Thoughts on scheduled password changes (don’t call them rotations!)

We’re all still using passwords on many, perhaps most, of our accounts, because we’re all still using plenty of online services that don’t offer any other sort of login system.

Just today, for instance, I paid membership fees to a cycling-related group that asked for my postal address so it could send me my membership card, which I thought was a delightfully simple and old-school way of letting me retrieve my membership number in future while out on the road.

In the sort of cold and soggy weather you get for much of the year in England, digging out a mobile phone, waiting for a signal, taking off your gloves (they’re not much fun to put back on when you’re winter-waterlogged), and fiddling around with apps, websites, passwords, 2FA codes and more…

…well, it’s just not as easy as finding a waterproof, crash-proof, no-batteries-required, plastic card with your basic details on it.

But along with my payment confirmation, informing me that my membership card was on its way, was a reminder that if ever I wanted to renew my membership, or to request a replacement waterproof, crash-proof, no-batteries-required, plastic card (sadly, they aren’t loss-proof), I’d need to create an account on the group website, so why not choose a password right now?

Simply put, to avoid the need for a password in the first place, I’d need to create one in the second place.

And whenever passwords come up, a long-running question comes up too:

Should you change all your passwords all the time to make them fast-moving targets for cybercriminals, or lock in really complex ones to start with, and then leave well alone?

Indeed, that was the issue facing a long-term Naked Security reader this very morning, whose own IT team were on the horns of this very dilemma, possibly because of a cyberinsecurity near-miss that they’d just experienced first hand.

Which is better?

Complex passwords or passphrases that may not get changed often, or poorly-chosen passwords that are changed regularly?

Thoughts and cogitations

Our thoughts on the matter are as follows:

  • Changing passwords regularly isn’t an alternative to choosing and using strong ones. If you want to change your password every month, that’s your choice, but it’s not an excuse for starting with your cat’s name and using minor variants of it every few weeks.
  • Forcing people to change their passwords routinely may lull them into bad habits. Many users simply adopt a predictable mechanism, such as adding -01, -02, -03 and so on to satisfy the letter (but not the spirit) of your password replacement rules. Attackers can figure out that sort of behaviour.
  • Scheduling password changes may delay emergency responses. If you always change your password every few weeks, there’s less incentive to change it right away if you think you might have been phished. After all, you’ll be changing it “soon” anyway.
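The -01, -02, -03 trick in the second point above can be caught at password-change time. What follows is an added example, not code from the original article: a small Python check that rejects a new password if it shares its stem with a previous one once a trailing counter is stripped, or if it is simply too close to a previous one overall. The history list, the similarity threshold of 0.8 and the minimum length of 14 are assumptions made for the demonstration; in a real system you would normally only have the user's current password in plaintext (they have just typed it into the change form), so you would compare against that one rather than against a stored plaintext history.

```python
import re
from difflib import SequenceMatcher

# Constructed sample history for one user (plaintext only for this
# demonstration; real systems store hashes and can only compare the new
# password against the old one the user has just typed in).
PASSWORD_HISTORY = ["Tibbles-January-01", "Tibbles-January-02"]

# A trailing counter: optional separator plus one to four digits at the end.
TRAILING_COUNTER = re.compile(r"[-_ ]?\d{1,4}$")


def normalise(pw):
    """Drop a trailing counter and fold case so 'Tibbles-January-03' and
    'tibbles-january4' compare as the same stem."""
    return TRAILING_COUNTER.sub("", pw).casefold()


def is_trivial_variant(new_pw, old_pw, threshold=0.8):
    """True if new_pw is the old password with only a counter changed, or is
    otherwise too similar to it (SequenceMatcher ratio is 2*matches/total)."""
    if normalise(new_pw) == normalise(old_pw):
        return True
    ratio = SequenceMatcher(None, new_pw.casefold(), old_pw.casefold()).ratio()
    return ratio >= threshold


def check_new_password(new_pw, history, min_len=14):
    """Return (accepted, reason) for a proposed password change."""
    if len(new_pw) < min_len:
        return False, "too short"
    for old in history:
        if is_trivial_variant(new_pw, old):
            return False, "too similar to a previous password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Tibbles-January-03", "Tibbles-January!!",
                      "sodden gloves thirty miles"]:
        print(candidate, "->", check_new_password(candidate, PASSWORD_HISTORY))
```

The stem comparison is what catches the counter trick; the similarity ratio is a backstop for people who swap the counter for a pair of exclamation marks instead. Tune the threshold to your own population: too high and the backstop never fires, too low and genuinely new passphrases that happen to share a few words get rejected.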

Regularly changing your password doesn’t magically make it a better password.

Only choosing a better password in the first place makes it a better password! (This is where password managers can help.)

In other words, we suggest that you first address the problem of helping your users to choose decent passwords, then encourage them to recognise cases where they should change their passwords right away, without needing a timetable to tell them to do so…

…and only then should you worry about whether you really need a “regular changes regardless” password policy as well.

The risks of rote behaviour

Demanding password changes every month when you simply don’t need to is just inviting people to save their new passwords insecurely, to choose new passwords sloppily, to rotate through a repeating sequence of N related passwords, or to wait for the next scheduled change before updating their passwords, even in emergencies.

Having said that, locking out users who haven’t accessed specific company accounts for a certain time is a good idea. (This also guards modestly against forgotten accounts, because they eventually expire automatically.)

Locking users out for inactivity is more intrusive than simply forcing them to reset their passwords regularly, and therefore unpopular.

But if someone has a company account login that they aren’t using, why not push them to justify in person why they still need it after they haven’t used it for, say, six months or a year?
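As an added example (not part of the original article), here is the sort of check that produces the list of people to ask. It takes a constructed account export with a creation date and a last-login date, flags accounts idle for longer than a chosen limit, and treats accounts that have never been used at all as a separate case with a shorter grace period, since those are the ones most likely to be forgotten. The 180-day and 30-day limits, the field layout and the sample records are all assumptions made for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export: (username, created, last_login or None).
# All timestamps are timezone-aware ISO 8601; mixing naive and aware
# datetimes would make the subtraction below raise TypeError.
ACCOUNTS = [
    ("alice", "2023-01-10T09:00:00+00:00", "2024-02-01T08:30:00+00:00"),
    ("bob",   "2023-03-05T09:00:00+00:00", "2023-06-20T17:45:00+00:00"),
    ("carol", "2023-11-15T09:00:00+00:00", None),  # provisioned, never used
]


def parse(ts):
    """Parse an ISO 8601 timestamp (with offset) into an aware datetime."""
    return datetime.fromisoformat(ts)


def inactive_accounts(accounts, now, max_idle_days=180, never_used_grace_days=30):
    """Return the accounts whose owners should be asked to justify keeping them.

    An account that has been logged into is idle if its last login is older
    than max_idle_days. An account that has never been logged into is measured
    from its creation date against the shorter never_used_grace_days instead.
    """
    flagged = []
    for user, created, last_login in accounts:
        if last_login is None:
            idle = now - parse(created)
            limit = timedelta(days=never_used_grace_days)
            reason = "never used"
        else:
            idle = now - parse(last_login)
            limit = timedelta(days=max_idle_days)
            reason = "idle"
        if idle > limit:
            flagged.append({"user": user, "reason": reason, "idle_days": idle.days})
    return flagged


if __name__ == "__main__":
    # Fixed "now" so the run is reproducible; use datetime.now(timezone.utc) in practice.
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    for entry in inactive_accounts(ACCOUNTS, now):
        print(f"{entry['user']}: {entry['reason']} for {entry['idle_days']} days")
```

Run this against a real export and the output is your list of people to go and ask; an account that comes back with a good answer stays, and one that doesn’t gets disabled rather than left for someone else to find.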

After all, if it’s a login for a product or service that charges a per-user fee… you may even be able to save the cost of their subscription.

And if they genuinely don’t need the account any more, you’re helping them to stay out of trouble by preventing rogues and cybercrooks from doing bad things in their name.
