How Often Should I Change my Passwords

In the new NIST guidelines (US National Institute of Standards and Technology), there are now some rather surprising reversals of guidance on several areas of password management. According to this article from Sophos' Naked Security blog, automatic or periodic password aging is no longer recommended by the new guidelines; rather, the article says:

The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.

The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords:

8.2.4 Change user passwords/passphrases at least once every 90 days.

This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security.
NIST Special Publication 800-63b: Digital Authentication Guidelines

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

NCSC official guidance:

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation.

The problem is not with keeping passwords for a long time, but rather the weaknesses introduced when creating new ones. So, if you are using a randomised method of password generation, you could gain benefit from refreshing passwords periodically.

But there are no official guidelines on how often that should be when you create maximally complex passwords because the risks are just too low. When you add in 2FA, then the risks are lower still.

The guidelines you need then are based on the risks that you identify. If you feel that the service you are authenticating to stores passwords in plaintext, is hacked often, and stores data that is critical to you, then you might want to change your passwords quite often, no matter what the official guidance says.
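To make the two rules discussed above concrete (the NIST 800-63B verifier rule that only evidence of compromise forces a change, and the PCI DSS 8.2.4 calendar rule), and the point that a randomly generated password carries so much entropy that age alone barely matters, here is an added worked example. It is not code from any of the answers, NIST, NCSC or PCI; the `Credential` record, the guess rates and the 94-character alphabet are assumptions chosen for illustration.

```python
import math
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed alphabet: ASCII letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw a uniformly random password from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline guesser to hit a uniformly random password.

    On average half the keyspace must be searched, hence 2 ** (bits - 1) guesses.
    """
    expected_guesses = 2 ** (bits - 1)
    seconds_per_year = 365.25 * 24 * 3600
    return expected_guesses / guesses_per_second / seconds_per_year


@dataclass
class Credential:
    """Hypothetical verifier-side record for one memorized secret."""
    set_at: datetime
    compromise_evidence: bool = False  # phished, or found in a stolen database
    forgotten: bool = False            # user can no longer authenticate with it


def nist_change_required(cred: Credential) -> bool:
    """Rule modelled on SP 800-63B: age never triggers a reset; evidence of compromise does."""
    return cred.compromise_evidence or cred.forgotten


def pci_change_required(cred: Credential, now: datetime, max_age_days: int = 90) -> bool:
    """Rule modelled on PCI DSS 8.2.4: rotate on a calendar regardless of evidence."""
    return nist_change_required(cred) or (now - cred.set_at) > timedelta(days=max_age_days)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"generated {pw!r}: {bits:.1f} bits of entropy")
    # Assumed offline guess rate of 1e12/s (a well-resourced attacker against a fast hash).
    print(f"expected offline crack time at 1e12 guesses/s: "
          f"{expected_crack_years(bits, 1e12):.3e} years")

    now = datetime.now(timezone.utc)
    old_but_clean = Credential(set_at=now - timedelta(days=400))
    fresh_but_phished = Credential(set_at=now - timedelta(days=3), compromise_evidence=True)
    print("NIST rule, 400-day-old uncompromised password:", nist_change_required(old_but_clean))
    print("PCI  rule, 400-day-old uncompromised password:", pci_change_required(old_but_clean, now))
    print("NIST rule, 3-day-old phished password:        ", nist_change_required(fresh_but_phished))
```

The entropy figure is what drives the "risks are just too low" remark: a 16-character password over 94 symbols is roughly 105 bits, and no realistic offline guess rate against a properly hashed database makes its age relevant. The two `*_change_required` functions show the split the answers describe: the NIST rule reacts only to evidence, while the PCI rule additionally fires on the calendar, which is a compliance obligation rather than a security gain.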