Why 'Never Expire' Passwords Can Be a Risky Decision

Password resets are a hassle. Users dislike the frequent interruptions asking them to change their passwords, and the frustration mounts when the new passwords are rejected by company policies. IT teams aren't spared either, often dealing with a flood of service desk tickets related to password resets. Despite these challenges, password expiry is still a widely accepted practice across most organizations.

But is it necessary? Let's delve into why password expiries exist and whether setting passwords to "never expire" might save headaches but ultimately compromise cybersecurity.

Why Do We Have Password Expiries?

The practice of resetting passwords every 90 days was originally designed to protect against brute-force attacks. Organizations don't store passwords in plain text; they store them as cryptographic hashes. When a user logs in, their password is hashed and compared to the stored hash. Attackers trying to crack these passwords run various possibilities through the same hashing algorithm, comparing the results.

To make this harder, organizations "salt" passwords by adding a random string to each one before hashing, so that two users with the same password end up with different hashes and each hash has to be cracked on its own. The 90-day expiry was chosen so that a password would usually be replaced before an attacker could finish cracking its hash.
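The storage and verification scheme the two paragraphs above describe, as an added example that is not code from the original article. It uses PBKDF2-HMAC-SHA256 from the Python standard library with an iteration count and salt length chosen for this illustration; the record format (`algorithm$iterations$salt$digest`) and the sample passwords are likewise constructed for the example.

```python
import hashlib
import hmac
import os

# Example parameters (chosen for this illustration, not taken from the article):
# a high PBKDF2 iteration count makes every guess expensive, and a 16-byte
# random salt makes every stored hash unique even for identical passwords.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored digest from a password and its salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> str:
    """Create the string an organization stores instead of the plaintext.

    Format: algorithm$iterations$salt_hex$digest_hex. The salt is not secret;
    its job is to force an attacker to crack each stored hash separately.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_record(password: str, record: str) -> bool:
    """Log-in check: re-hash the candidate with the stored salt and compare.

    hmac.compare_digest avoids leaking how many bytes matched via timing.
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_make_digests_differ(password: str) -> bool:
    """The same password stored twice yields two unrelated digests: the point of salting."""
    rec_a = make_record(password)
    rec_b = make_record(password)
    return rec_a.split("$")[3] != rec_b.split("$")[3]


if __name__ == "__main__":
    stored = make_record("correct horse battery staple")
    print("stored record:", stored)
    print("right password accepted:", check_record("correct horse battery staple", stored))
    print("wrong password rejected:", not check_record("correct horse battery stapler", stored))
    print("salting works:", salts_make_digests_differ("hunter2"))
```

The iteration count is what turns "run every guess through the same hashing algorithm" into a cost for the attacker: each guess against a record pays the full PBKDF2 price, and because every record carries its own salt, guesses cannot be shared across users.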

Although technology has advanced, making password cracking faster, many compliance standards (like PCI DSS) still recommend the 90-day reset rule. But as we’ll see, that rule is being reconsidered.

Why Are Some Organizations Moving Away from Expiries?

One reason is that frequent password resets encourage poor password habits. Users often make small adjustments to their existing passwords, like changing "Password1!" to "Password2!"—a practice that weakens security. In such cases, the problem isn't the act of resetting the password but rather weak password policies that allow predictable passwords to slip through.

Another factor is the sheer cost of password resets for IT teams. Gartner estimates that 20-50% of help desk calls are related to password resets, and each reset can cost about $70 in labor, according to Forrester. This expense adds up, especially when users forget their new passwords after being forced to create them.

To reduce this burden, some organizations may consider requiring users to create strong passwords just once, and then set them to "never expire."

What Are the Risks of 'Never Expire' Passwords?

While a strong password might provide some sense of security, it’s far from foolproof. Even the strongest passwords can fall victim to phishing schemes, data breaches, or other cyber incidents without the user realizing it. A study by Specops found that 83% of passwords that were compromised still met regulatory standards for length and complexity.

The issue worsens when users reuse their passwords across multiple platforms, like their Facebook or Netflix accounts. The risk of password compromise rises dramatically in such cases, regardless of an organization's internal security policies. A survey by LastPass found that while 91% of users knew the risks of password reuse, 59% admitted to doing it anyway.

Another risk with "never expire" passwords is that compromised credentials can go undetected for long periods. The Ponemon Institute found that it takes an average of 207 days for an organization to detect a breach. Even if passwords are set to expire eventually, attackers can still achieve their objectives before any expiration occurs. This is why NIST and other cybersecurity guidelines recommend setting passwords to "never expire" only if you have mechanisms in place to identify compromised accounts.

How to Detect Compromised Passwords

To manage password security effectively, organizations need more than just an expiration policy. They should guide users toward long, strong passphrases of at least 15 characters. Every added character multiplies the number of guesses an attacker must try, so longer passwords drastically reduce the chance that a brute-force attack succeeds.

Organizations can also implement length-based aging policies, where stronger, longer passwords can be used for extended periods before expiring. This method provides flexibility and eliminates the need for one-size-fits-all password expirations, assuming users adhere to the organization's password policies.

Additionally, organizations must put mechanisms in place to detect compromised passwords, as even strong passwords can be vulnerable. Once a password has appeared in a breach, even the strongest one is effectively cracked on the spot, because attackers test leaked credentials directly rather than guessing them. Thus, a comprehensive password strategy that covers both weak and compromised passwords is crucial for effective security.
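The three controls described in this section (a 15-character floor, length-based aging, and a compromised-password check) combined into one policy evaluation, as an added example rather than code from the original article. The aging tiers, the breach corpus and the sample passwords are constructed for the illustration; the hashed-prefix lookup mirrors the k-anonymity range-query shape used by breach-lookup services, with SHA-1 serving only as a lookup key, never for password storage.

```python
import hashlib
from datetime import date
from typing import Dict, List, Optional

MIN_LENGTH = 15  # the passphrase floor the article recommends

# Length-based aging tiers: (minimum length, maximum age in days).
# Constructed policy for this example; an organization sets its own values.
AGING_TIERS = [
    (15, 365),   # 15-19 characters: rotate yearly
    (20, 730),   # 20+ characters: rotate every two years
]

# Constructed stand-in for a breach corpus. Real deployments query a breach-lookup
# service or a local copy of its data; the lookup below sends only a 5-character
# SHA-1 prefix and compares suffixes locally, so the password itself never leaves.
BREACHED_SAMPLES = {
    "password": 9_000_000,
    "Password1!": 120_000,
    "Password2!": 3_400,
    "correct horse battery staple": 2_800,  # long and strong, yet leaked
}


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(samples: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the corpus by 5-character prefix, as a range endpoint would return it."""
    table: Dict[str, List[str]] = {}
    for plaintext, count in samples.items():
        digest = _sha1_upper(plaintext)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(BREACHED_SAMPLES)


def breach_count(password: str) -> int:
    """Return how often the password appears in the corpus (0 if never seen)."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in RANGE_TABLE.get(prefix, []):
        seen_suffix, count = line.split(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


def max_age_days(length: int) -> Optional[int]:
    """Maximum age allowed for a password of this length; None means below the policy floor."""
    allowed = None
    for min_len, age in AGING_TIERS:
        if length >= min_len:
            allowed = age
    return allowed


def evaluate_password(password: str, set_on: str, today: str) -> str:
    """Combine the three controls: length floor, breach check, length-based aging.

    Dates are ISO strings (YYYY-MM-DD). Returns one of
    'reject:too_short', 'reject:compromised', 'expired', 'ok'.
    """
    if len(password) < MIN_LENGTH:
        return "reject:too_short"
    if breach_count(password) > 0:
        return "reject:compromised"   # strength is irrelevant once leaked
    age_limit = max_age_days(len(password))
    age = (date.fromisoformat(today) - date.fromisoformat(set_on)).days
    if age_limit is not None and age > age_limit:
        return "expired"
    return "ok"


if __name__ == "__main__":
    for pw, set_on in [("correct horse battery staple", "2024-01-01"),
                       ("glacier mantis velvet 77 orbit", "2024-01-01"),
                       ("glacier mantis!", "2023-01-01")]:
        print(f"{pw!r:36} -> {evaluate_password(pw, set_on, '2024-06-01')}")
```

The order of the checks matters: the breach lookup runs before the age calculation, so a leaked 28-character passphrase is rejected even though its length would otherwise earn it the longest rotation interval. That is the practical form of the article's point that a long-lived password is only acceptable when something is watching for compromise.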


By rethinking password expirations and focusing on better detection and password strength, organizations can strike a balance between user convenience and robust cybersecurity practices.