We’ve been telling you for years to do stupid things with your passwords, always with good intentions. Set a password expiration policy. Require a mixture of characters from various alphanumeric groupings. Make your passwords so complex that you can’t remember them and your fingers stumble over each other while you type.
We were sorta wrong.
And for years, non-IT people have been giving us the stink eye -- and they were kinda right.
The other day I posted on Linkedin the same old information. I said, “Use strong passwords, and make sure you set an expiration policy.” One thing right about it was that passwords need to be strong. Weak = bad. Strong = good. My Uncle, who works in cyber-security as well, was quick to point out that the old password expiration policy is an outmoded method. This is still rampant in businesses ranging from minuscule to colossal. But we’ve known for THREE YEARS that this method doesn’t increase password vitality.
There are good reasons to have a password expiration policy, but forcing people to change their passwords regularly isn’t one of them. One example of a good reason to have a password expiration policy is to prune inactive accounts. Password expiration policies provide peace of mind and reduced attack surface to companies with various account auditing procedures -- or no procedure at all. Most companies have some kind of procedure in place for offboarding human resources or user accounts. These procedures typically involve disabling accounts, archiving stuff, and forwarding email and phone numbers. Having an automatic password expiration policy in place could provide a bit of security in these cases, but there are better methods for making sure your accounts are still under the management of a live human being. For example: If your software permits, you could set a policy to deactivate user accounts that haven’t logged in for X number of days. If the account is for a web service, you could email the user a link to confirm they still exist every X number of days. There are always exceptions of course. Some services are used very infrequently. Pruning functions need to match the use case.
But again, here’s what password expiration and complexity policies don’t do: THEY DON’T MAKE YOUR PASSWORDS STRONGER. We are in this loop of continuously changing our passwords as if there is some clock ticking and it’s just a matter of time before the password is cracked! It’s just not how password cracking works. Forcing password changes without a real reason leads to bad behavior, like:
- Writing your password on a post-it note and sticking it to the bottom of your right-side display, usually near the power button. (you are so busted)
Yes, complexity requirements also lead to the aforementioned bad behavior. And this behavior MAKES YOUR PASSWORD WEAKER. Weak = bad.
What then makes a strong password? NIST has the answer. Here’s the official document:, section 5 Authenticator and Verifier Requirements. The National Institute of Standards and Technology (NIST) has been providing guidelines and standards for American industries since 1901. Here’s one relevant part of the document:
“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
Now that you know you can keep your password, make it a good one! Here are three things you ABSOLUTELY SHOULD DO with your passwords:
- Think of a password you can remember. It’s ok to use spaces and real words, really it is.
- Make sure it is sufficiently long. 8 is the minimum. 12 is great!
- Make sure your password is not included in the roughly half-billion passwords which have already been leaked in various data breaches. Check your password here to SEE IF YOU HAVE BEEN PWNED! If it has been, don’t use it anymore. It is likely that the particular password is also associated with your email address or username also exposed in a breach.
Contact Amoeba Networks. Let’s review your password policy!