According to the Center for Internet Security, users should be required to change their passwords every 60 days. Various security technical implementation guides from the U.S. The Defense Information Systems Agency says that users should be required to change their passwords every 60 days.
Why does this guidance exist? By changing a password every few months you will prevent someone who has already stolen a password from having constant access to the account. They will be forced to discover your new password after it has been changed. Another reason is that a hacker could potentially crack the hash of a weak password within a short period of time (perhaps a few months or less). By requiring password resets any passwords that were successfully cracked by a hacker become outdated.
New Guidance From the U.S. National Institute of Standards and Technology (NIST)
Passwords should be at least 8 characters long but users are encouraged to use much longer passwords.
Users should not be required to reset their passwords rather users should concentrate on using a long good quality password that is easy to remember but difficult to guess.
Passwords should not be too complicated otherwise users will not be able remember them. As a result using mixed cases, characters, and numbers isn’t paramount as users are often tempted to write them down.
With multi-factor authentication password resets are less important.
Password resets still play a role. You can mandate password resets when you detect suspicious activity on an account instead of every few months.
Which Method is Better?
The logic behind both password approaches is sound and neither method is wrong. The conventional method where users need to change their passwords every two months can create more work for your IT helpdesk because they will have to assist users with their passwords more often as users are more likely to forget their new passwords or to let their passwords expire. By not requiring password resets you can reduce the workload on your IT helpdesk. Overall the new method from NIST when coupled with multi-factor authentication makes managing passwords easier for both IT staff and end users. You can also go with a hybrid approach, perhaps requiring users to reset their passwords every six months or annually. It is really up to what works best for your company culture and your compliance requirements.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.