One of the ironies of being a small business owner concerned about security is that you have to share your data in order to be effective. For your business to run, you have to let your employees have access to your innermost business secrets, which is of course inherently less secure than keeping everything to yourself. This can be very scary, and rightly so. Because of this, we implement measures to protect ourselves. One of these measures is requiring employees to enter a password before accessing our internal systems. That way, only people we trust can get to our data. But passwords can be tricky—they can be guessed or discovered otherwise. And that can cause real problems.
In fact, 80% of cyber security attacks involve a weak or compromised password, so it’s very important to make sure that your password policies follow the recommended industry guidelines.
Changes in Password Guidelines
One of those recommended guidelines is to not require password changes, something that’s contrary to what we’ve all experienced over the past few years.
The National Institute of Standards and Technology (NIST) has updated its guidelines and now recommends not requiring periodic password changes for your employees unless you have reason to suspect a breach.
So why this shift in recommendations? It turns out there are many good reasons to not require password changes.
Encouraging Stronger Passwords
First, requiring frequent password changes encourages employees to create weaker passwords. They won’t ever have the time to memorize them properly and will often create something simple—like the dreaded qwerty, 12345, and password—that they can then make small changes to with each new password change cycle.
Removing this requirement allows users to create stronger passwords that will be with them for the length of their employment. The NIST recommends allowing up to 64 characters with no character requirements to encourage the use of passphrases, which are now recommended as one of the most secure forms of password protection.
Less User Impact, Greater Hacker Deterrence
One of the most important things to consider when implementing cyber security policies is user impact vs. hacker deterrence—in other words, you don’t want to enforce a policy that’s extremely inconvenient to users unless it significantly prevents cyber security attacks. Otherwise, you end up with many annoyed employees and not much benefit.
Unfortunately, it’s been shown that requiring regular password changes does just that—it’s a policy that tends to cause users lots of headaches and annoyance. And with newer hacking technology, simply changing your password is just not that effective anymore.
Hackers can use techniques to guess an extremely large number of different passwords in a very short time, and research from Carleton University has shown that password changes only slightly hamper these attacks. It’s the opinion of these researchers that the user impact of password changes greatly outweighs any cyber security benefits you will gain.
Bad Password Storage Habits
One of the easiest ways to guess a password is to simply flip over a user’s laptop or look at the sticky notes on their monitors. If users cannot make passwords that they can easily memorize, or have to make passwords so often that they do not have a chance to memorize them, then they’ll generally find ways around that. Many times, the workaround is a huge security risk and means anyone who can see a user’s laptop or workspace can easily steal their password.
Backed by Research
A few notable studies have backed up these claims.
The University of North Carolina at Chapel Hill found that knowing a user’s previous password enabled hackers to easily guess the user’s next password in fewer than 5 guesses in 17% of cases, as users tend to change an already weak password in predictable ways, like simply adding a number at the end.
That same study also found that a hacker executing an offline attack could guess 41% of existing passwords within just 3 seconds using a computer from 2009. And if a hacker figures out a method to successfully crack a user’s password, most of the time, they can then apply that same method to crack any change the user makes to their password.
The study by Carleton University referenced earlier confirmed many of the results found by UNC, and also discovered that if a hacker has already gained access to an account, they can install a keylogger or other tracking software, making new passwords ineffective. They also conducted a study that found that users who report annoyance with frequent password changes are much less likely to put a lot of thought into creating a strong password.
Should You Ever Change a Password?
In short, yes—but only if doing so makes sense. If you suspect that a user has been compromised, have them change their password to something completely unrelated to their original password (after checking their system for malware, of course). Some organizations that feel they still need to enforce password changes now require them less frequently, like every 6 or 12 months.
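As an added illustration (not code from this post or from Office Protect), the Python below applies the guidance described above: it accepts any password within the length bounds with no composition rules, rejects only known-weak choices, and flags a replacement password that is a predictable edit of the previous one (the "add a number at the end" pattern from the UNC study). The 8-character minimum and the tiny blocklist are assumptions for the demo; a real deployment would check against a large breached-password list.

```python
import re
import unicodedata

# Constructed blocklist for the demo: the post names these as typical weak choices.
# Assumption: production code would use a large breached-password list instead.
COMMON_PASSWORDS = {"password", "qwerty", "12345", "123456"}

MIN_LENGTH = 8   # assumption for the demo (not stated on the page)
MAX_LENGTH = 64  # the page: allow up to 64 characters to encourage passphrases


def check_new_password(candidate: str) -> list[str]:
    """Return reasons to reject the password; an empty list means it is acceptable.
    Only length bounds and a blocklist apply: no forced digits, symbols or case."""
    pw = unicodedata.normalize("NFKC", candidate)  # treat lookalike encodings alike
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the blocklist of common passwords")
    return problems


def _core(pw: str) -> str:
    """Strip the leading/trailing digits and symbols users bump on each cycle
    ("Summer2019!" -> "summer") so two cycles of the same password compare equal."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw).lower()


def is_predictable_change(old: str, new: str) -> bool:
    """True when the new password is a trivial edit of the old one."""
    lo, ln = old.lower(), new.lower()
    if lo in ln or ln in lo:  # one contains the other, e.g. "hunter2" -> "hunter22"
        return True
    oc, nc = _core(old), _core(new)
    # Both cores must be non-empty, otherwise "" would match inside any string.
    return bool(oc) and bool(nc) and (oc == nc or oc in ln or nc in lo)


def validate_change(old: str, new: str) -> list[str]:
    """Combined check for a reset after a suspected compromise: the replacement
    must pass the acceptance rules and be unrelated to the old password."""
    problems = check_new_password(new)
    if is_predictable_change(old, new):
        problems.append("new password is a predictable variant of the old one")
    return problems
```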
How Office Protect Can Help
Office Protect stays up to date on the latest security guidelines and has a special setting to ensure that you do not have to require your employees to change their passwords. This is in line with the new NIST guidelines and is just another way to show that Office Protect will help you stay ahead of the game.
These settings can be accessed anytime from your dashboard—simply go into the settings there and toggle the “Account Passwords Never Expire” switch to “ON,” and you’ll be all set!
You’ll even be able to easily see the user impact of this setting (none) and the security impact (medium), as well as additional user account protection best practices like enabling multi-factor authentication.