Your password is set to expire in 2 days. Please reset your password now.
Many people react to that message with a grumble or groan. Again? Already?
Considering the way people choose new passwords, many authorities are questioning whether this mandatory password reset policy is even worth it.
The Problem With Password Reset Policies
Recent guidance from the National Institute of Standards and Technology (NIST) and Microsoft®has questioned the value of this password reset policy. Their research indicates that people have such poor password practices that the reset policy is counterproductive.
For example, in response to password reset policies, users frequently:
- Select passwords that just add a number to an existing password (e.g., ACAaponix1, ACAaponix2, ACAaponix3, etc.)
- Reuse passwords (if allowed)
- Use passwords that are easily guessed (e.g., password1)
- Write passwords down
Rather than have users choose even more insecure passwords, NIST and Microsoft suggest just doing away with the password reset policy completely. Unless a password has been compromised, they say just let it stay in use.
The Problem(s) With Doing Away With Password Resets
This line of thinking has a number of problems.
- Password resets prevent ongoing damage.
Changing passwords at a specified time limit has benefits beyond current access protections. For example:
- Halting ongoing unauthorized access that may remain undetected
- Preventing access to systems that are compromised while the access is in a dormant state (e.g., on the dark web potentially being sold for auction)
In general, a best practice is to assume that every password will be compromised (stolen, hacked, or bypassed) at some point. A password reset policy, despite poor password practices, provides added protection.
- Password resets provide protection when other cybersecurity controls are not in place.
Password reset policy removal might be acceptable if there are other protective cybersecurity controls in place (see below). But if this is the only real control, doing away with it is not advisable.
Only remove the password reset policy if there are other robust cybersecurity controls in place.
Solid cybersecurity controls in the following areas, for example, would make consideration of modifications to the password reset policy feasible:
- Use of a secure password management tool to store and generate strong/unique passwords
- Multi-factor authentication (MFA)
- Least privileged access (only allowing the minimum access needed for a user’s role)
- Conditional access (only allowing access from trusted devices/networks)
- Anomaly detection/logging
- Risk assessments and subsequent control implementation
- Mechanisms to ensure employee compliance with cybersecurity policies and procedures
If you have those other controls you might remove your password reset policy, although it still might be worth keeping for ongoing damage reasons.
If you don’t have those other controls, do not abandon the reset policy. Keep those “set to expire” messages coming.
How We Help
ACA offers the following solutions that can help firms enhance their cybersecurity:
- Password strength best practices
- Phishing testing and cyber awareness
- Penetration testing and vulnerability assessments
- Threat intelligence
About the Author
Ibrahima (Ebu) Mbaye is a Senior Principal Consultant at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. In his role, Ebu conducts technology risk assessments, Office 365 assessments, AWS assessments for ACA clientele, and also works as a virtual CISO (vCISO) for some clients.
Before joining ACA Aponix, Ebu served as the Global Chief Information Security Officer at Computer Generated Solutions, before joining CGS Ebu was the Chief Information Security Officer at HBK Capital Management and the Global Head of Information Security at AGT International. Earlier in his career Ebu held multiple management and engineering roles at international banks and asset management firms.
Ebu earned his Bachelor of Science degree in Computer Information Systems from John Jay College of New York. He is also a Certified Information Security Manager (CISM), a Certified Information Systems Security Professional (CISSP), a Certified Ethical Hacker (CEH), and a Certified Penetration Tester (CPT).