Why Enforcing Regular Password Expiration is a Bad Practice

Until recently, many “traditional” security best practices held that enforcing regular password expiration for computer user accounts was good security practice and contributed to more secure computer system environments.

Following these practices, many organizations prompt their users to change their passwords after a fixed number of days.


Regular Password Expiration is an Old Practice

However, more recent guidance (for example NIST Special Publication 800-63B, which states that verifiers should not require memorized secrets to be changed periodically) concludes that, apart from frustrating users, enforced password expiration is a bad practice that lowers the overall security of systems. The main argument is that forcing regular changes pushes users toward passwords that are minor variations of the old ones (a digit incremented, a suffix swapped) so that they can still remember them; an attacker who has obtained an old password can then guess the new one in a handful of attempts. Expiration also does little against a stolen password, which is typically used right away, long before the next forced change.


Modern Security Best Practices

Instead, more modern approaches should be followed that take the new realities into account. One such reality is that, nowadays, most people need to remember a large number of passwords, not just one: passwords for the workplace, but also for social media, online services and so on.


For example, instead of expiring passwords on a calendar, a more user-friendly policy could monitor failed login attempts and, when the failures against an account cross a defined threshold, prompt that user to change her password. In other words, a password change is triggered by evidence of an attack or a likely compromise, not by the passage of time. Systems could also show each user the date and time of her last login (and the number of failed attempts since then) so that she can review it and contact the System Administrator if she suspects unauthorized access.

Another good practice is to use account lockout in all systems. For example, when “x” failed login attempts are made against an account within a period of “y”, the account is automatically locked for a period of “z” and the System Administrator is informed. The lockout should be temporary (a “z” of minutes rather than a permanent lock), because an attacker who knows a username can otherwise lock legitimate users out on purpose; throttling by source address as well as by account limits this.
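The two ideas above (a change prompt driven by suspicious failed logins, and an “x attempts in y seconds locks for z seconds” lockout with an administrator alert) can be combined in one small login policy. The following is an added example, not code from the original article or from essentialDevTips.com; the threshold values, the user table, the PBKDF2 password hashing and the event timeline are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Policy knobs from the article: "x" failed attempts within "y" seconds lock
# the account for "z" seconds. The numbers are assumptions for this example.
MAX_ATTEMPTS = 5        # x
WINDOW_SECONDS = 300    # y
LOCKOUT_SECONDS = 900   # z
# Failed attempts since the last successful login that make the system prompt
# for a password change (instead of a calendar-based expiry). Assumed value.
CHANGE_PROMPT_THRESHOLD = 3


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever hashing the real system uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    recent_failures: deque = field(default_factory=deque)  # failure timestamps inside the window
    locked_until: float = 0.0
    last_login: Optional[float] = None
    failures_since_login: int = 0
    must_change_password: bool = False


class LoginGuard:
    """Event-driven login policy: temporary lockout on bursts of failures and a
    password-change prompt only when something suspicious actually happened."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self.users = users                      # username -> (salt, pbkdf2 hash)
        self.state = defaultdict(AccountState)  # per-account counters
        self.admin_alerts = []                  # messages the administrator would receive

    def attempt(self, user: str, password: str, now: float) -> dict:
        st = self.state[user]
        if now < st.locked_until:
            # Refuse without checking the password: a locked account must not
            # leak whether a guess was correct.
            return {"status": "locked", "retry_after": st.locked_until - now}

        # Unknown users get a dummy salt/hash so the comparison still runs.
        salt, stored = self.users.get(user, (b"\0" * 16, b"\0" * 32))
        ok = user in self.users and hmac.compare_digest(hash_password(password, salt), stored)
        if not ok:
            return self._record_failure(st, user, now)
        return self._record_success(st, now)

    def _record_failure(self, st: AccountState, user: str, now: float) -> dict:
        st.recent_failures.append(now)
        # Drop failures older than the window so the count is "x within y".
        while st.recent_failures and now - st.recent_failures[0] > WINDOW_SECONDS:
            st.recent_failures.popleft()
        st.failures_since_login += 1
        if len(st.recent_failures) >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.recent_failures.clear()
            self.admin_alerts.append(f"{user}: locked at t={now:.0f} after {MAX_ATTEMPTS} failures")
            return {"status": "locked", "retry_after": LOCKOUT_SECONDS}
        return {"status": "failed", "attempts_left": MAX_ATTEMPTS - len(st.recent_failures)}

    def _record_success(self, st: AccountState, now: float) -> dict:
        # What the user sees after logging in: previous login time, how many
        # failures happened since, and whether a password change is requested.
        result = {
            "status": "ok",
            "previous_login": st.last_login,
            "failures_since_previous_login": st.failures_since_login,
            "prompt_password_change": st.failures_since_login >= CHANGE_PROMPT_THRESHOLD,
        }
        st.must_change_password = result["prompt_password_change"]
        st.last_login = now
        st.failures_since_login = 0
        st.recent_failures.clear()
        return result


def demo() -> dict:
    # Constructed timeline (seconds): alice logs in at t=0, someone fails three
    # times against her account, then she logs in again and gets prompted.
    salt = os.urandom(16)
    guard = LoginGuard({"alice": (salt, hash_password("correct horse", salt))})
    guard.attempt("alice", "correct horse", now=0)
    for t in (100, 110, 120):
        guard.attempt("alice", "wrong guess", now=t)
    return guard.attempt("alice", "correct horse", now=200)


if __name__ == "__main__":
    print(demo())
```

Because the lock is keyed by account name, anyone who knows a username can trigger it; that is why `LOCKOUT_SECONDS` is a short, self-clearing interval and why a production system would add a second limit keyed by source address on top of this one.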

The above are only a few examples of modern security best practices. The main concept is to realize that user habits change along with technology, forming new realities. These new realities must be taken into account when writing security best practice documents, so that the practices have a real chance of being fully adopted by users.

Otherwise, it is highly likely that users will find ways to make their lives easier regardless of any best practices, creating weaknesses in the affected systems.





© essentialDevTips.com
