Debunking password myths: Why businesses should stop regular password resets (Part 1 of 3)


Passwords have long been a staple of data security, but their complexity requirements have burdened users over time. This has led to poor security habits, leaving data exposed to threats. Mandatory password changes, once thought essential, have also gradually proven ineffective. Microsoft has even removed password expiration policies from its recommended security baseline settings.

In this blog, we’ll discuss why it’s time for businesses to rethink password resets and how to adopt more effective security measures for the long term.


Reasons for regular password resets

Traditionally, regular password resets have been justified as a defense against attacks that exploit credentials exposed in earlier data breaches. Stolen username and password pairs routinely end up for sale or free download on dark web forums, and cybercriminals feed them into a tactic known as credential stuffing.

Credential stuffing takes the username and password pairs leaked from one service and tries them, at scale and with automated tooling, against other services, exploiting the common tendency to reuse the same password across multiple platforms. The traditional argument is that rotating credentials on a schedule limits this exposure: a leaked password stops working once the next reset replaces it, so the attacker is chasing a moving target. The caveat is that this only helps if the reset lands before the attacker tries the leaked credentials, and stuffing campaigns typically start long before a 90-day rotation window comes around.

Additionally, scheduled password changes have been seen as a safeguard against ex-employees accessing their former company's data. Recent findings reveal that half of employees admit to taking corporate data with them, with 40% even planning to use it in new positions or other organizations. Password resets can therefore serve as a crude means of revoking access. In practice, though, disabling the account during offboarding cuts access off immediately, whereas a scheduled reset leaves a window open until the next rotation date.

Why it’s time to rethink mandatory password resets

Whatever benefits it once had, the regular password reset has become a counterproductive practice. Firstly, employees today juggle an overwhelming number of passwords, averaging around 70 to 80 per person. Forcing all of them to change on a schedule only makes the memorization problem worse. Ironically, the well-intentioned policy then produces exactly the habits it was meant to prevent: the same password reused across applications, or passwords written down in spreadsheets, cloud-synced notes apps, or sticky notes.

Enforced password changes also mean more forgotten passwords, more helpdesk resets, and lost working time. When forced to change, many users make the smallest edit that satisfies the policy, such as incrementing a trailing digit or swapping one special character, so Summer2023! becomes Summer2024!. These transformations are well known to attackers: password-cracking tools apply exactly such mangling rules to a base wordlist, and a user's previous password is one of the strongest predictors of their current one.

Finally, mandatory resets are hard to apply consistently. Passwords are already a major source of frustration for most workers, and piling on further requirements compounds the burden. IT departments can usually enforce expiration on in-house systems and the corporate directory, but have little visibility into, or control over, the rotation schedule of third-party cloud apps that hold their own credentials. The conventional practice has run its course and can do more harm than good in the current digital era.

How can businesses improve security without regular password changes?

Fortunately, there are ways to enhance your business’s cybersecurity without the outdated practice of enforced password resets.

The National Institute of Standards and Technology, in Special Publication 800-63B (Digital Identity Guidelines), recommends screening every new password against a blocklist of values known to be commonly used, expected, or compromised. They suggest including the following:

  • Dictionary words
  • Repetitive characters (e.g., 1111)
  • Sequential characters (e.g., 1234 or abcd)
  • Context-specific words (e.g., username)
  • Passwords from previous breaches 

Checking against such a blocklist lets an organization reject weak and already-exposed passwords up front, and a good implementation normalizes the candidate first so that trivial variants (Password1!, p@ssw0rd, summer2024) do not slip past. When a user sets a password, it is checked against the list and rejected with an explanation if it matches. NIST pairs this with dropping the old composition rules (mandatory symbols, digits and mixed case) in favour of a minimum length of eight characters, since the blocklist catches the predictable choices that composition rules were meant to prevent.
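The following is an added example, not code from the original post or from SpectrumWise, showing what a NIST-style blocklist check looks like in practice. The dictionary, the organization "context" words, and the breach corpus are constructed sample data standing in for real lists; in a deployment they would come from a wordlist file and a breach feed. It also normalizes the candidate (case folding, stripping trailing digits and punctuation, undoing common leet substitutions) so that variants of a blocked word are caught too.

```python
"""Password blocklist screening in the spirit of NIST SP 800-63B (added example)."""
import hashlib
import re

# --- constructed sample data; assumptions, not real lists ----------------------
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "summer", "monkey"}
# Hypothetical organisation / product names a user is likely to pick.
CONTEXT_WORDS = {"spectrumwise", "acme"}
# Stand-in for a breach corpus, stored as upper-case SHA-1 hex, the same
# representation the Have I Been Pwned "Pwned Passwords" data set uses.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("P@ssw0rd", "Winter2023!", "hunter2")  # constructed entries
}

# Common symbol/digit-for-letter substitutions, used to fold "p@ssw0rd" back to "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def variants(password: str) -> set[str]:
    """Normalised forms of the password, so trivial mangling does not evade the list.

    Folds case, strips leading/trailing digits and punctuation (password1!, 2024summer)
    and undoes the leet substitutions above.
    """
    low = password.lower()
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", low)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def has_repetition(password: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (aaaa, 1111)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (1234, abcd, dcba)."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, username: str = "", min_length: int = 8) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted.

    Covers the SP 800-63B blocklist categories: dictionary words, repetitive or
    sequential characters, context-specific words, and values from previous breaches.
    The only composition rule kept is a minimum length, as 800-63B recommends.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    forms = variants(password)
    if forms & COMMON_WORDS:
        reasons.append("dictionary word or a trivial variant of one")
    if has_repetition(password):
        reasons.append("repetitive characters")
    if has_sequence(password):
        reasons.append("sequential characters")

    context = {w.lower() for w in CONTEXT_WORDS | {username} if w}
    if any(word in form for form in forms for word in context):
        reasons.append("contains a context-specific word (username or organisation name)")

    # Breach lookup is on the exact password, not the normalised form.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        reasons.append("appears in a previous breach")
    return reasons


if __name__ == "__main__":
    samples = ("P@ssw0rd1!", "jdoe2024", "aaaa1234", "Winter2023!", "correct horse battery staple")
    for pw in samples:
        verdict = check_password(pw, username="jdoe")
        print(f"{pw!r:32} -> {'accepted' if not verdict else '; '.join(verdict)}")
```

For a real breach check, replace the local `BREACHED_SHA1` set with the Have I Been Pwned Pwned Passwords range API: send only the first five hex characters of the SHA-1 and compare the returned suffixes locally, so the password itself never leaves your system.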

Another valuable measure is single sign-on (SSO). With SSO, users authenticate once to a central identity provider, typically backed by the corporate directory, and the provider issues a signed token (a SAML assertion or an OpenID Connect ID token) that each connected application accepts in place of its own password. Some identity providers also vault and auto-fill strong, generated credentials for legacy applications that cannot consume such tokens; that is password vaulting rather than true SSO, but it still takes the password out of the user's head. Either way, employees have a single strong credential to manage, and IT gains one place to enforce authentication policy, require multi-factor authentication, and disable access to every connected application at once.

However, periodic password changes aren't entirely obsolete; they should be triggered by a specific security event rather than mandated on a calendar. NIST SP 800-63B takes the same line: verifiers should not require arbitrary periodic changes, but must force a change when there is evidence the password has been compromised. So if a breach is suspected, a password turns up in a leaked corpus, or it is simply weak, changing it remains the right move, provided the replacement is new and unrelated to the old one (not Summer2024! after Summer2023!) and is not reused across accounts.

Ready to enhance your cybersecurity strategy? Reach out to our experts at SpectrumWise today for the latest security measures tailored to your needs, all without the hassle of routine password resets.

