Virtualization Technology News and Information
SpyCloud 2020 Predictions: The Death of the Password Rotation Policy

VMblog Predictions 2020 

Industry executives and experts share their predictions for 2020.  Read them in this 12th annual series exclusive.

By Ted Ross, CEO and co-founder, SpyCloud

The Death of the Password Rotation Policy

Periodic Password Changes Go from Precautionary to Precarious; Frustrating for Users and Counterproductive for Security

The standard 90-day password change policy has long been accepted as an industry best practice for keeping enterprise networks safe. For only a small inconvenience to the user, rotating login credentials on a fixed schedule promised protection from the threats and breaches that could wreak havoc on a business. That approach may have kept criminals guessing in the past, but continuing to rely on it today is detrimental to your security posture.

Today, the average internet user has logins for roughly 200 sites. It's no surprise that most people reuse the same password (or a variation on it) across multiple sites and accounts. When users are put on the spot to come up with a new password every three months, the desire to reuse or tweak one from the past is understandably strong: "Summer2019!" becomes "Summer2020!", or a trailing digit is incremented. The problem? The more often people are forced to change their passwords, the more likely the "new" one is a trivial mutation of an old one, and if that old one is already exposed in a breach, the mutation is trivially guessable. Criminals are waiting patiently to replay their list of compromised passwords, plus the common mutations, every ninety days, again and again until they successfully take over the account. Because of this, forced 90-day rotation actually plays into the hands of the criminal.

So, what's the safe bet for the enterprise? Only force a password change when a user's password has been compromised. Drop the regularly scheduled password changes and use an automated account takeover (ATO) prevention product to check employee passwords against a regularly updated corpus of exposed passwords, both when a password is set and continuously as new breach data arrives. This is also what NIST SP 800-63B recommends: verifiers should not require memorized secrets to be changed arbitrarily (e.g., periodically), must force a change when there is evidence of compromise, and must screen new passwords against lists of values obtained from previous breach corpuses. Using this approach, users are only required to change passwords when necessary. It's much less annoying than a forced rotation policy and it's much safer.
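The following is an added example, not code from the article or from SpyCloud, of what the compromise-driven policy described above looks like in practice. It assumes a breach corpus keyed by SHA-1 digests (as the Have I Been Pwned Pwned Passwords range API is), simulates the k-anonymity range lookup locally, and adds a check for the "tweak" problem the article describes: a new password whose alphabetic core matches an exposed password or the user's previous one, after stripping trailing digits/symbols and undoing common leet substitutions. The exposed-password sample, the `canonical` normalisation rules and the `evaluate` reason strings are all constructed for this illustration.

```python
import hashlib
import re
from typing import Optional

# Constructed sample of exposed passwords (stand-in for a vendor breach feed).
# Real feeds are far larger; this list exists only so the example runs offline.
EXPOSED_PLAINTEXT_SAMPLE = ["Summer2019!", "Password1", "Welcome123", "letmein"]

# Map of leet/symbol substitutions undone during normalisation (assumed rule set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def sha1_hex(pw: str) -> str:
    """Upper-case hex SHA-1, the key format used by Pwned Passwords-style feeds."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def canonical(pw: str) -> str:
    """Reduce a password to its alphabetic core so that 'Summer2019!',
    'Summer2020!' and 'summer' all collapse to 'summer'. Order matters:
    strip trailing/leading non-letters first, then undo leet substitutions,
    so 'Password1' -> 'password' and 'P@ssw0rd' -> 'password'."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing digits/punctuation ("2019!")
    s = re.sub(r"^[^a-z]+", "", s)   # drop leading digits/punctuation
    return s.translate(LEET)


# Store only digests, mirroring the feed: exact hashes for the compromise check,
# hashes of canonical forms for the variant check (assumption: the feed supplies
# plaintext or canonical forms, which vendor corpora of recovered plaintext do).
EXPOSED_SHA1 = {sha1_hex(p) for p in EXPOSED_PLAINTEXT_SAMPLE}
EXPOSED_CANON_SHA1 = {sha1_hex(canonical(p)) for p in EXPOSED_PLAINTEXT_SAMPLE}


def range_query(prefix5: str) -> list:
    """Simulated k-anonymity range query: the caller sends only the first five
    hex characters of its hash and receives every stored suffix under that
    prefix, so the full hash of the candidate password never leaves the client."""
    return [h[5:] for h in EXPOSED_SHA1 if h.startswith(prefix5)]


def is_exposed(pw: str) -> bool:
    """Exact-match check against the exposure corpus via the range query."""
    h = sha1_hex(pw)
    return h[5:] in range_query(h[:5])


def needs_forced_change(current_pw: str) -> bool:
    """The article's policy: a rotation is forced only on evidence of compromise.
    Run this against stored credentials whenever the corpus is refreshed."""
    return is_exposed(current_pw)


def evaluate(new_pw: str, previous_pw: Optional[str] = None) -> str:
    """Decision for a password set/change request. Rejects exact exposures,
    trivial variants of exposed passwords, and trivial variants of the user's
    previous password (the 'Winter2019!' -> 'Winter2020!' tweak)."""
    if is_exposed(new_pw):
        return "reject: exact match in exposure corpus"
    if sha1_hex(canonical(new_pw)) in EXPOSED_CANON_SHA1:
        return "reject: trivial variant of an exposed password"
    if previous_pw is not None and canonical(new_pw) == canonical(previous_pw):
        return "reject: trivial variant of previous password"
    return "accept"


if __name__ == "__main__":
    for candidate, prev in [("Password1", None), ("Summer2020!", None),
                            ("P@ssw0rd", None), ("Winter2020!", "Winter2019!"),
                            ("correct horse battery staple", "Winter2019!")]:
        print(f"{candidate!r:35} -> {evaluate(candidate, prev)}")
    print("forced change for 'Welcome123':", needs_forced_change("Welcome123"))
```

The variant check is deliberately crude (it only catches the mutations users most commonly make under rotation pressure); its purpose is to show that once you screen against a breach corpus, the remaining risk is in the predictable tweaks, not in the calendar.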

"I love arbitrarily rotating my password," said no one ever. And this year, we are finally seeing the policy being questioned. We expect that in 2020 we'll continue to see enterprise security teams happily moving away from this decrepit security policy.


About the Author

Ted Ross

Ted Ross, CEO and co-founder, SpyCloud

Ted Ross is a veteran of twenty-nine years in the network and security industries. Ted started his career in the U.S. Air Force and later became strategy architect at Walmart, executive technology director at TippingPoint and VP of the Office of Advanced Technology at HP. While at HP, he created a new HP Security Research team and built HP's threat intelligence practice from the ground up. This team created reports on nation-state threat groups that, at the time of publication, were considered the most comprehensive reports on select adversarial nations' cyber capabilities. After HP, Ted led Exodus Intelligence as CEO and, in late 2016, launched SpyCloud as CEO and co-founder.
Published Friday, October 25, 2019 7:46 AM by David Marshall