Feb 21 2018

Is It Time To Reevaluate Password Policy Best Practices?

New research suggests federal IT leaders should rethink how they manage password security and authentication.

Nobody likes password policies. IT leaders dislike reminding users to yet again change their passwords, then bracing for an onslaught of angry help desk calls. Users dread coming up with yet another obscure combination of uppercase and lowercase letters, symbols and digits that they can remember for the next 90 days. It’s an unpleasant experience all around.

But there’s good news for those frustrated by unwieldy password practices. Cybersecurity professionals are now turning toward new password policy best practices that embrace the end user to make security a natural habit. These ideas are bolstered by recent changes in federal security guidelines related to password management.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

Rethink Password Expiration Policies

Cybersecurity professionals across the country are suddenly changing their tune when it comes to password security. After decades of requiring that individuals constantly change passwords, some organizations are abolishing password expirations altogether. This change in password policy is often accompanied by the deployment of multifactor authentication systems, which further bolster security. But regardless of other security measures, evidence suggests that agencies’ security posture may not be improved much by maintaining policies that require frequent password changes.

Computer scientists at Carleton University studied password expiration policies and concluded that the security advantage is “relatively minor at best, and questionable in light of relative costs.” A study of users at Carnegie Mellon University reinforced this finding when it discovered that users who are annoyed by the institution’s password policy are 46 percent more likely to have guessable passwords than their counterparts.

The research also revealed that users who are forced to change their passwords often do so by altering the existing password using a systematic method, such as adding a digit at the end. This technique is unlikely to fool an intelligent adversary.


The first reaction of many IT managers facing the end of password expiration policies is to express concern about regulatory compliance. Agency staff may be surprised to learn that federal guidelines actually support this direction. In June 2017, the National Institute of Standards and Technology released new digital identity guidelines that dramatically alter federal thinking about passwords. The guidelines specifically address password changes, stating that agencies “SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”

Password Policy Best Practices Means Reconsidering What Makes a Password Strong

The NIST guidance on passwords also proposes other user-friendly password requirements. While stating that agencies should continue to require a minimum password length of eight characters, it suggests allowing a maximum length of at least 64 characters. It also requires that agencies check new passwords against lists of known bad passwords, such as those involved in prior compromises.

From there, it delivers advice that will be music to the ears of most users: Agencies “SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters).” Gone are the days of trying to find a way to cram uppercase letters, symbols and digits into short eight- character passwords.

The guideline for maximum password length supports two important security practices. First, it encourages users to adopt easily remembered long passphrases in lieu of traditional short, complex passwords. Second, it encourages the use of password management software designed to allow users to easily create long, complex and unique passwords for each of their accounts.


These software packages provide user-friendly features, such as allowing users to cut and paste passwords directly into applications and even providing automatic login capability for many web-based applications. The packages increase security by removing friction from the authentication process, making it easy for users to do the secure thing.

Password security remains an important component of any agency’s security program. The new views held by cybersecurity experts make password security mechanisms more secure by being user-friendly. Agencies should consider moving away from the onerous practices that encourage users to find security-compromising work-arounds and adopt policies that make secure habits the natural and easy choice.

Oliver Munday

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT