One of the ironies of being a small business owner concerned about security is that you have to share your data in order to be effective. For your business to run, you have to give some employees access to sensitive information, which is of course inherently less secure than keeping everything to yourself. This can be scary, and rightly so!
As such, we implement measures to protect ourselves. One of these measures is requiring employees to enter a password before accessing our internal systems. That way, only people we trust can get to our data. But passwords can be tricky—they can be guessed or stolen or discovered some other way. And that can cause real problems.
In fact, 80% of cybersecurity attacks involve a weak or compromised password. To keep your business protected, it’s crucial to make sure your password policies follow the recommended industry guidelines.
Changes in password guidelines
Historically, we’ve been told that having employees change their passwords on a regular basis was a best practice for password and access management. However, the National Institute of Standards and Technology (NIST) updated its guidelines to recommend not requiring password changes for your employees unless you have reason to suspect a breach.
So why this shift in recommendations? It turns out there are many good reasons to not require password changes.
Encouraging stronger passwords
First, requiring frequent password changes encourages employees to create weaker passwords. They won’t ever have the time to memorize them properly and will often create something simple—like the dreaded ‘qwerty’, ‘12345’, or ‘password’—that they can then make small changes to with each new password change cycle.
Removing this requirement allows users to create stronger passwords that will stay with them for the length of their employment. NIST recommends allowing up to 64 characters with no character-composition requirements, to encourage the use of passphrases, which are now recommended as one of the most secure forms of password protection.
Less user impact, greater hacker deterrence
One of the most important things to consider when implementing cybersecurity policies is user impact vs. hacker deterrence. In other words, you don’t want to enforce a policy that’s extremely inconvenient to users unless it significantly prevents cybersecurity attacks. Otherwise, you end up with many annoyed employees and not much benefit.
Unfortunately, it’s been shown that requiring regular password changes does just that—it’s a policy that tends to cause users lots of headaches and annoyance. And with newer hacking technology, simply changing your password is just not that effective anymore.
Hackers can use techniques to guess an extremely large number of different passwords in a very short time, and research from Carleton University has shown that password changes only slightly hamper these attacks. It’s the opinion of these researchers that the user impact of password changes greatly outweighs any cybersecurity benefits you gain.
Bad password storage habits
One of the easiest ways to discover a password is to simply flip over a user’s laptop or look at the sticky notes on their monitor. If users can’t make passwords that they can easily memorize, or have to reset their passwords so often that they don’t have a chance to memorize them, they’ll generally find ways around the policy. Oftentimes the workaround is a huge security risk and means anyone who can see a user’s laptop or workspace can easily steal their password.
Backed by research
A few notable studies have backed up these claims.
The University of North Carolina at Chapel Hill found that knowing a user’s previous password enabled hackers to easily guess the user’s next password in fewer than five guesses in 17% of cases, as users tend to change an already weak password in predictable ways, like simply adding a number at the end.
That same study also found that a hacker executing an offline attack could guess 41% of existing passwords within just three seconds using a computer from 2009. And if a hacker figures out a method to successfully crack a user’s password, most of the time, they can then apply that same method to crack any change the user makes to their password.
The study by Carleton University referenced earlier confirmed many of the results found by UNC, and also discovered that if a hacker has already gained access to an account, they can install a keylogger or other tracking software, making new passwords ineffective. The same researchers also found that users who report annoyance with frequent password changes are much less likely to put a lot of thought into creating a strong password.
Should you ever change a password?
In short, yes—but only if doing so makes sense. If you suspect that a user has been compromised, have them change their password to something completely unrelated to their original password (after checking their system for malware, of course). Some organizations that feel they still need to enforce password changes now require them less frequently—every six months to a year, for example.
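To make the UNC finding and the “completely unrelated” advice concrete, here is an added Python example (not Office Protect’s code and not from the original article) of a password-change validator: it applies the NIST length rules from the section above without any composition requirements, blocks the common passwords the article names, and rejects a new password that is only a predictable tweak of the old one (a number bumped at the end, leet-style substitutions, or a reversal). The minimum length of 8, the short blocklist and the 0.8 similarity threshold are assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# NIST SP 800-63B: accept long passphrases and impose no composition rules.
MIN_LEN = 8     # assumed minimum for this example
MAX_LEN = 64    # NIST says to allow at least this many characters

# Constructed sample blocklist; a real deployment would load a breached-password corpus.
COMMON_PASSWORDS = {"password", "qwerty", "12345", "123456", "letmein"}

TOO_SHORT, TOO_LONG = "too short", "too long"
COMMON, SIMILAR = "common password", "too similar to previous password"

# Common substitutions users apply when forced to rotate (assumed set).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(pw: str) -> str:
    """Undo the predictable decorations added at rotation time: case,
    leading/trailing digits or symbols, and leet-style substitutions."""
    s = pw.lower()
    s = re.sub(r"^[\d!@#$%^&*]+", "", s)   # strip leading digits/symbols
    s = re.sub(r"[\d!@#$%^&*]+$", "", s)   # strip trailing digits/symbols
    # An all-digit password would normalize to ""; keep its original form instead.
    return s.translate(_LEET) or pw.lower()

def is_predictable_variant(old: str, new: str) -> bool:
    """True when `new` is a small edit of `old` (Summer2019! -> Summer2020!)."""
    a, b = normalize(old), normalize(new)
    if a == b or a[::-1] == b:
        return True
    if len(a) >= 4 and (a in b or b in a):
        return True
    return SequenceMatcher(None, a, b).ratio() >= 0.8  # assumed threshold

def validate_new_password(old: str, new: str) -> list:
    """Return the reasons a change should be rejected; an empty list means accepted."""
    reasons = []
    if len(new) < MIN_LEN:
        reasons.append(TOO_SHORT)
    if len(new) > MAX_LEN:
        reasons.append(TOO_LONG)
    if new.lower() in COMMON_PASSWORDS or normalize(new) in COMMON_PASSWORDS:
        reasons.append(COMMON)
    if is_predictable_variant(old, new):
        reasons.append(SIMILAR)
    return reasons
```

A real reset flow would run this check server-side against the stored hash comparison of the old password only at the moment the user proves they know it, and would log rejected attempts rather than reveal which rule fired.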
How Office Protect can help
Office Protect stays up to date on the latest security guidelines and has a special setting to ensure you don’t have to require your employees to change their passwords. This is in line with the new NIST guidelines and is just another way to show that Office Protect will help you stay ahead of the game.
These settings can be accessed anytime from the dashboard. Simply go into the settings there and toggle the ‘Account Passwords Never Expire’ switch to ‘ON’, and you’re all set!
You’ll even be able to easily see the user impact of this setting (none) and the security impact (medium), as well as additional user account protection best practices like enabling multi-factor authentication.
Learn more about how Office Protect keeps your business safe by downloading our free eBook, ‘Safeguarding Microsoft 365: Understanding the value of Office Protect’.