Everyone hates changing their passwords.
You have to remember your new password. You have to update the sticky note underneath your keyboard (stop writing it down!). You have to enter your password into multiple devices. You might lose access to systems because the password change didn't take effect properly. If you forget your password after you changed it, then you might lock yourself out typing it incorrectly, causing a whole new set of problems.
Forced password change policies are tedious and unnecessary. That said, every business should have a password policy. There's great value in enforcing things like password complexity or minimum password length, and it's important to define a policy that sets a solid standard for password security in your business.
However, if your company password policy forces regular password changes, it is likely doing more harm than good.
Think we're crazy?
Microsoft doesn't think so. They've been saying this since 2016. Neither does the National Institute of Standards and Technology (NIST). SANS Security Awareness thinks password expiration should go away as well!
Does this mean you should call your IT department right now and tell them to remove this "old-school" security process? Maybe, but more than likely, not yet.
This should be a conversation that leads to replacing older security mindsets and policies with modern ones designed to mitigate real risks. Consider removing your password expiration policy while in parallel implementing Multi-Factor Authentication (MFA) and improved identity protection technologies that can detect risks and reduce the need to share passwords.
Also, consider security awareness training for your staff; they are at the forefront of any identity threat. An educated workforce is the best defense against the new deceptive tactics used by malicious entities!
Interested in having a conversation about technology in your business?