October 27th, 2017

Don’t Make Me Change My Passwords!

The 2017 NIST changes drop the requirement for periodic password changes…yay!

Hello, and welcome to Ask Erik. I have been recently asked by one of our customers to talk about changes in password requirements instituted recently by NIST, the National Institute of Standards and Technology.

One of the big changes that they’ve made in 2017 is to remove requirements that everybody change their password frequently, typically every 90 days. This is a huge relief to some, as I imagine everybody hates making that quarterly change. It’s annoying and often makes you forget your passwords.

Why did we change passwords before?

Why did they make you do this? NIST believes that not changing your password is actually more secure. In truth, everybody in the security community knows this and has known it for a long time. In fact, if you look back at the history of this rule, it was made up by some clerk in the NIST security office a long time ago who just thought it might be a good idea. He didn’t really do any research. There really wasn’t any data available at that time. He just thought changing passwords frequently sounded like a good thing.

Why was this bad?

In truth, what happens, as you probably know, is that people end up reusing the same password and making very small tweaks to it every time. If anyone gets hold of one of these passwords, or a couple of them, it’s pretty easy to figure out your pattern. People often end up making shorter, simpler passwords that are easy to remember, and they often end up writing these passwords down right on their desks. All of these little measures that people take to make changing their password easier actually do a great deal of harm to their password security.

Best Practices

If you don’t have to change your password and you can just have one more complicated password, it’s actually way better. The best practices are to use a strong, long, complicated password that’s different on every website that you visit so that the compromise of one website will not break you into other websites.

Also, you should use a password manager to remember all of these. Use LuxSci’s Password Aides. Use LastPass. Use whatever you need to make it easy to remember all of these passwords and access them when needed. I hope everybody out there who’s in charge of applications and websites takes these changes to heart and removes all requirements for frequent password changes, and also looks at the other NIST recommendations, such as no longer requiring special characters and so forth. Just look at overall password strength.
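As an added illustration (not code from this post or from LuxSci), the following Python contrasts the older composition-plus-expiry rule with a NIST SP 800-63B style check: minimum length, a blocklist of known-bad passwords, rejection of repetitive or sequential runs and of the username or service name, and no expiry. The blocklist, run length and sample passwords are constructed for the example.

```python
import re
from datetime import date, timedelta
from typing import List

# Constructed sample blocklist; a real deployment would check against a
# breach corpus, not a handful of inline strings.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty", "letmein", "123456"}


def has_repetitive_or_sequential(pw: str, run: int = 4) -> bool:
    """Flag runs like 'aaaa' or '1234'/'abcd' (NIST 800-63B section 5.1.1.2)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:
            return True
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def legacy_policy(pw: str, last_changed: date, today: date) -> List[str]:
    """Pre-2017 style: four character classes plus a 90-day expiry."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    classes = [("upper", r"[A-Z]"), ("lower", r"[a-z]"),
               ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")]
    for name, pattern in classes:
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    if today - last_changed > timedelta(days=90):
        problems.append("expired: must change")
    return problems


def nist_2017_policy(pw: str, username: str, service: str) -> List[str]:
    """NIST SP 800-63B style: length and blocklist, no composition rules, no expiry."""
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8")
    if low in BLOCKLIST:
        problems.append("on blocklist")
    if username.lower() in low or service.lower() in low:
        problems.append("contains username or service name")
    if has_repetitive_or_sequential(pw):
        problems.append("repetitive or sequential characters")
    return problems
```

A long passphrase such as "correct horse battery staple" fails the legacy rule for lacking an uppercase letter and a digit, while "P@ssw0rd" satisfies every composition rule yet is on the blocklist.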

Have a tech or security question? Ask Erik
