Cyber security is the hot topic these days with hackers having their way with unsuspecting victims, and proper password management is a great first line of defense against intruders before they have a chance to breach your system completely. When it comes to password protection, the old rule of thumb has been: change them, and change them often. Experts, though, are now suggesting that you shouldn’t be changing your password nearly as often as once believed. “But that doesn’t make any sense!” screams the IT professional. Well, actually, when you look at the science behind it – yes, I said science – it all starts to make a lot of sense.
An article recently published on the FTC’s website states that a study conducted by the University of North Carolina at Chapel Hill found that regular password changes affect the security level of the passwords themselves because of the way the human brain works. UNC researchers formulated algorithms using the passwords of over 10,000 inactive accounts of former university students, faculty and staff. In addition to these passwords, researchers were also given access to each of these users’ previous passwords, in sequences ranging from four to 15. The resulting algorithms illuminated the fact that the more often someone was prompted to change their password, the less mental effort went into making sure the password was unique. After just a couple of password changes, the brain begins to simplify the process by only changing a single character, or by reusing old passwords that expired several issuances ago. Because the uniqueness of the password is quickly lost over time, the account is more susceptible to a security breach because the pattern becomes easy to predict.
So, how often should you change your password? Well, the National Institute of Standards and Technology (NIST) actually recommends a few other methods of maintaining password security to enterprises that maintain sensitive data within their systems:
- Encourage your associates to put effort into creating their initial passwords so that they have longevity and uniqueness – something that they can remember, but can’t be linked to any of their personal accounts.
- Limit the number of log-in attempts for the system in question: the fewer attempts at guessing a password a hacker has, the better the chances are you won’t have to worry about a security breach.
- Instead of requiring mandatory password resets, require that users adhere to specific password length and complexity requirements. If they are able to establish a fairly lengthy and complex password from the initial set-up, the more likely the password will endure.
- Multifactor authentication! Combining different password protection procedures is always better than relying on a single method of user authentication.
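To make the list above concrete, here is a small password-policy check written as an added example for this post (it is not code from the FTC article, the UNC study or NIST). It applies three of the points: a minimum length instead of forced rotation, a history check that rejects reuse of recent passwords, and a similarity check that catches the “just change one character” habit the UNC study describes, plus a per-account log-in attempt limiter. The thresholds (12 characters, five remembered passwords, an edit distance of at least 3, five failed attempts per 15 minutes) are illustrative assumptions chosen for the example, not numbers the post or NIST prescribes.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Illustrative thresholds: assumptions for this example, not values from the post or NIST.
MIN_LENGTH = 12          # enforce length rather than forced rotation
HISTORY_SIZE = 5         # how many previous password hashes are remembered per user
MIN_EDIT_DISTANCE = 3    # a new password one or two edits away from the old one is rejected
MAX_ATTEMPTS = 5         # failed log-ins tolerated per window
LOCKOUT_SECONDS = 900    # length of the sliding window (15 minutes)
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || digest as one blob for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def matches_hash(password, stored):
    """Constant-time comparison of a candidate password against a stored blob."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def edit_distance(a, b):
    """Levenshtein distance, case-insensitive, so 'Winter2023' vs 'winter2024' is 1 edit."""
    a, b = a.casefold(), b.casefold()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new_pw, current_pw, history):
    """Return a list of policy violations; an empty list means the change is accepted.

    The user proves knowledge of the current password when changing it, so its
    plaintext is available for the similarity check; older passwords exist only
    as hashes, so those are checked for exact reuse.
    """
    problems = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if edit_distance(new_pw, current_pw) < MIN_EDIT_DISTANCE:
        problems.append("too similar to the current password")
    if any(matches_hash(new_pw, h) for h in history):
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def rotate(new_pw, current_hash, history):
    """Push the current hash into the bounded history and return the new stored blob."""
    history.append(current_hash)
    del history[:-HISTORY_SIZE]
    return hash_password(new_pw)


class LoginLimiter:
    """Per-account sliding window: after MAX_ATTEMPTS failures within
    LOCKOUT_SECONDS, further attempts are refused until old failures age out."""

    def __init__(self):
        self._failures = defaultdict(deque)

    def allowed(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= LOCKOUT_SECONDS:
            q.popleft()
        return len(q) < MAX_ATTEMPTS

    def record_failure(self, account, now):
        self._failures[account].append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


if __name__ == "__main__":
    # Constructed sample: a user tries the single-character change the study describes.
    old_hash = hash_password("CorrectHorseBattery1")
    print(check_new_password("CorrectHorseBattery2", "CorrectHorseBattery1", [old_hash]))
    print(check_new_password("Totally-Different-Phrase-9", "CorrectHorseBattery1", [old_hash]))
```

The similarity check deliberately compares only against the current password, because that is the one plaintext the change flow legitimately has in hand; the older passwords stay hashed and are only tested for exact reuse.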
If you put a combination of any of the above suggestions in place, then you can maintain password security without the dreaded mandated company-wide password change. When employees are able to maintain strong, distinct passwords, the company’s information remains safe and your associates don’t relax their personal security standards because they’re tired of changing their passwords, yet again.