Expiring Passwords are an Organizational Frustration - Velox Systems

Expiring Passwords are an Organizational Frustration


Expiring passwords are an organizational frustration. Resetting multiple passwords is tedious, and then one has to remember the new ones. However, not resetting your passwords can lead to cybersecurity nightmares. Read on to learn the rationale behind password expiries.


Why do we have password expiries?

The 90-day password reset rule was designed to protect against hackers trying to guess passwords through brute-force attacks. Organizations do not store passwords themselves; they store one-way scrambled versions of them called “hashes.” When you enter your password, it is turned into a hash and checked against the stored one. Hackers try to guess the right password by running candidate passwords through the same process and comparing the results. Security can be improved by adding a random string, called a “salt,” to each password before hashing, which makes the stored hashes harder to crack.

However, advances in technology have reduced the time required to crack passwords, prompting a re-evaluation of this policy.

Why have some organizations got rid of expiries?

An argument against regular password expiry is that users often reuse weak passwords. To remember their countless passwords, the user will often only make a slight change to an existing password such as changing ‘Password1!’ to ‘Password2!’. This practice undermines the security benefits of password changes.

A larger reason that organizations have opted for ‘never expire’ passwords is reducing IT and service desk burden. Gartner estimates that 20-50% of IT help desk calls are related to password resets, with each reset costing around $70 in labor according to Forrester. It is therefore enticing for organizations to allow users to create one very strong password and then set the passwords to ‘never expire’ in order to cut down on IT burden and reset costs.


What are the risks with ‘never expire’ passwords?


Even strong passwords can be vulnerable to threats like phishing, data breaches, or other cyber-attacks, often without the user knowing. An organization may enforce a strong password policy to prevent brute-force attacks, but if employees reuse those passwords for personal accounts like Facebook or Netflix, the risk of compromise increases significantly.

Another issue with ‘never expire’ passwords is that compromised credentials can be used for a long time. On average, it takes 207 days for a company to detect a breach, so even with password expiration policies, the damage could already be done before the password changes.


How to detect compromised passwords

Organizations must adopt a comprehensive password strategy that goes beyond regular expiry. This includes guiding users to create strong passphrases of at least 15 characters. Such a policy can significantly reduce vulnerability to brute-force attacks. Encouraging end users to create longer passwords can also be achieved through length-based aging, where longer, stronger passwords are allowed to be used for extended periods before expiring. This approach eliminates the need for a one-size-fits-all expiry time, provided users adhere to the organization’s password policy.

However, even strong passwords can be compromised, and there need to be measures in place to detect this. Once a password is compromised, its cracking time, even for a password in the bottom right of the above table, becomes ‘instantly.’ Organizations need a joined-up strategy to make sure they are covering themselves against both weak and compromised passwords.


How to safeguard your organization


Expiring passwords are an organizational frustration. However, helping users create strong, 15-character passphrases lowers the risk of brute-force attacks. A “length-based aging” approach lets longer, stronger passwords last longer before expiring, avoiding a one-size-fits-all rule. Even strong passwords can still be compromised, though, which is why it’s crucial to have systems in place to detect breaches quickly. A comprehensive strategy protects against both weak and compromised passwords. At Velox Systems, we offer strategies and tools like password managers to help protect your organization from password attacks and other security threats. Ready to strengthen your defenses? Let’s chat!