Why am I forced to change my password on a regular basis?

I get asked various questions throughout the day about safety, compliance, policies, technologies, etc.  Below is my detailed response to the question: why do we need to change our passwords on a regular basis?

Why do we change passwords on a regular basis?

  1. Some regulations and standards require it.
  2. It limits the damage if an attacker obtains the protected (i.e., hashed) passwords from a system.  Ideally the password expires before the attacker can recover it from the hash by brute force and use it.  That is, the hashing must be strong enough to hold off the brute-force attack for the length of the expiration window (90 days, for example).  This is becoming harder as cracking hardware gets faster.
  3. Passwords are often stolen (e.g., via phishing) without the victim's knowledge and not used immediately; they are sold on to organized crime.  A password change made before the stolen credential is used denies the buyer access.

What are healthcare companies doing?

  1. Below are the results from an informal and non-scientific survey posted to the “National Health Infrastructure Information Sharing & Analysis Center” email distribution list in September 2016.
  2. Question asked: How often are people resetting passwords?
  3. Results (number of respondents per expiration interval):
    • 30 days – 1
    • 60 days – 2
    • 90 days – 10
    • 120 days – 2
    • 365 days – 2

What is some recent research on mandatory password expiration?

  1. Both the Federal Trade Commission (FTC) and the National Institute of Standards and Technology (NIST) have published papers and blog posts on requiring individuals to change their passwords on a regular basis.  The FTC blog post cites studies from several universities.

What are some key points from the NIST posting?

  1. Routine password expiration is “out.”  Forced expiration encourages users to pick less complex passwords and to reuse one password across accounts (e.g., the same password for Gmail and the work network login).  Passwords should be changed only when there is evidence of compromise.
  2. Longer passwords are “in”: at least 8 characters, and systems should accept passwords of at least 64 characters.
  3. Screening new passwords against lists of known weak or compromised passwords is “in” (e.g., rejecting “P@ssw0rd”).

What are some key points from the FTC blog posting?

  1. Individuals who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily (e.g., “B@dpassword1” becomes “B@dpassword2”).
  2. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may do more harm than good.  Even when a password has been compromised, changing it may be ineffective if the underlying security problem (the phishing page, the malware, the exposed database) is not corrected as well.

Where can I find more information?

I used the resources below to help with my response to your great question.

  1. http://www.slideshare.net/jim_fenton/toward-better-password-requirements
  2. https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
  3. http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2015-10/oct23_choong_password.pdf
  4. https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
  5. https://pages.nist.gov/800-63-3/

The Takeaways:  

  1. Each organization needs to critically evaluate all of its current administrative policies related to password management, weigh the costs and benefits of password expiration, and consider other changes.  For example, a company may extend the password expiration time from 90 days to 180 days (or longer) but require longer passwords or passphrases.  Based on the work of one researcher, the length would have to be at least 14 characters to withstand a brute-force attack.
  2. Periodic password expiration will continue to be used at many organizations for several reasons:
    • Several regulations and standards still require periodic password changes.  For example, the Payment Card Industry Data Security Standard (version 3.1) requires passwords to be changed every 90 days.  HIPAA only states that passwords need periodic change cycles.  The Health Information Trust Alliance’s Common Security Framework (version 8.0, a security-controls framework for healthcare companies) requires passwords to be changed every 90 days.
    • Several applications do not support long passwords, so forced password resets would still be needed for them.
