Is Password Expiration Antiquated?

By Zach DeMeyer Posted June 23, 2019

With all of the changes in the identity and access management (IAM) world, is password expiration antiquated now? It’s a great question and highly relevant in light of NIST’s latest guidance (and not to mention changes from major organizations, like Microsoft®). With that in mind, let’s talk about the evolution of password expiration and rotation.

The History of Password Rotation

Historically, password rotation has been a core part of an IT admin’s approach to security. With less security-savvy end users sharing passwords to IT resources and a lack of enhanced IAM security, it made a great deal of sense why IT organizations would enforce password expiration/rotation. By keeping these passwords “fresh”, IT admins could limit the amount of time a potentially compromised set of credentials would be valid/usable to breach a company’s resources. Not to mention that if there were shared passwords as the passwords were rotated, old users would no longer have access.

While the concept of password expiration may still be highly relevant for your organization, for many organizations, asking end users to rotate their passwords may not be necessary.

Changing the Password as We Know It

As security researchers continue to analyze password safety, they are shifting their recommendations from those made in yesteryears. These have been encapsulated by NIST in their latest guidelines, which call for the use of longer passwords wherever possible and recommend against rotating passwords. Internally, Microsoft has also decided against password rotation among their employees. Add in the possibility of using multi-factor authentication (MFA), and the game is completely different on password security.

Another critical innovation has been the call for end users to use unique passwords wherever possible. With this push in protocol, the use of password managers have also increased significantly. Other vendors are looking to forego the password altogether, using biometrics and phone notifications to serve the same purpose as passwords for authentication. These changes have signaled an opening for a new approach to password expiration.

Of course, not every organization can move away from password expiration—some rely on it to meet their compliance and regulatory responsibilities. Regardless of your viewpoint, it is good to know that there are options for organizations when it comes to solutions for password rotation/expiration, such as JumpCloud® Directory-as-a-Service®.

What is JumpCloud?

As the first cloud directory service, JumpCloud enables IT admins to manage their users and their access to virtually all of their IT resources. That includes systems, networks, email, applications, infrastructure, and more, regardless of platform, protocol, provider, or location. JumpCloud allows end users to leverage a single set of credentials for all of these resources, and allow admins to manage how those users’ passwords are maintained.

JumpCloud aids admins in their efforts to support their organization’s approach to password expiration, whether that is to eliminate password expiry altogether or keep it and enforce a rotation schedule. IT admins can use JumpCloud to enforce a time frame for end users to reset their passwords, as well as set complexity and length requirements to meet NIST standards if they need to.

Manage Passwords With JumpCloud

If you would like to manage your organization’s stance on password expiration/rotation, give JumpCloud a try today. Signing up for JumpCloud is completely free, with ten users in the platform included for free as well.

If you would like to learn more, consider scheduling a demo of the product or contacting us. We’d be happy to help you.

Zach DeMeyer

Zach is a writer and researcher for JumpCloud with a degree in Mechanical Engineering from the Colorado School of Mines. He loves being on the cutting edge of new technology, and when he's not working, he enjoys all things outdoors, making music, and soccer.

Recent Posts