Why Enforcing Regular Password Expiration is a Bad Practice

Until recently, many “traditional” security best practices suggested that enforcing regular password expiration for computer user accounts was good security practice and that it contributed to more secure computer system environments.

Following these practices, many organizations prompt their computer users to change their passwords after a fixed number of days.

However, recent studies suggest that enforcing regular password expiration, apart from frustrating users, is also a bad practice that has a negative impact on the overall security of systems. The main argument is that forcing regular password changes via expiration increases the risk that users choose passwords similar to their old ones in order to remember them. This creates a weakness that attackers could potentially exploit.

To this end, more modern approaches should be followed that take the new realities into consideration. One such reality is that, nowadays, most people need to remember a large number of passwords rather than just one: not only passwords for the workplace, but also passwords for many other things such as social media, online services, and so on.

So, for example, instead of blindly enforcing password expiration, a more user-friendly policy could monitor systems for failed login attempts and, based on a given logic, prompt the affected user to change her password. Also, systems could display to each end user the date and time of her last login, so that she can review it and, if unauthorized access is suspected, contact the System Administrator for assistance.

Another good practice is to use account lockout in all systems. For example, when a user makes “x” failed login attempts within a “y” period of time, the user account is automatically locked for a “z” period of time and the System Administrator is informed.
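The two suggestions above (failed-login monitoring that prompts for a password change, a last-login display, and “x” failures within “y” minutes locking the account for “z” minutes while notifying the administrator) can be expressed as one small policy engine. The following Python is an added example written for this page, not code from the article or from TechHowTos; the log format, user names, source addresses and thresholds are constructed for illustration.

```python
# Added example (not from the TechHowTos article): a failed-login monitor that
# locks an account after "x" failures within "y" minutes for "z" minutes while
# notifying the administrator, flags the account for a password change, and
# shows each user her previous login on the next successful login.
# The log format, users, addresses and thresholds are constructed assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                          # "x": failures that trigger a lockout
FAILURE_WINDOW = timedelta(minutes=10)    # "y": sliding window for counting failures
LOCKOUT_DURATION = timedelta(minutes=30)  # "z": how long the account stays locked


class LoginMonitor:
    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW,
                 lockout=LOCKOUT_DURATION, notify=None):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.notify = notify or (lambda message: None)  # e.g. mail the sysadmin
        self.recent_failures = defaultdict(deque)  # user -> failure timestamps in window
        self.locked_until = {}                     # user -> datetime the lock expires
        self.last_login = {}                       # user -> (datetime, source) of latest success
        self.previous_login = {}                   # user -> the login before the latest one
        self.needs_password_change = set()         # users to prompt at their next login

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def record(self, now, user, outcome, source):
        """Feed one authentication event; return the decision taken."""
        if self.is_locked(user, now):
            return "locked"          # reject even a correct password during lockout
        if outcome == "FAIL":
            failures = self.recent_failures[user]
            failures.append(now)
            while failures and now - failures[0] > self.window:
                failures.popleft()   # forget failures older than the window
            if len(failures) >= self.max_failures:
                self.locked_until[user] = now + self.lockout
                failures.clear()
                # Repeated guessing against this account is the "given logic"
                # for asking the user to pick a new password afterwards.
                self.needs_password_change.add(user)
                self.notify(f"{user} locked until {self.locked_until[user]:%H:%M} "
                            f"after {self.max_failures} failures from {source}")
                return "locked"
            return "fail"
        # Successful login: keep the previous one so it can be displayed.
        self.previous_login[user] = self.last_login.get(user)
        self.last_login[user] = (now, source)
        self.recent_failures[user].clear()
        return "ok"

    def last_login_banner(self, user):
        """Text shown after login so the user can spot unauthorized access."""
        previous = self.previous_login.get(user)
        if previous is None:
            return "No previous login recorded"
        when, source = previous
        return f"Last login: {when:%Y-%m-%d %H:%M:%S} from {source}"

    def requires_password_change(self, user):
        return user in self.needs_password_change


# Constructed sample log: "<ISO timestamp> <OK|FAIL> <user> <source address>".
SAMPLE_LOG = """\
2024-03-01T08:00:00 OK   bob   198.51.100.7
2024-03-01T09:00:00 FAIL alice 203.0.113.5
2024-03-01T09:01:00 FAIL alice 203.0.113.5
2024-03-01T09:02:00 FAIL alice 203.0.113.5
2024-03-01T09:03:00 FAIL alice 203.0.113.5
2024-03-01T09:04:00 FAIL alice 203.0.113.5
2024-03-01T09:05:00 OK   alice 203.0.113.5
2024-03-01T09:10:00 OK   bob   198.51.100.7
2024-03-01T09:40:00 OK   alice 192.0.2.10
"""


def process_log(text, monitor):
    """Replay log lines through the monitor and return one decision per line."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, source = line.split()
        results.append(monitor.record(datetime.fromisoformat(ts), user, outcome, source))
    return results


def run_demo():
    notifications = []
    monitor = LoginMonitor(notify=notifications.append)
    results = process_log(SAMPLE_LOG, monitor)
    return monitor, results, notifications


if __name__ == "__main__":
    monitor, results, notifications = run_demo()
    for line, result in zip(SAMPLE_LOG.splitlines(), results):
        print(f"{line:45} -> {result}")
    print(monitor.last_login_banner("bob"))
    print("alice must change password:", monitor.requires_password_change("alice"))
    print("admin notifications:", notifications)
```

In the sample replay, alice's fifth failure at 09:04 locks the account until 09:34, so her correct login at 09:05 is still rejected, the administrator receives one notification, and her first accepted login at 09:40 carries the password-change flag; bob's 09:10 login shows his 08:00 login from 198.51.100.7 as the banner he can verify.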

The above are only a few examples of suggested modern security best practices. The main concept is to realize that, along with technological evolution, user habits change as well, thus forming new realities. These new realities must be taken into consideration when writing new security best practice documents, so that the practices have a real chance of being fully adopted by users.

Otherwise, it is highly likely that users will find ways to make their lives easier regardless of any best practices, thus causing weaknesses in the affected systems.

Learn more about security and other interesting topics in our eBook “Tech How To’s Vol. 1”.

Reference: TechHowTos (https://www.techhowtos.com)

© TechHowTos.com

About Artemakis Artemiou
Artemakis Artemiou is a Senior SQL Server and Software Architect, Author, and a former Microsoft Data Platform MVP (2009-2018). He has over 15 years of experience in the IT industry in various roles. Artemakis is the founder of SQLNetHub and TechHowTos.com. Artemakis is the creator of the well-known software tools Snippets Generator and DBA Security Advisor. Also, he is the author of many eBooks on SQL Server. Artemakis currently serves as the President of the Cyprus .NET User Group (CDNUG) and the International .NET Association Country Leader for Cyprus (INETA).