With identity security becoming paramount, the concept of password expiration/rotation is coming into contention among today’s IT organizations. For instance, Microsoft® recently announced that they will no longer require password expiration for their internal employees. Beyond that, the Windows® 10 OS baseline security policy will not require password expiration. New NIST guidelines have also stated a similar point of view. While every company is entitled to their own password security policies, it might be best if organizations don’t expire passwords but extend and secure them instead.
Password Expiration Through the Years
Since the early days of identity security, password expiration/rotation has been a method employed by IT admins to cycle end users’ passwords. The thought process behind this practice was based around the estimation that the average computer of the day could determine a hashed password in around 90 days. So, to keep ahead of the “bad guys”, a user would have to cycle their password on a similar schedule.
Additionally, in order to simplify their own authentication process, end users are likely to reuse passwords/use personal passwords for work accounts. By enforcing password expiration, work passwords need to be continuously changed, eventually forcing the user to create unique passwords. Ideally, this would also make their passwords less likely to be compromised. Unfortunately, although there are certain benefits to this practice, there are also some major drawbacks.
Problems with Password Expiration
Having to frequently change their passwords often means that users are creating easier to remember, and therefore easier to hack, passwords. An example of this is the classic “password123” written on a sticky note stuck to the monitor. Although often treated comically, it is, unfortunately, a very serious reality for many IT admins. While it can be avoided by the use of password managers, the security risk of this practice is apparent. Another obvious repercussion of this is an increase in password reset tickets for help desk staff.
One of the core reasons behind password expirations, the limitation of computers past, is also no longer a factor. Today’s computers are much more adept at cracking a simply hashed password, and beyond that, today’s hackers are getting increasingly clever. Phishing, spoofing, and sophisticated social engineering schemes for stealing passwords are constant threats to IT organizations, and password expiration simply can’t defend against them.
Today’s Opinion of Password Expiration
Because of its obvious fallibility, many of today’s top voices in the IT space are strongly opposed to password expiration. A major example is Microsoft, whose solutions like Active Directory® long supported the practice of password expiration. The tech giant recently eliminated password expiration/rotation baseline policies from their most recent version of the Windows OS, Windows 10. In a recent discussion on the topic, Microsoft stated that while they no longer support these policies internally, they are very much in favor of minimum password length and complexity requirements.
Another big voice of IT, the National Institute of Standards and Technology (NIST) has also declared that password expiration is unnecessary in their most recent version of the 800-63 password guidelines. NIST is a widely required compliance standard, so for them to take a stance against password expiration is certainly significant.
Time to Stop and Think
Now, obviously, your organization might have security policies or other compliance regulations that require password expiration, but for those that have no driving reason for rotating user passwords, it might be time to look at authentication more holistically. If end users create a password that is long, complex, and backed by multi-factor authentication (MFA), their passwords will be significantly harder to crack, making password expiration simply unnecessary.
Now, there are several options IT admins could employ to help them enforce strong passwords paired with MFA, but there is really only one that they can leverage to do so across virtually all IT resources. Additionally, this solution features a True Single Sign-On™ experience, meaning end users only need a single set of strong credentials to access their systems, networks, applications, infrastructure, and more.
One Identity to Rule Them All®
True Single Sign-On is available from JumpCloud® Directory-as-a-Service®, the next generation cloud directory service for modern IT organizations. IT admins can use JumpCloud to manage their users and their access to all of said resources with the ability to enable MFA for many of them. JumpCloud also features configurable password complexity settings and SSH key management, making it easy for IT admins to enforce strong credentials across their entire organization. End users also benefit in that they have one password to gain access to virtually all of their IT resources.
Of course, if necessary, admins can also use JumpCloud to enforce password expiration. In this day and age, however, it may be easier on admins (and their end users) if they don’t expire passwords, but instead extend and secure them with complexity and MFA.
Try JumpCloud for Free
If you are interested in using JumpCloud to secure your organization’s passwords, you can do so absolutely free. Signing up for a JumpCloud account guarantees you ten complimentary users in the platform, usable forever. After you exceed ten users, you can explore our pricing page to see how JumpCloud can scale to meet your organization’s needs.
If you would like to learn more about the Directory-as-a-Service product, please contact us. We’d be happy to share more information with you. You can schedule a personalized demo of the product for free as well.