases, etc. that are included in dictionaries) which may fit the typical password requirements:
* At least 8 characters in length
* Contain upper and lower alphabetic character
* Have at least one digit
* Have at least one special character
* Some may also write them down on paper and carry them across with their device. As a result, the whole security is broken – security by obscurity
Therefore, the actual recommendations are to avoid password rotation. This was also already mentioned by other companies like Microsoft in 2019, BSI in 2020 and NIST in 2017.
Microsoft 365 Portal says:
"Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers."
General improvements:
Instead, define really helpful improvements to increase the overall security. Do not force users to frequently rotate their passwords and help them to use secure ones. These points may help them to choose a good one:
Allow password pasting:
Allow user to paste their passwords. Nothing annoys more than being forced to type a complex password two times by hand. There is no reason to not allow a user to paste a generated password. Otherwise, the users will stick down to have an easy to guess password.
Enable „Show password while typing“:
Still, not everyone may use a password manager. However, let them show their typings to be aware of their password. It might also help to write a password, especially on remote sessions with different keyboard layouts, where no copy/paste is possible by design.
Run backed password protection:
Validate the hashes of passwords against blacklists that includes dictionary words, sequential strings or hashes of prior security breaches.
Avoid passwords hints:
Some companies and websites provide password hint options. Do not provide these ones! Mostly, these ones are basic information which can be easily obtained by social medias.
Limit login attempts:
Limit the login attempts to avoid brute forces.
Two factor authentication:
The most important one – enforce users to use two or multi factor authentication. While this may lead into further discussions keep in mind, that another level of authentication is better than a missing one. This being said, even SMS is a proper one, even it is not the best one.
Conclusion:
Security can be extended by providing a good user experience instead of being pain. It is mandatory to keep it easy an simple but secure. Always keep in mind – do security, not obscurity!