Best practice no longer requires frequent password changes

You never have to change your passwords again!*


Let’s get right to the fine print. Of course you have to change your password if something happens that makes it necessary!

  •  Change your password right away if a password is stolen (AKA an account is hacked) or you get a notice of suspicious activity in one of your accounts.

  •  For your security, change passwords right now that aren’t very good passwords to start with, or that you’ve used in multiple places, or that you’ve used for so long that they may have been exposed in the many big hacks over the last few years.

You still have to use complex passwords that are different for each service. Click here for password tips.

Doesn’t it help to change passwords regularly?

For years the standard wisdom was that we would be safer if we were forced to change our passwords every few weeks or months. It was standard policy for security at large companies. Frequent password changes were required by default for Office 365.

In the last decade, technology has advanced and our habits have been studied in great depth. The unmistakable conclusion: password expiration policies are pointless. If a password is never stolen, there’s no need to change it. As Microsoft put it recently, forced password changes are “an ancient and obsolete mitigation of very low value.”

There are two reasons that password expiration does not keep you safe.

  •  Better technology for cracking passwords

Ten years ago, it took ninety days for the average computer to crack the average password, so changing your password every ninety days helped keep out the bad guys.  Today an average password can be cracked by automated tools in seconds.  The greatest risk to your password is that you will give it away in response to a phishing message, or by sharing it or re-using it. If your password is compromised it will happen in seconds, not months. 

  •  The illusion of security

Numerous real-world studies have confirmed that most people make very minor changes to create a new password, which barely slows down the bad guys. If you are required to change your password and you do that by changing a “1” to a “2” at the end, you haven’t improved your security at all. In 2016 former FTC chief technologist Lorrie Cranor wrote: “Researchers also point out that an attacker who already knows a user’s password is unlikely to be thwarted by a password change. Once an attacker knows a password, they are often able to guess the user’s next password fairly easily.”

Or, as Microsoft put it: “If your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”

Microsoft recommends non-expiring passwords

Office 365 password expiration policy recommendation

When Office 365 was first rolled out ten years ago (under its original name, “Business Productivity Online Suite”), all users were required to change their passwords every 90 days. The policy was inflexible and administrators could not turn it off.

A couple of years ago, the above message began appearing in the admin portal: “We recommend that you set passwords to never expire to avoid possible disruption.”

Today, the default for new Office 365 customers is for passwords never to expire. Microsoft strongly advises Office 365 admins to leave it that way.

Office 365 password expiration policy tip

“By default, passwords are set to never expire. Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers.”

The latest statement from Microsoft comes in a draft of security baseline settings for the next versions of Windows 10 and Windows Server. Microsoft’s baseline security configurations are tremendously influential in large enterprises and they ripple through the entire tech industry.

You might not have to change your passwords as often, but take this as an opportunity to review your current passwords. Two of the most important tips:

If your password is a dictionary word that you’ve cleverly disguised by starting it with an upper case letter and ending it with an exclamation point, change your password. The tools used by the bad guys to crack passwords start with the entire dictionary and now easily also test simple variations on dictionary words.

If you’ve obscured a dictionary word by substituting lookalike numbers for letters – “Pa55w0rd,” “Thr33” – change your password. The bad guys have built that into their hacking algorithms.

Be careful out there!

Share This