Password expiry is a ‘blunt instrument’ that rarely delivers, says cyber security expert

Written by Rebecca Hill on 22 December 2016 in News

The use of automatic password expiry as a security mechanism is an “outdated and ineffective” measure that increases organisations’ costs, reduces productivity and makes accounts more vulnerable, according to the National Cyber Security Centre.

The NCSC has called time on forcing people to change their passwords regularly - Photo credit: Flickr, kermitfrosch, CC BY 2.0

Writing on the NCSC’s blog, the people-centred security lead for the sociotechnical security group, who posts as Emma W, said that password expiry is a “blunt instrument that casts a long shadow over organisational security”.

She argued that, although changing a password regularly might seem like a sensible way of ensuring greater levels of security, there was evidence that the negative costs of such policies “vastly outweighs any security benefit”.

Frequent password changes are more likely to push people into doing less secure things, such as using weaker passwords, writing them down, re-using them on multiple systems and changing them in tiny ways – for instance by adding an extra number or symbol on the end each time.

Moreover, attackers can – and do – exploit these dodges, meaning that the systems are no more secure for the changes.
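The “tiny change” dodge described above is something a password-change flow can check for at the moment the user submits both the old and the new password. The snippet below is an added illustration, not code from the NCSC or from the blogpost: it assumes the change form hands the server the old and new passwords in plaintext at that one moment (as most change flows do), and the edit-distance threshold of 2 is an assumed tuning value, not a figure from the article.

```python
import re
import string

# Trailing run of digits and/or symbols: the part users typically bump on each
# forced rotation ("Winter2016!" -> "Winter2017!").
_TRAILING_SUFFIX = re.compile(r"[0-9" + re.escape(string.punctuation) + r"]+$")


def _core(password: str) -> str:
    """Strip the trailing digit/symbol run and case-fold, so 'Winter2016!'
    and 'winter2017#' reduce to the same core 'winter'."""
    return _TRAILING_SUFFIX.sub("", password).lower()


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1).
    Inlined so the check has no third-party dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """Return True when the new password is just a cosmetic rotation of the old one.

    Two rules, both catching patterns the article says attackers exploit:
      1. Same core once the trailing digits/symbols and case are removed
         (Password -> Password1, Winter2016! -> Winter2017!).
      2. Only a couple of character edits apart anywhere in the string
         (correcthorse -> correcthorsf).
    max_distance=2 is an assumed threshold; tune it to your own policy.
    """
    if not new:
        return True
    if _core(old) == _core(new):
        return True
    if _edit_distance(old.lower(), new.lower()) <= max_distance:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Winter2016!", "Winter2017!"),
                     ("Password", "Password1"),
                     ("correcthorse", "correcthorsf"),
                     ("Winter2016!", "Autumn2016!")]:
        verdict = "reject" if is_trivial_rotation(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The point of running such a check is not to make forced expiry work better; it is to make visible how much of the “new” password material a rotation policy actually produces, which is usually the evidence needed to drop the policy in favour of the measures the NCSC recommends.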


The blogpost also said that password expiry reduces staff productivity, disrupts workflow and increases the number of helpdesk requests, which drives up cost and takes away from the time the helpdesk could be spending on other unavoidable requests.

Her comments echo those made at the Cyber Security Summit earlier this year, where one speaker relayed a constant back-and-forth with the chief executive of a local authority.

The chief executive in question would apparently take his phone to his IT team every month, ask them to change the password and immediately turn the phone over, cross out the previous password written on a post-it note stuck to the back and replace it with the new one.

“Password expiry might initially look like a quick and easy way of helping to manage the risks,” Emma wrote. “However, it rarely delivers the headline benefits it promises, and mostly just creates fresh vulnerabilities instead.”

But despite these clear risks, some organisations “remain firmly wedded to the idea of regularly expiring user passwords”, she said.

“Sometimes we can get a bit too attached to particular tools, and try to use them to solve problems they aren't actually best placed to tackle,” Emma wrote to illustrate that organisations need to think beyond password changes to secure systems.

“To someone with a hammer, everything looks like a nail. And then, when you look closely at the tool itself, it turns out it's pretty old and broken and will shatter at the slightest impact.”

The blogpost said that many organisations use automatic, forced password changes for the wrong reasons, for instance to remind users that passwords do need to be changed sometimes and to mitigate the risk of people sharing passwords.

However, Emma argued that in these cases, IT teams need to look for bigger solutions, which include ensuring that staff are given clear information on the importance of information security measures, making it easier to change passwords and providing better ways of securely sharing information without having to share passwords.



Graham Tracey (not verified)

Submitted on 23 December, 2016 - 08:30
Brilliant news, this is a pain we can do without. Constantly being asked to change our password or, worse still, every so often (it seems like every minute) we are asked to re-input the password just to access some system/program you are already using. I work in an office environment & I can see the impact this has on productivity, especially when you have a password box that is not just case sensitive, it seems it is password sensitive. There is a web browser that keeps asking me if I am a machine or not & asks me to input some letters so it can see me for being human.

John McAfee (not verified)

Submitted on 5 January, 2017 - 16:39
Good luck with changing PCI DSS compliance requirements and the industry of external ICT Security auditors who insist on this!!!

Neil Moore (not verified)

Submitted on 12 January, 2017 - 13:44
Agree - but for the time being password expiry is part of the guidance for PSN (and other government) accreditation.
