The concept of changing passwords often is not a new one. For decades, cybersecurity experts espoused the policy of changing passwords every two to three months. The primary reason to give credentials—not just passwords but any authentication credentials—an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else.
Misguided cause for concern
The concern arose from the mistaken belief that an attacker who obtains a credential would lie low, eavesdropping silently. The traditional theory holds that if passwords are changed frequently, such a passive attacker would be cut off before gaining greater access.
This does not hold true for many reasons, including the simple fact that an attacker is not going to remain dormant. For example, a hacker with access to your banking credentials is not going to wait around; they will immediately transfer money out of your bank account, and this will be noticeable. In such a situation, it does not make sense to change your credentials on a schedule, but it is of prime importance to change them as soon as possible after you become aware of the compromise.
Another drawback of frequently changing passwords is that it makes them harder to remember. Moreover, if regular password changes are enforced, people are more likely to choose passwords that are easier to remember, and therefore easier to guess, than they would if they could keep the same passwords for longer. This also encourages people to write passwords on sticky notes or in journals, leading to a greater risk of those passwords being lost or compromised.
The way forward
According to NIST and NCSC guidelines, the best password reset duration is not to have one at all, but instead focus on changing passwords immediately after a breach and to use multifactor authentication (MFA) and password management services where available. These guidelines are based on sensible practices—you would not change the locks to your house every three months but you would when your house has been broken into.
There are certain situations where password reset durations are necessary for compliance with standards such as ISO 27001 and NIST 800-53. In other cases, a password manager is the better tool. With a password manager you can generate passwords that are not easy to guess, store them safely, and, where a rotation period is required, enforce it through password expiry.
Another good feature offered by password managers is MFA, which works by combining fundamentally different ways of proving your identity, usually drawn from three classic factors: something you know (knowledge), something you have (possession), and something you are (inherence). Well-built MFA uses two or more distinct factors, such as a password (knowledge) plus a fingerprint (inherence), or a password (knowledge) plus a one-time password from a mobile app to prove possession of the phone.
Having multiple factors makes it tougher for attackers, because a successful attack must compromise more than one factor through different avenues. This makes accounts safer wherever it can be applied. Active monitoring for passwords that have been exposed in data breaches is another important feature. It ensures you are notified if any of your passwords appear in a data breach at any service you use.
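Breach monitoring raises an obvious question: how can a service check your passwords against a breach database without being handed those passwords? The post does not say how Zoho Vault implements its check, so the following is an added example (not the product's code) of the k-anonymity range query popularised by Have I Been Pwned's Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters, and the server returns every hash suffix in that range with its breach count; the client then does the final comparison locally. The `BREACHED_CORPUS`, the `BreachRangeIndex` class and the `sent` logging parameter are constructed for this example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed stand-in for a breach database: password -> times seen in breaches.
# These are not real breach counts.
BREACHED_CORPUS = {
    "password": 3861493,
    "123456": 23597311,
    "letmein": 123456,
    "qwerty": 3912816,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachRangeIndex:
    """Server side: breached hashes bucketed by their 5-character prefix, so a
    client can ask for a bucket without ever revealing its full hash."""

    def __init__(self, corpus):
        self._ranges = defaultdict(dict)
        for password, count in corpus.items():
            digest = sha1_hex(password)
            self._ranges[digest[:5]][digest[5:]] = count

    def range(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every hash starting with `prefix`."""
        if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
            raise ValueError("prefix must be exactly five hex characters")
        bucket = self._ranges.get(prefix, {})
        return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def breach_count(password: str, query_range, sent=None) -> int:
    """Client side: hash locally, send only the 5-character prefix, and compare
    the remaining 35 characters against the returned suffixes. Returns the breach
    count, or 0 if the password is not in the index. `sent` optionally records
    what left the client, so a test can confirm the full hash never did."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    if sent is not None:
        sent.append(prefix)
    for line in query_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


if __name__ == "__main__":
    index = BreachRangeIndex(BREACHED_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate, index.range)} times")
```

In a deployed system `query_range` would be an HTTPS call; the rest of the client logic is unchanged. Note that the server never learns which suffix the client was interested in, which is the property that makes it safe to run such a check against a third party.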
Zoho Vault offers features intended to protect users. The built-in password generator lets you generate passwords of any required complexity and save them automatically. Zoho Vault also has the option to set expiration alerts for those users who need to reset passwords periodically. Another feature is two-factor authentication in the form of time-based one-time passwords (TOTP) for stored passwords. Vault also has an opt-in breached password detection feature, which keeps a lookout for any of your passwords that may have been exposed in password breaches.
Whenever a breached password is found in your account, Vault will alert you to change or update that password. This alert banner remains visible until you reset the credentials. Additionally, Vault's dashboard shows customized security insights that let you identify and remove weak and reused passwords from your account.
If you are interested in learning more about how you or your organization can benefit from using a password manager, get in touch with our Zoho Vault experts for more product information and a demo.