Forcing users to change passwords regularly is STUPID, especially now in 2022

By Leonard Sengere

At some point, security experts scrambled to find a way to protect the masses online from ever more capable attackers, whose skills and daring have grown over the years. The experts crunched the numbers and settled on one thing that would reduce our chances of getting hacked: passwords. Strong ones.

The logic of stronger passwords is supported by the math. A brute-force attack tries every possible combination, so the number of candidates grows with the size of the character set and, exponentially, with the length. The longer the password, the better, and mixing lowercase and uppercase letters, numbers and special characters (like !@#$) enlarges the set of characters the attacker has to try at every position.

A simple graphic by Security.org, via Statista, shows that an 8-character password of lowercase letters only would be cracked instantly, while an 8-character one that also contains an uppercase letter, a number and a special character would take about 8 hours. Either way, 8 characters is simply too short in 2022. One caveat the chart does not spell out: these times assume an attacker who has obtained the password hash (from a leaked database, say) and can test guesses offline at hardware speed against a fast hash. Guessing against a live login form is throttled by rate limiting and lockout, so the numbers describe the leaked-database case, not someone hammering a login page.

A 12-character password with an uppercase letter, a number and a special character would need 34,000 years to be cracked.

It should be mentioned that as computers gain in power (and as cracking moves onto GPUs and rented cloud rigs), these times shrink. So get ready to be told your 18-character password is too short in a few years' time.

Of course the public accepted this sound advice, to an extent. We started by adding ones and twos to our names but eventually came up with properly complex passwords. We had no choice: the security guys mocked our 'weak' efforts and forced us to come up with things like !CH0_ch1b@b3$T. We thought that was that, but we had given the security experts an inch and they wanted the whole mile.

Forced password changes

Suddenly, it wasn't enough to have a long, strong, complex password. You had to come up with a new long, strong, complex password every so often. This is where they lost us. I hate this security policy, I hate it with all my being. I am not the only one with strong negative feelings about it, and the research bears this out.

On paper, changing a complex password regularly should improve security. That is, if we ignore human behaviour and the limits of the human brain.

As it is, asking me to remember a 15-character string of uppercase letters, numbers and symbols is a heck of an ask, especially for a password I only type once in a while. That is the reality for most people: we stay logged in until something goes wrong.

Further asking us to come up with and remember a new complex password every other month is, frankly, too much. It turns out that when we were forced to do this, we all just ended up either adding a 1 at the end or writing the password in a diary.

Human behaviour cannot be conquered

So, the measure is meant to (a) make historical password information useless, which doesn't materialise because users just add a 1 to their existing complex password and attackers know to try that first, (b) create a moving target for attackers and (c) force users to think about security. Instead,

  • users will re-use passwords from other accounts. You can't expect them to have a different 15-character combination for each and every account they have.
  • users will forget passwords
  • to make sure they don't forget again, they will write the passwords down
  • and to doubly make sure, they will choose weaker passwords, which often just means adding a 1 to the current one

All this defeats the purpose of the security measures.
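The two points above can be put side by side in code. The following is an added example, not code from the article: it works through the brute-force arithmetic behind the crack-time chart quoted earlier, then shows how small the search space becomes when the attacker already knows the previous password and simply tries the obvious transforms, and finishes with the check a password-change form can run to reject such transforms. The guess rate, the charset sizes and the transform list are my assumptions (the article's chart used its own rate, so the absolute times differ while the shape of the result does not).

```python
"""Added example, not code from the article: the brute-force arithmetic behind
the crack-time chart quoted above, next to the 'just add a 1' problem from the
section on forced changes.

Assumptions (mine): an offline attacker who holds the password hash and can
test GUESSES_PER_SECOND candidates against a fast, unsalted hash. The transform
list in derived_candidates() is a small illustrative set, not an exhaustive
cracking rule set."""

import re
import string

GUESSES_PER_SECOND = 1e11  # assumed GPU rate for a fast hash such as MD5/NTLM

CHARSETS = {
    "lower": string.ascii_lowercase,
    "lower+upper": string.ascii_letters,
    "lower+upper+digit": string.ascii_letters + string.digits,
    "lower+upper+digit+symbol": string.ascii_letters + string.digits + string.punctuation,
}


def search_space(length, charset):
    """Number of candidates a blind brute force must be prepared to try."""
    return len(charset) ** length


def seconds_to_exhaust(length, charset, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole space at the assumed offline rate."""
    return search_space(length, charset) / rate


def split_trailing_digits(pw):
    """'Summer2022' -> ('Summer', '2022'); no trailing digits -> (pw, '')."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), m.group(2)) if m else (pw, "")


def derived_candidates(old):
    """Guesses an attacker who knows the previous password tries first:
    bump the trailing number, or tack on a digit or a common suffix."""
    base, digits = split_trailing_digits(old)
    cands = set()
    if digits:
        cands.add(base + str(int(digits) + 1).zfill(len(digits)))  # Summer2022 -> Summer2023
        cands.add(base)  # user dropped the number altogether
    for d in string.digits:
        cands.add(old + d)
    for suffix in ("!", "1", "!1", "1!", "#", "$", "2022", "2023"):
        cands.add(base + suffix)
        cands.add(old + suffix)
    if old:
        cands.add(old[0].swapcase() + old[1:])
    cands.discard(old)
    return cands


def edit_distance(a, b):
    """Levenshtein distance, to catch small edits the transform list misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old, new, max_edits=2):
    """Policy check for a password-change form. The user has just proved
    knowledge of `old`, so it is available in plaintext for this comparison."""
    if new.lower() == old.lower():
        return True
    if new in derived_candidates(old):
        return True
    if split_trailing_digits(new)[0].lower() == split_trailing_digits(old)[0].lower():
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    for name, cs in CHARSETS.items():
        for n in (8, 12):
            years = seconds_to_exhaust(n, cs) / 3.15e7
            print(f"{n:2d} chars, {name:24s}: {years:12.4g} years")
    old = "!CH0_ch1b@b3$T"
    nominal = search_space(len(old), CHARSETS["lower+upper+digit+symbol"])
    print(f"nominal space of {old!r}: {nominal:.3g} candidates")
    print(f"effective space if the old one is known: {len(derived_candidates(old))} guesses")
    print("too_similar:", too_similar(old, old + "1"), too_similar(old, "correct-horse-battery-staple"))
```

The nominal search space for a 14-character mixed password is astronomically large; the effective space once an attacker holds the previous password and tries "old plus a digit", "old plus !" and "bump the year" is a few dozen guesses, which is the whole point of the section above. The similarity check is cheap to run at change time and is the kind of rule a password-change form should apply if a rotation policy is kept at all.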

Why researchers no longer recommend forced password changes

The benefit of frequent changes is doubtful. The fear is that a password might be stolen (phished, leaked in a breach or captured by malware, not necessarily brute forced) and an unauthorised user might gain access to a system or account. The question then becomes how likely that is. For most accounts the probability is low. The chance of a strong password being brute forced is lower still, and in any case people are now using the complex passwords they were made to use. This is also why NIST's digital identity guidelines (SP 800-63B) no longer recommend periodic changes and instead call for a change when there is evidence that the password has been compromised.

Then again, even if the chance that the password will be stolen is high, there are limited advantages to having users change passwords every 60 days. The attacker would have had weeks of access and harvested all the data they could handle by that point. If we really fear the passwords will be stolen, shouldn't they be changed daily, or even multiple times a day? Allowing 60 or 90 days of unauthorised access is stupid.

We can't ask users to change passwords daily, except in places like militaries, because we introduce the problem of people choosing weaker passwords they can remember, or writing them down where they can be stolen. So, we might as well try other ways to make sure passwords are not stolen, or to notice quickly when they are, rather than the half measure that is a 60-day expiry.

We also know that in the event of an actual breach, a mandatory password change is demanded immediately. So what does the 60-day change buy? If you are going to tell me to change my password because it has been compromised, the regular changes were for nothing.

The cost of forgotten passwords

People forgetting their passwords presents its own challenges: frustration for users, added work for system admins, and all of it for questionable benefit.

We mentioned the waste of money and time. In dollar terms, large US companies reportedly allocate about $1 million a year to password-related support, with a single password reset costing about $17.

You can imagine how a company like Econet, with millions of subscribers, would need a larger customer support staff, especially when you consider that between 20% and 50% of all IT help desk calls are for password resets, each taking 2 to 30 minutes to resolve.

No wonder even Microsoft decided the disadvantages of forced password changes outweighed the benefits: it dropped the password-expiration setting from its Windows security baselines in 2019.

What to do instead

There will be no perfect solution, but here's what experts are saying these days:

  • Monitor logins to detect unusual use (new device, new location, a burst of failed attempts followed by a success)
  • Notify users when attempts have been made to log in to their accounts, and let them say whether it was them
  • Notify them when their passwords have been changed
  • Use multi-factor authentication
  • Force a password change only when there is evidence the password has been compromised, not on a calendar

That's it. Hopefully this annoying password reset issue will be a thing of the past when we take stock this time next year.
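To make the "monitor logins and notify the user" advice concrete, here is an added example (mine, not the article's) of detection logic run over a small authentication log. It assumes one JSON object per line with the fields shown, a per-user baseline of previously seen countries and devices, and a failure threshold chosen for illustration; the log lines are constructed for the example.

```python
"""Added example, not code from the article: the 'monitor logins and notify
the user' advice turned into detection logic over a small log.

Assumptions (mine): an authentication log of one JSON object per line with the
fields used below; a 'device' value derived from a cookie or user-agent
fingerprint; thresholds chosen for illustration. SAMPLE_LOG is constructed."""

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # failures that make a later success suspicious
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample: alice has a stable Zimbabwe/Android baseline, then a login
# from an unfamiliar country and client; bob's account sees a burst of failures,
# a success from the same client, then an immediate password change.
SAMPLE_LOG = """
{"ts": "2022-05-01T08:00:00", "user": "alice", "event": "login", "result": "ok", "ip": "41.0.0.10", "country": "ZW", "device": "chrome-android-1a2b"}
{"ts": "2022-05-02T08:05:00", "user": "alice", "event": "login", "result": "ok", "ip": "41.0.0.10", "country": "ZW", "device": "chrome-android-1a2b"}
{"ts": "2022-05-03T07:58:00", "user": "alice", "event": "login", "result": "ok", "ip": "41.0.0.23", "country": "ZW", "device": "chrome-android-1a2b"}
{"ts": "2022-05-04T02:13:00", "user": "alice", "event": "login", "result": "ok", "ip": "203.0.113.7", "country": "RU", "device": "curl-unknown-9f1e"}
{"ts": "2022-05-04T03:00:00", "user": "bob", "event": "login", "result": "fail", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
{"ts": "2022-05-04T03:00:10", "user": "bob", "event": "login", "result": "fail", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
{"ts": "2022-05-04T03:00:20", "user": "bob", "event": "login", "result": "fail", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
{"ts": "2022-05-04T03:00:30", "user": "bob", "event": "login", "result": "fail", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
{"ts": "2022-05-04T03:00:40", "user": "bob", "event": "login", "result": "fail", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
{"ts": "2022-05-04T03:00:50", "user": "bob", "event": "login", "result": "fail", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
{"ts": "2022-05-04T03:01:00", "user": "bob", "event": "login", "result": "ok", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
{"ts": "2022-05-04T03:02:00", "user": "bob", "event": "password_change", "result": "ok", "ip": "198.51.100.5", "country": "US", "device": "python-requests"}
"""


def parse(log_text):
    """Yield events in log order with 'ts' converted to a datetime."""
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def _expire(queue, now):
    """Drop failure timestamps that fell out of the sliding window."""
    while queue and now - queue[0] > FAIL_WINDOW:
        queue.popleft()


def analyse(log_text):
    """Return (kind, user, detail) alerts in log order.

    A user's first successful login only seeds the baseline; alerts for a new
    country or device fire once there is something to compare against."""
    profile = defaultdict(lambda: {"countries": set(), "devices": set()})
    failures = defaultdict(deque)
    alerts = []
    for ev in parse(log_text):
        user, now = ev["user"], ev["ts"]
        if ev["event"] == "login" and ev["result"] == "fail":
            q = failures[user]
            _expire(q, now)
            q.append(now)
        elif ev["event"] == "login" and ev["result"] == "ok":
            q = failures[user]
            _expire(q, now)
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", user,
                               f"{len(q)} failures in {FAIL_WINDOW} before success from {ev['ip']}"))
            q.clear()
            prof = profile[user]
            if prof["countries"] and ev["country"] not in prof["countries"]:
                alerts.append(("new_country", user, f"{ev['country']} from {ev['ip']}; ask 'was this you?'"))
            if prof["devices"] and ev["device"] not in prof["devices"]:
                alerts.append(("new_device", user, f"{ev['device']}; ask 'was this you?'"))
            prof["countries"].add(ev["country"])
            prof["devices"].add(ev["device"])
        elif ev["event"] == "password_change":
            alerts.append(("password_changed", user,
                           f"from {ev['device']} at {ev['ip']}; notify via a second channel"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in analyse(SAMPLE_LOG):
        print(f"{kind:24s} {user:8s} {detail}")
```

Two things worth noting about the design. The "new device" and "new country" signals only have value once a baseline exists, so a real deployment persists the per-user profile rather than rebuilding it per run. And the burst-then-success pattern for bob is exactly what a forced 60-day change does nothing about: a login-rate limit or lockout would have stopped it before the success, and the password-change notification is what lets the real owner react the same day rather than at the next scheduled expiry.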


5 comments


  1. Itai

    This is the worst article ever. Keep using the same password and see whether you don't get caught out by the social engineering crowd. You're just a blogger at Techzim. I was hacked and got my password stolen twice. Technology is far ahead. My job has a system that now uses 2 factor or something like that. Even though people forget, a reminder to change passwords should be done da

    1. LITE

      First of all, this is not the worst article ever; it's just an awareness that there is no need to change passwords 'regularly' as long as your password is strong. The article didn't say that we should never change our passwords. Secondly, I bet your password wasn't actually hacked. There is a difference between hacked and stolen. Hacking a password is not a joke. You are the crowd that is used to having your WiFi hacked because WPS is enabled, and then you say your WiFi got hacked. So first of all understand the article and then comment. We know English is a struggle for you, my friend.

    2. Leonard Sengere

      Are you saying all the research that has gone into this is useless? The security experts that are advising system administrators to stop forcing regular password changes are stupid? The companies that have moved from this practice are fools?

      LITE answered you well. You advocate for regular changes which probably forced you to write your password down in the Notes app on your phone, someone saw it and now you claim to have been ‘hacked.’ Your password has been getting weaker every time you have been forced to change it too. Leaving you even more vulnerable.

      Tell me, though, if you are indeed that high-value a target and at the same time susceptible to social engineering, how does being forced to change your password every 60 days help you? Are these 'hackers' looking for lifetime access to your accounts, with that being the only way they can hurt you?

      The solution for you would be to work on what makes you susceptible to social engineering. This comes from first acknowledging we all are susceptible. Teach yourself to be suspicious and follow basic security protocols as taught everywhere.

      I like that at your job you are now using 2 factor authentication (the '2 factor or something like that' you mentioned). That's exactly what security experts are advocating for, as mentioned in the article.

      On people forgetting, you seem to be okay with that. Go back to the article and see how problematic that is.

    3. Imi Vanhu Musadaro

      Explain how you were hacked and, most likely, changing your password monthly would not even have helped you.

      People install apps from the wild or Shareit and create accounts on any site that asks them to, then claim it's hackers that compromised them.

  2. Captain

    I don't understand what the fuss is all about, guys. Be realistic: you live in a 3rd world country; what does a hacker gain from hacking folks like you? 😏 Our government, filled with all the douchebags that you could ever think of, knows Security Code 101: "If you are susceptible to hacker threats, NEVER have your sensitive data online." As simple as that, problem solved. Weak or strong password, it doesn't matter much. If you are a target then you will get hacked, as plain as that.

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed