Password expiration, and the password rotation it forces, has long been a pillar of identity management in IT. But with modern tooling there are good reasons why you may no longer need it.
To be clear, this isn't a blanket statement for all organizations. For some, rotating passwords may be the right thing to do, and it may even be required by their auditors. But newer research and guidance, notably NIST SP 800-63B, which advises against forcing periodic changes and instead requires a change only when there is evidence the password has been compromised, suggest that expiring passwords on a schedule is less beneficial than once thought, in part because users answer a forced change with a small, predictable edit to the old password.
Why Rotate Passwords?
The main impetus behind password expiration is that some end users reuse the same password across many sites and resources, and even share passwords with colleagues. Reused and shared passwords are common problems in organizations, and if one is compromised, every system it unlocks is exposed.
The argument is that if the password is rotated regularly, a breach of some other site that leaks it only exposes the organization until the next rotation, rather than indefinitely. Rotation also discourages sharing, because a shared password would soon stop working. But in today's IT landscape this traditional reasoning is being challenged.
Password Rotation Today
As IT practices have matured, more users are becoming savvy about protecting their passwords. Password managers have reduced the frequency of shared passwords and of the same password being used in multiple places: they generate long random passwords and store them, so users don't need to remember them or write them down where they can be found.
Perhaps the most important advancement in protecting password-based logins has been the spread of two-factor and multi-factor authentication (2FA and MFA). Even if a password has been compromised, an attacker would also need the second factor, often a time-based one-time code or a physical token, to authenticate to the IT resource. That extra hurdle is a steep one for attackers; Symantec has found that 85% of breaches could have been prevented using 2FA. Not all second factors are equal, though: one-time codes can be phished in real time, whereas FIDO2/WebAuthn authenticators bind the login to the site's origin and resist that.
*** This is a Security Bloggers Network syndicated blog from Blog – JumpCloud authored by Zach DeMeyer. Read the original post at: https://jumpcloud.com/blog/why-no-password-expiration/