The use of automatic password expiry as a security mechanism is “outdated and ineffective”, increasing organisations’ costs, reducing productivity and making accounts more vulnerable, according to the National Cyber Security Centre.
Writing on the NCSC’s blog, the people-centred security lead for the sociotechnical security group, who posts as Emma W, said that password expiry is a “blunt instrument that casts a long shadow over organisational security”.
She argued that, although changing a password regularly might seem a sensible way of raising security, the evidence is that the cost of such policies “vastly outweighs any security benefit”.
Frequent password changes are more likely to push people into less secure behaviour, such as choosing weaker passwords, writing them down, re-using them across multiple systems and changing them only in tiny ways – for instance by adding an extra number or symbol on the end each time.
Moreover, attackers can – and do – exploit these dodges, meaning that the systems are no more secure for the changes.
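The point in the two paragraphs above is that an attacker who has already learned one password (from a breach dump, a shoulder-surf or a note on a phone) needs only a handful of guesses to land on its forced-rotation successor. The following is an added example, not code from the article or from the NCSC post: it encodes the predictable “tiny change” rules as a mutation generator and counts how many guesses it takes to hit the rotated password. The rule set and the symbol list are assumptions chosen to mirror the behaviour described above, and a plain SHA-256 comparison stands in for whatever check the attacker really has available (an online login attempt or a leaked hash); the sample passwords are constructed for the demonstration.

```python
"""Why 'tiny change' password rotations give an attacker little extra work.

Added illustration, not part of the original article. The mutation rules and
the trailing-symbol list are assumptions modelled on the behaviour the NCSC
post describes (bump the number on the end, add a digit or symbol, swap the
symbol). SHA-256 is only a stand-in for the attacker's oracle; real systems
use salted, slow password hashes, and an online attacker would simply try the
candidate at the login prompt.
"""
import hashlib
import re
from typing import List, Optional, Tuple

# Symbols users most often tack on the end of a password (assumed list).
COMMON_SUFFIX_SYMBOLS = "!@#$%&*?."


def mutations(old: str) -> List[str]:
    """Return the predictable rotations of `old`, most likely first.

    Order matters: an attacker tries the cheapest guesses first, so the
    number of attempts before a hit is a direct measure of how little the
    forced change bought the defender.
    """
    out: List[str] = []

    def add(candidate: str) -> None:
        if candidate != old and candidate not in out:
            out.append(candidate)

    # 1. Bump a trailing run of digits, keeping its width ("Summer09!" -> "Summer10!").
    match = re.match(r"^(.*?)(\d+)(\W*)$", old)
    if match:
        stem, digits, tail = match.groups()
        for step in range(1, 4):
            bumped = str(int(digits) + step).zfill(len(digits))
            add(f"{stem}{bumped}{tail}")

    # 2. Append a single digit.
    for digit in "0123456789":
        add(old + digit)

    # 3. Append a single symbol.
    for symbol in COMMON_SUFFIX_SYMBOLS:
        add(old + symbol)

    # 4. Swap an existing trailing symbol for another one.
    if old and old[-1] in COMMON_SUFFIX_SYMBOLS:
        for symbol in COMMON_SUFFIX_SYMBOLS:
            add(old[:-1] + symbol)

    return out


def sha256_hex(password: str) -> str:
    """Stand-in for the attacker's verification oracle (see module docstring)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def guess_rotated(old: str, target_hash: str) -> Optional[Tuple[str, int]]:
    """Try each mutation of `old` against the rotated password's hash.

    Returns (matching_candidate, attempts_needed), or None if no rule hit.
    """
    for attempts, candidate in enumerate(mutations(old), start=1):
        if sha256_hex(candidate) == target_hash:
            return candidate, attempts
    return None


if __name__ == "__main__":
    # Constructed before/after pairs illustrating the behaviour described above.
    rotations = [
        ("Summer2023!", "Summer2024!"),  # year bumped
        ("Pa55word", "Pa55word1"),       # digit appended
        ("Winter!", "Winter?"),          # trailing symbol swapped
        ("Summer2023!", "Tr0ub4dor"),    # genuinely new password: rules should miss
    ]
    for old_pw, new_pw in rotations:
        result = guess_rotated(old_pw, sha256_hex(new_pw))
        if result is None:
            print(f"{old_pw!r} -> (unknown): no predictable rule matched")
        else:
            hit, n = result
            print(f"{old_pw!r} -> {hit!r}: recovered in {n} guess(es)")
```

The contrast between the first three pairs and the last is the whole argument: a rotation that follows a pattern falls within a few dozen guesses, which is well inside any lockout threshold spread over a day, whereas a genuinely unrelated new password is not reachable from the old one at all.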
The blogpost also said that password expiry reduces staff productivity, disrupts workflow and increases the number of helpdesk requests, which drives up cost and takes time away from the other, unavoidable requests the helpdesk has to handle.
Her comments echo those made at the Cyber Security Summit earlier this year, where one speaker described a constant back-and-forth with the chief executive of a local authority.
The chief executive in question would apparently take his phone to his IT team every month, ask them to change the password and immediately turn the phone over, cross out the previous password written on a post-it note stuck to the back and replace it with the new one.
“Password expiry might initially look like a quick and easy way of helping to manage the risks,” Emma wrote. “However, it rarely delivers the headline benefits it promises, and mostly just creates fresh vulnerabilities instead.”
But despite these clear risks, some organisations “remain firmly wedded to the idea of regularly expiring user passwords”, she said.
“Sometimes we can get a bit too attached to particular tools, and try to use them to solve problems they aren’t actually best placed to tackle,” Emma wrote to illustrate that organisations need to think beyond password changes to secure systems.
“To someone with a hammer, everything looks like a nail. And then, when you look closely at the tool itself, it turns out it’s pretty old and broken and will shatter at the slightest impact.”
The blogpost said that many organisations use automatic, forced password changes for the wrong reasons, for instance to remind users that passwords do need to be changed sometimes and to mitigate the risk of people sharing passwords.
However, Emma argued that in these cases IT teams need to look for broader solutions, including giving staff clear information on why information security measures matter, making it easier to change passwords and providing better ways of securely sharing information that do not involve sharing passwords.