The Risks of Implementing ‘Never Expire’ Password Policies

Understanding Password Expiry Policies and Their Implications for Organizations

Password resets can create significant challenges for both end users and IT teams. The recurring ‘time to change your password’ prompts are often met with frustration, especially when newly created passwords are subsequently rejected due to organizational policies. For IT departments, handling password resets through service desk tickets and support calls is a continual drain on resources. Nonetheless, the notion that all passwords should expire after a designated period remains entrenched in cybersecurity practices.

The rationale behind password expiries primarily stems from efforts to defend against brute-force attacks. In many organizations, passwords are not stored directly but as hashed values: the output of a cryptographic hash function from which the original password cannot be read back. To access a user account, an attacker must guess the password, hash each guess and compare it against the stored value, a task made more costly through methods like salting. Brute-force attack feasibility hinges on two main factors: the attacker’s available computational power and the strength of the password itself. Historically, a 90-day password reset cycle was viewed as a reasonable compromise between mitigating risk and minimizing user disruption. Yet, advancements in technology have reduced the time needed to crack passwords, prompting renewed scrutiny of this policy. Nonetheless, the 90-day reset is still widely recommended in various compliance frameworks, including PCI.

Conversely, some organizations have abandoned mandatory password expiration altogether. A significant argument for doing so is that forced resets encourage users to recycle weak passwords. Often, users will modify existing passwords minimally—changing "Password1!" to "Password2!"—thereby undermining the purpose of the reset. The core issue, however, is not the act of resetting passwords but the inadequate policies that permit weak passwords to begin with.

Another consideration for organizations favoring ‘never expire’ passwords is the potential for alleviating the burdens on IT and service desks. According to estimates from Gartner, password reset requests account for 20% to 50% of IT help desk calls, with the average reset costing around $70 in labor per incident, as reported by Forrester. This pressure mounts particularly when users frequently forget their new passwords after resets.

While employing a strong, never-changing password might create a veneer of security, the reality is that even robust passwords are vulnerable to compromise. Risks abound through phishing attacks, data breaches, or other cyber threats that may go undetected until too late. A study from Specops revealed that 83% of passwords involved in breaches conformed to regulatory requirements for length and complexity. Even if an organization enforces a strong password policy, if employees reuse their passwords across multiple personal sites—like Facebook and Netflix—the risk of exposure increases significantly.

The threat of compromised credentials lingers, especially in scenarios where an organization typically takes around 207 days to identify a security breach, according to findings from the Ponemon Institute. While establishing expiration policies might serve to curtail attacks, there is a substantial risk that attackers would attain their objectives well before these passwords expire. Consequently, guidelines from NIST and other cybersecurity authorities urge organizations to avoid ‘never expire’ policies unless mechanisms are in place to monitor for compromised accounts.

To enhance security, organizations should implement a comprehensive password strategy that extends beyond traditional expiry protocols. This could involve encouraging users to create strong passphrases—with a recommended minimum length of 15 characters—thus effectively mitigating risks associated with brute-force attacks. A flexible aging policy that allows stronger passwords to remain valid longer can be beneficial: users who choose longer passphrases are rewarded with fewer resets, and overall security improves.

Aside from proactive password policies, it is critical to incorporate measures for detecting compromised credentials. Once a password has been violated, its ability to withstand attacks rapidly diminishes. Organizations must establish a cohesive strategy that addresses both weak and compromised passwords to ensure robust security.
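The two preceding paragraphs describe a policy with three parts: a 15-character passphrase floor, an aging rule where longer passphrases stay valid longer, and a check for credentials that are already known to be compromised. The block below is an added example that puts the three together (it is not Specops code and does not use their API). The tier thresholds, the sample breached passwords and the "range index" are constructed for the example; the lookup follows the k-anonymity pattern used by public breached-password services, where the client sends only the first five hex characters of the SHA-1 hash and compares the returned suffixes locally, so the full hash never leaves the client.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, Optional, Set

# Assumed policy values for this example (not the article's numbers beyond the 15-character floor).
MIN_PASSPHRASE_LENGTH = 15
AGING_TIERS = [          # (minimum length, maximum age in days); the longest matching tier wins
    (15, 180),
    (20, 365),
    (25, 730),
]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the hash form used by range-style breached-password APIs."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, indexed the way a range API
# serves it: 5-hex-char prefix -> set of 35-hex-char suffixes.
_BREACHED_SAMPLES = ["Password1!", "Password2!", "Summer2023!", "correct horse battery staple"]
_RANGE_INDEX: Dict[str, Set[str]] = {}
for _pw in _BREACHED_SAMPLES:
    _h = sha1_upper(_pw)
    _RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> Set[str]:
    """Server side: given only a 5-character hash prefix, return every matching suffix."""
    return _RANGE_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """Client side: only the prefix is sent; the suffix comparison happens locally."""
    full_hash = sha1_upper(password)
    return full_hash[5:] in range_lookup(full_hash[:5])


def max_age_days(password: str) -> Optional[int]:
    """Length-based aging: None means the passphrase is below the floor and is rejected."""
    if len(password) < MIN_PASSPHRASE_LENGTH:
        return None
    age = None
    for min_len, days in AGING_TIERS:
        if len(password) >= min_len:
            age = days
    return age


def evaluate(password: str, last_set_iso: str, today_iso: str) -> dict:
    """Policy verdict for one credential: compromised beats every other outcome,
    because once a password is known its remaining lifetime is irrelevant."""
    if is_breached(password):
        return {"status": "compromised", "action": "force reset now"}
    age = max_age_days(password)
    if age is None:
        return {"status": "too_short", "action": f"require at least {MIN_PASSPHRASE_LENGTH} characters"}
    expires = date.fromisoformat(last_set_iso) + timedelta(days=age)
    if date.fromisoformat(today_iso) >= expires:
        return {"status": "expired", "action": "require reset", "expires": expires.isoformat()}
    return {"status": "ok", "action": "none", "expires": expires.isoformat()}


if __name__ == "__main__":
    # Constructed sample accounts: (password, date last set), evaluated as of 2024-03-01.
    for pw, last_set in [("Password1!", "2024-02-01"),
                         ("short", "2024-02-01"),
                         ("Tq9#lumen-orbit-44-ferry", "2024-01-01"),
                         ("Tq9#lumen-orbit-44-ferry", "2023-01-01")]:
        print(f"{pw!r:30} -> {evaluate(pw, last_set, '2024-03-01')}")
```

Note the ordering in `evaluate`: the breach check runs before the age calculation, so a compromised password is forced out immediately even if its length would otherwise earn it a long lifetime, which is exactly the gap a plain expiry schedule leaves open.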

For those seeking a systematic solution to manage these challenges, integrating tools within a simplified Active Directory interface can streamline password management efforts. Specops Password Policy, for example, includes features like Breached Password Protection, continuously checking against over 4 billion identifiable compromised passwords. Exploring such solutions could fortify an organization’s cybersecurity posture.
