Full Report
The US government is finally admitting there’s no need – instead, to fend off cyber-attacks we need passwords that are long but memorable

Over the past decade or so, people have accumulated a vast array of logins for dozens of sites and apps, as more of our work and home lives moves on to the internet. That’s why it has never made sense that so many IT departments have belligerently insisted on maintaining a major hurdle to password management. Namely, the need to change passwords regularly.

It’s a familiar scenario. You arrive at the office and need to log on to your company laptop quickly, before your morning meeting. But speed is not going to be of the essence today, because an annoying prompt has appeared: you need to change your password.

Kate O’Flaherty is a freelance technology journalist
Analysis Summary
# Best Practices: Modern Password Security and Management
## Overview
These practices address the shift in cybersecurity consensus away from mandatory frequent password resets and towards longer, more memorable passphrases, focusing on reducing user friction that leads to weak security behaviors.
## Key Recommendations
### Immediate Actions
1. **Cease Mandatory Password Expiration:** Immediately remove any organizational policies requiring users to change their passwords on a fixed schedule (e.g., every 90 or 365 days) unless a compromise is suspected.
2. **Inform Users of the Change:** Communicate clearly to all staff that mandatory periodic password resets are no longer required, citing guidance from NIST and NCSC.
3. **Audit Password Strength Metrics:** Review current password policies to ensure they disallow extremely short or trivially guessable passwords, focusing on minimum length requirements immediately.
### Short-term Improvements (1-3 months)
1. **Implement Password Length Enforcement:** Configure authentication systems to enforce a minimum password length of **15 characters** (ideally) or at least **8 characters**, with a maximum limit of 64 characters.
2. **Promote Passphrase Adoption:** Actively educate users on creating strong, long passphrases (e.g., using three random words) rather than complex but short, rotated character strings.
3. **Restrict Substitution Tricks:** Explicitly warn users against common obfuscation techniques like replacing 'o' with '0' (leetspeak), as these are easily defeated by attackers and hinder memorability.
4. **Migrate Off Weak Passwords:** Initiate checks to identify users still employing known common or weak passwords (e.g., "password123") and force an immediate, one-time reset for those specific accounts, providing guidance on passphrase creation.
### Long-term Strategy (3+ months)
1. **Investigate Passwordless Solutions:** Begin researching and piloting modern, phishing-resistant authentication methods such as FIDO standards (WebAuthn), utilizing biometrics (Face ID, Touch ID) or secure hardware tokens (YubiKey) as replacements or primary factors instead of relying solely on passwords.
2. **Strengthen Compromise Detection:** Enhance monitoring and threat intelligence integration to rapidly detect and respond to password compromise events, ensuring that resets are only triggered when a direct threat is identified, not proactively.
3. **Establish Secure Password Choice Training:** Roll out comprehensive training focused on password memorability vs. complexity, emphasizing methods like the "three random words" technique over complex rotations.
## Implementation Guidance
### For Small Organizations
- **Focus on Policy Change:** Immediately align internal password policies with current NIST standards to eliminate unnecessary reset friction.
- **User Education:** Use a single, clear announcement (email or short meeting) backed by links to NCSC resources to explain the new, simpler, stronger password rules.
- **Tool Leveraging:** If budget allows, adopt a reputable password manager to help users manage long, unique passphrases across different services.
### For Medium Organizations
- **System Configuration:** Systematically update Group Policy Objects (GPOs), Active Directory/LDAP settings, and application login modules to reflect the new minimum and maximum length requirements.
- **Helpdesk Preparation:** Train IT support staff on the rationale behind dropping mandatory resets to handle user inquiries effectively and reinforce new best practices.
- **Baseline Auditing:** Run reports to identify and remediate accounts utilizing the top 10 most common passwords identified in industry reports.
### For Large Enterprises
- **Phased Rollout:** Develop a formal roadmap to phase out password reliance, possibly starting with enabling FIDO authentication as an *option* before attempting widespread mandates.
- **Framework Alignment:** Formally document the updated password rotation policy within the enterprise security framework and conduct an impact assessment against existing compliance requirements.
- **Incident Response Integration:** Update Incident Response Playbooks to clearly define the specific conditions under which a forced password reset will be actioned (i.e., confirmed compromise vs. routine schedule).
## Configuration Examples
*None explicitly detailed in the text, beyond character limits.*
**Policy Parameter Recommendations (Based on NIST/NCSC Guidance):**
| Setting | Recommended Value | Notes |
| :--- | :--- | :--- |
| Minimum Length | 15 characters (preferred) or 8 characters (minimum) | Focus on length over complex character substitution. |
| Maximum Length | 64 characters | Prevents overly long pre-hashed passwords or storage issues. |
| Expiration Frequency | Disabled (unless compromise detected) | Do not enforce periodic resets. |
| Reset Trigger | Confirmed compromise (breach, suspicious activity) | Only reset on verifiable risk events. |
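The policy in the table above, carried through as an added worked example that is not from the article, NIST or NCSC: a small Python checker that enforces the 8/15/64 length bounds, rejects known common passwords even after leetspeak substitutions have been undone, and triggers a reset only when a compromise flag is raised, never on password age. The blocklist, the substitution map and the account names are constructed samples; a real deployment would load a published common-password list.

```python
"""Length-first password policy with compromise-driven resets.

Added illustration of the policy table above. The COMMON_PASSWORDS set and
LEET_MAP are constructed samples, not a real breached-password feed.
"""

MIN_LENGTH = 8          # hard floor: anything shorter is rejected
PREFERRED_LENGTH = 15   # advisory target (e.g. three random words)
MAX_LENGTH = 64         # cap so the hashing/storage layer has a bound

# Constructed sample blocklist standing in for an industry "top N" list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}

# Constructed map of the substitutions users typically apply ('o' -> '0', etc.).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions, so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


# Normalise the blocklist once so both sides are compared in the same form.
NORMALIZED_COMMON = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(password: str) -> dict:
    """Apply the policy table: returns accepted flag plus human-readable errors/warnings."""
    errors, warnings = [], []
    n = len(password)
    if n < MIN_LENGTH:
        errors.append(f"shorter than the minimum of {MIN_LENGTH} characters")
    elif n < PREFERRED_LENGTH:
        warnings.append(f"accepted, but {PREFERRED_LENGTH}+ characters is recommended")
    if n > MAX_LENGTH:
        errors.append(f"longer than the maximum of {MAX_LENGTH} characters")
    # Leetspeak does not rescue a blocklisted password: compare the normalised form.
    if normalize(password) in NORMALIZED_COMMON:
        errors.append("matches a known common password (after undoing substitutions)")
    return {"accepted": not errors, "errors": errors, "warnings": warnings}


def login_decision(username: str, password: str, compromised: bool) -> str:
    """Decide at successful login, the only moment the plaintext is briefly available.

    Returns 'allow', 'reset:weak' (one-time migration off a weak password) or
    'reset:compromised' (breach/suspicious-activity signal). Password age is
    deliberately not an input: there is no 'reset:age' outcome.
    """
    if compromised:
        return "reset:compromised"
    if not check_password(password)["accepted"]:
        return "reset:weak"
    return "allow"


if __name__ == "__main__":
    # Constructed accounts for a quick demonstration run.
    samples = [
        ("alice", "password123", False),
        ("bob", "correct horse battery staple", True),
        ("carol", "correct horse battery staple", False),
        ("dave", "P@ssw0rd", False),
    ]
    for user, pw, flagged in samples:
        print(user, "->", login_decision(user, pw, flagged), check_password(pw)["errors"])
```

The compromise flag is meant to come from breach monitoring or the incident response process; `login_decision` never consults when the password was last changed, which is the behaviour the Expiration Frequency and Reset Trigger rows ask for.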
## Compliance Alignment
- **NIST SP 800-63B:** This guidance directly reflects the updated NIST Digital Identity Guidelines, which drop mandated periodic rotation in favour of length-based strength and resets driven by evidence of compromise.
- **NCSC (National Cyber Security Centre):** Consistent with NCSC's long-standing advice against forced regular password expiration.
## Common Pitfalls to Avoid
- **Reverting to Short Passwords:** Users, relieved from frequent changes, might default to extremely short or easily guessed passwords because they are easier to remember. Counter this with strong minimum length enforcement.
- **Ignoring Passphrase Obfuscation:** Believing that swapping a single character (to get past a complexity filter) makes a password secure. Attackers expect these patterns and defeat them easily.
- **Partial Policy Updates:** Removing the 365-day check but failing to set a meaningful minimum length (e.g., keeping it at 6 or 7 characters).
- **Forcing "Creative" Resets:** Creating complex internal rules about acceptable characters or structure, which discourages memorability and leads to predictable, simple pattern alterations.
## Resources
- **NIST SP 800-63B (Digital Identity Guidelines):** Primary technical reference for authentication standards.
- **NCSC Top Tips:** Guidance on using three random words for password creation.
- **FIDO Alliance:** Resources for exploring passwordless authentication leveraging biometrics and hardware tokens.
- **Industry Password Lists (e.g., NordPass reports):** Use these to understand the typical weak passwords employees might be using to improve baseline auditing.