Password Expiry is a Terrible Policy

Posted on January 29, 2019 in Information Security

A pet peeve, and an opinion, triggered by a recent experience:

Regularly occurring enforced password expiry is a terrible policy, whether it is every 60 days or every 12 months. As a policy, it encourages users to choose the minimally secure password. Given a set of password complexity requirements (length and content), the user will almost certainly choose a password which only just meets those requirements, knowing they will need to change their password again in the near future. Why bother creating and memorizing a good, secure password if you need to change it in 90 days?

There is a Better Way

First, and most important: implement some manner of multi-factor authentication (MFA), even if it is just SMS based MFA. It’s much better than nothing! MFA also obviates the need to auto-expire passwords since it protects against a compromised password.

MFA notwithstanding, a better solution is to encourage password complexity and to implement proper password content and quality settings. Require your users to use OWASP-compliant passwords (10-character passwords are no more difficult to remember than 8-character passwords), encourage them to go beyond OWASP requirements (e.g., 12-character passwords) and to use a password manager, and then ditch password expiry.
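To make "content and quality settings instead of expiry" concrete, here is an added example (not code from the original post) of a password-quality check that enforces the post's 10-character floor and 12-character recommendation, and notably contains no password-age check at all. The denylist, the username check and the variety check are constructed assumptions for illustration, not a statement of what OWASP requires.

```python
"""Password quality check that replaces expiry with content rules.

Assumed policy: minimum 10 characters and 12 recommended (figures from the
post); the denylist and the remaining checks are constructed for this example.
Note what is absent: nothing here looks at how old the password is.
"""
import hashlib
import re
from dataclasses import dataclass, field

MIN_LENGTH = 10          # the post's 10-character floor
RECOMMENDED_LENGTH = 12  # the post's "go beyond" target

# Constructed stand-in for a breached/common-password list. In production this
# would be a large list, ideally queried by hash prefix (k-anonymity), never
# shipped in cleartext.
_COMMON_PASSWORDS = {"password123", "qwertyuiop", "letmein2019", "welcome1234"}
_DENYLIST_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in _COMMON_PASSWORDS}


@dataclass
class Verdict:
    accepted: bool
    problems: list = field(default_factory=list)  # hard failures
    advice: list = field(default_factory=list)    # soft suggestions


def check_password(candidate: str, username: str = "") -> Verdict:
    """Reject a candidate for content/quality reasons, or accept it with advice."""
    problems, advice = [], []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(candidate) < RECOMMENDED_LENGTH:
        advice.append(f"consider {RECOMMENDED_LENGTH}+ characters or a password manager")
    # Lookup is by hash so the cleartext denylist never needs to live in the app.
    if hashlib.sha1(candidate.encode()).hexdigest() in _DENYLIST_HASHES:
        problems.append("appears in the known-common/breached list")
    # A password built around the username is guessable regardless of length.
    if username and len(username) >= 3 and username.lower() in candidate.lower():
        problems.append("contains the username")
    # One repeated character or an all-digit string meets length but not quality.
    if re.fullmatch(r"(.)\1+", candidate) or candidate.isdigit():
        problems.append("low variety: repeated character or digits only")
    return Verdict(accepted=not problems, problems=problems, advice=advice)


if __name__ == "__main__":
    for pw in ("short1", "password123", "Tr0ub4dor&3", "correct horse battery staple"):
        v = check_password(pw, username="alice")
        print(f"{pw!r}: accepted={v.accepted} problems={v.problems} advice={v.advice}")
```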