Password aging: Should you change passwords often?
When it comes to password aging, there is no single rule. Whether or not passwords should be changed on a schedule is still debated.
Some companies force their employees to change their credentials periodically. Others have no policy at all that defines password longevity.
So, how should you behave?
What is password aging?
Password aging (or password longevity) is a policy that requires users to change their credentials.
Each website, application, or organization sets a specific time interval (a password lifespan), for instance 30 days or 6 months. When that interval expires, the system forces the user to create a new password.
This policy is widely implemented across organizations of all kinds, from private companies to educational and financial institutions.
Why should we change our passwords regularly?
A password change is strongly encouraged in a number of situations: when your account has been breached, when you have logged in on a suspicious website or over an insecure network, or when you notice that somebody has tried to log in to your account.
In these situations, a prompt (ideally immediate) password change can block unauthorized access and protect your account from data leaks.
Updating credentials after such events also limits the damage from threats such as keyloggers or credential stuffing attacks, because a stolen password stops working once it is replaced.
How can password longevity-related policies weaken data security?
Password aging might not be the most effective credential-related policy.
Changing passwords immediately after any security incident is good practice. Regularly resetting passwords without a cause, however, has its drawbacks.
Being forced to create new passwords often leaves every third person stressed and frustrated. As a result, they fall into one of a few traps:
- they write passwords down on sticky notes (which colleagues easily find, or which get lost);
- they create weaker, easy-to-remember passwords;
- they modify the password only slightly (e.g. by changing one number);
- they reuse an old password.
In these cases, the effectiveness of password aging raises some serious doubts. What are they?
Debate on password aging: should you change passwords very frequently?
Password longevity raises a critical question: is it really the most effective way to improve data security? What if people who are forced to change their passwords simply replace them with shorter, weaker ones that are easier to crack?
Then what is the point? Is there such a thing as an ideal password lifetime?
Some cybersecurity specialists support the password-aging idea and some reject it. We think they might all be right.
Blindly enforcing a password aging policy inside an organization for its own sake is not a sustainable, security-oriented strategy. Employees will always look for shortcuts to reduce password frustration.
How to enforce an effective password longevity policy?
There is one rule all cybersecurity specialists agree on: get used to updating passwords immediately after any security incident, accidental data disclosure, or other sign of compromise.
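The following is an added example, not code from the original post or from PassCamp, that turns the two points above into a checkable policy: a reset is required only when an account has been flagged as compromised (not because time has passed), and a requested password change is rejected when it falls into the traps listed earlier (reusing an old password, or changing the current one only slightly). The account structure, the similarity threshold, the PBKDF2 parameters and the sample passwords are all assumptions chosen for illustration.

```python
"""Event-driven password-change policy (illustrative example, not PassCamp code).

Resets are forced only on a recorded compromise, and a new password is
checked against the current one and a short hashed history so that trivial
edits ("Winter2023!" -> "Winter2024!") and reuse are rejected.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Assumed policy parameters; tune to your own risk appetite.
MIN_LENGTH = 12
HISTORY_SIZE = 5          # how many previous password hashes to remember
MAX_SIMILARITY = 0.8      # SequenceMatcher ratio above which a change is "too similar"
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    """Constructed account record: current hash, bounded history, compromise flag."""
    username: str
    salt: bytes
    digest: bytes
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)
    compromised: bool = False   # set by incident response, e.g. after a breach notice


def create_account(username: str, password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(username, salt, digest)


def change_required(account: Account) -> bool:
    """Force a reset only when something happened, never just because time passed."""
    return account.compromised


def check_new_password(account: Account, old_password: str, new_password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the change is acceptable."""
    problems: List[str] = []
    if not verify_password(old_password, account.salt, account.digest):
        return ["current password incorrect"]
    if len(new_password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Trap: reusing the current password or one from the remembered history.
    stored = [(account.salt, account.digest)] + account.history
    if any(verify_password(new_password, s, d) for s, d in stored):
        problems.append("reuses a previous password")
    # Trap: changing only a character or two. The old password is available in
    # plaintext at change time, so a direct similarity check is possible here.
    ratio = SequenceMatcher(None, old_password.lower(), new_password.lower()).ratio()
    if ratio > MAX_SIMILARITY:
        problems.append("too similar to the current password")
    return problems


def apply_change(account: Account, old_password: str, new_password: str) -> List[str]:
    """Apply the change if policy allows it; returns the violations otherwise."""
    problems = check_new_password(account, old_password, new_password)
    if problems:
        return problems
    account.history.append((account.salt, account.digest))
    del account.history[:-HISTORY_SIZE]          # keep only the last HISTORY_SIZE hashes
    account.salt, account.digest = hash_password(new_password)
    account.compromised = False                  # the incident that forced the reset is resolved
    return []


if __name__ == "__main__":
    acct = create_account("alice", "Winter2023!")            # constructed sample
    print(check_new_password(acct, "Winter2023!", "Winter2024!"))
    print(apply_change(acct, "Winter2023!", "correct horse battery staple"))
```

The similarity check uses the plaintext of the old password only because the user has just supplied it to prove ownership; nothing beyond salted hashes is stored. The same structure extends naturally to other compromise signals (a password found in a breach corpus, a login from an unexpected location) by setting the `compromised` flag from that event rather than from a calendar.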
Also, to benefit from a password aging policy, educate your employees. Without a basic understanding of cybersecurity, people will fall into the traps mentioned above and weaken their data security. Help them understand the risks of insecure data handling, and encourage them to update old credentials safely.
You should then also provide the tools to achieve that. Forbidding sticky notes or Excel sheets for password storage will not change bad habits on its own; people will simply find other (dangerous) ways to manage passwords effortlessly.
Provide your employees with a secure and reliable tool that removes the need for those workarounds: a password manager like PassCamp.
An encrypted password management tool lets users store complex credentials without typing or memorizing them. PassCamp fills login fields automatically.
Check out PassCamp today and notice an increasing level of password security inside your organization.