For years, organizations and security experts followed strict password policies that emphasized complexity, frequent changes, and arbitrary length requirements. However, modern research and updated recommendations from cybersecurity institutions such as the National Institute of Standards and Technology (NIST) suggest that these traditional approaches are often ineffective and even counterproductive. In this blog, we’ll explore how today’s password policies differ from the older reasoning behind them and why these changes are necessary.
Rethinking Password Complexity
Do you remember expiring passwords and complexity requirements?
Older password policies focused on the idea that complex passwords—those containing a mix of uppercase and lowercase letters, numbers, and special characters—were the best defense against cyber threats. Additionally, users were often required to change their passwords every 30, 60, or 90 days, under the assumption that this reduced the likelihood of compromise.
However, these policies led to predictable behaviors. Users often created passwords that were difficult to remember, leading them to write them down or use minor variations of old passwords (e.g., “Password1” becoming “Password2”). This predictability made it easier for attackers to guess passwords, ultimately undermining security.
Even the person responsible for developing the 2003 NIST password guidelines now regrets those recommendations: https://www.nbcnews.com/tech/security/forget-everything-you-know-about-passwords-says-man-who-made-n790711
The Modern Approach: Longer and More User-Friendly
Today, cybersecurity experts recommend a different strategy:
- Encourage long passphrases: Instead of enforcing complexity rules, modern guidelines suggest using longer passwords or passphrases, such as “CorrectHorseBatteryStaple,” which are easier to remember yet significantly harder to crack.
- Eliminate frequent password expiration: Unless there is evidence of compromise, forcing users to change passwords periodically is discouraged. Frequent changes often lead to weaker passwords rather than stronger security.
- Use multi-factor authentication (MFA): Rather than relying solely on a password, MFA adds an extra layer of security, making it much harder for attackers to gain access even if they obtain a password.
- Implement breach detection and alerts: Organizations should monitor for compromised credentials and alert users when their passwords have been exposed in data breaches, prompting a change only when necessary.
- Discourage password reuse across multiple accounts: Since data breaches are common, reusing passwords across different platforms increases risk. Keep personal account passwords different from work account passwords.
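To make the contrast concrete, here is an added example (not code from the original post or from the Data Evolution team) that implements a legacy composition-and-expiry policy side by side with a modern policy built on the recommendations above: a length floor instead of character-class rules, a check against known-compromised credentials, rejection of trivial variants of the previous password, and rotation only when there is evidence of compromise. The numeric thresholds (8/16 characters for the legacy rules, 12/128 for the modern ones, 90-day legacy expiry) and the breach blocklist are assumptions constructed for the demonstration, not values taken from the post or from NIST.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed thresholds for the demonstration (not taken from the post).
LEGACY_MIN_LEN, LEGACY_MAX_LEN = 8, 16
MODERN_MIN_LEN, MODERN_MAX_LEN = 12, 128
LEGACY_EXPIRY_DAYS = 90

# Constructed stand-in for a breach-monitoring feed: passwords "seen in a
# breach", stored as SHA-1 digests so the plaintexts never sit in the code path.
CONSTRUCTED_BREACHED = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password1", "Password2", "letmein", "qwerty123", "Summer2024!")
}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def _class_count(password: str) -> int:
    """Count how many of the four classic character classes are present."""
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for pattern in classes if re.search(pattern, password))


def legacy_policy(password: str) -> PolicyResult:
    """Old-style rules: length window plus at least three of four classes."""
    reasons = []
    if len(password) < LEGACY_MIN_LEN:
        reasons.append(f"shorter than {LEGACY_MIN_LEN}")
    if len(password) > LEGACY_MAX_LEN:
        reasons.append(f"longer than {LEGACY_MAX_LEN}")
    if _class_count(password) < 3:
        reasons.append("fewer than three character classes")
    return PolicyResult(not reasons, reasons)


def is_breached(password: str) -> bool:
    """Look the candidate up in the (constructed) compromised-credential set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in CONSTRUCTED_BREACHED


def is_trivial_variant(previous: str, candidate: str) -> bool:
    """Catch the 'Password1' -> 'Password2' pattern: same core once case and
    trailing digits/symbols are stripped."""
    def core(s: str) -> str:
        return re.sub(r"[\d\W_]+$", "", s.lower())
    return core(previous) == core(candidate)


def modern_policy(password: str, previous: Optional[str] = None) -> PolicyResult:
    """Length-first rules: no composition requirements, but reject compromised
    passwords and trivial edits of the old one."""
    reasons = []
    if len(password) < MODERN_MIN_LEN:
        reasons.append(f"shorter than {MODERN_MIN_LEN}")
    if len(password) > MODERN_MAX_LEN:
        reasons.append(f"longer than {MODERN_MAX_LEN}")
    if is_breached(password):
        reasons.append("found in breach data")
    if previous is not None and is_trivial_variant(previous, password):
        reasons.append("trivial variant of previous password")
    return PolicyResult(not reasons, reasons)


def legacy_needs_rotation(age_days: int, compromised: bool) -> bool:
    """Legacy: rotate on a calendar schedule regardless of evidence."""
    return compromised or age_days > LEGACY_EXPIRY_DAYS


def modern_needs_rotation(age_days: int, compromised: bool) -> bool:
    """Modern: rotate only when there is evidence of compromise."""
    return compromised


if __name__ == "__main__":
    for candidate in ("Password1", "CorrectHorseBatteryStaple"):
        print(candidate, "legacy:", legacy_policy(candidate),
              "modern:", modern_policy(candidate))
    print("Password1 -> Password2 under modern policy:",
          modern_policy("Password2", previous="Password1"))
```

Running the block shows the inversion the post describes: "Password1" satisfies the legacy rules yet is rejected by the modern policy because it appears in breach data, while "CorrectHorseBatteryStaple" fails the legacy rules (too long, only two character classes) and passes the modern ones. In a real deployment the blocklist lookup would be backed by a breach-monitoring service and the rotation check would be driven by that service's alerts rather than a calendar.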
Why This Shift Matters
The evolution of password policies aims to make security both stronger and more user-friendly. By prioritizing length over complexity, reducing unnecessary changes, and incorporating multi-factor authentication, modern recommendations enhance security while reducing frustration. Organizations and individuals alike should adopt these new practices to stay ahead of cyber threats in an ever-evolving digital landscape.
If you’re still following outdated password policies, it’s time to update them. Encourage passphrases, use MFA, and leverage password managers to create a more secure and user-friendly approach to authentication. Cybersecurity is an ongoing battle, and modern password strategies are one of the best ways to stay protected.
If you would like to learn more from the Data Evolution team on passwords, check out our blog on how to create a strong password, or reach out to us today!