Why Required Password Changes Reduce Security

So I was listening to the Risky Business podcast this week and heard Adam Boileau mention something extremely juicy in passing during the news segment.

Patrick asked him about Microsoft removing password expiration in an upcoming version of Windows, and if he thought that was a good or bad thing. His response was super interesting.

They also mention later that there are exceptions where you definitely want to rotate them.

Patrick pushed further, and here’s how he expanded on it.

He went on to say that this is because, “you settle on a scheme.”

Patrick wanted him to write a report on this—which would be fantastic—but Adam said he’s too busy.

And 2FA of course.

But I thought it was a brilliant nugget, and too good not to capture.

Basically, empirical data showing that if you’re using super-strong passwords—that are unique—it’s markedly worse to force users to change them often because the organization will end up with weaker ones over time.

Good to know.

And I do hope Adam eventually writes that paper.

Notes

1. This has always been intuitive to me, and I’m sure many others, that if you rely on the human they’ll build security that matches their limitations (in this case memory). This is why there’s been such a push for password managers. It was just so interesting to hear about actual data collected to support our intuition.

2. Some might say we’ve not yet seen the data, so we can’t really come to any conclusions. My response is that you have to choose to trust if you want to expand your knowledge of the world beyond your own experience. And the Risky Business show, Patrick, and Adam are definitely on that list for me.

Related posts:

1. Comparing My Top Four Security Podcasts/Newsletters

2. My 3 Favorite Security Podcasts, And How They’re Different From Each Other

3. 10 Behaviors That Will Reduce Your Risk Online