For several years, I knowingly failed to comply with a corporate policy requiring a password change every few months. Being able to do so was one of the privileges of having been among the first to be tasked with setting technology use policies in a company. When, a short time ago, someone decided those privileges were over and forced me to change my password, I wasn’t worried, because I had forgotten it long ago: a password manager was taking care of it.
It is always good to know you were right all along: Microsoft has now removed the option for obligatory periodic password changes from Windows 10 security guidelines, describing the requirement as “an ancient and obsolete mitigation of very low value”. Forcing people to change their password every few weeks is an absurd and annoying throwback that contributes nothing to security, often leading us to choose bad passwords that are easy to remember or that we write on a post-it stuck to our computer, and is simply what behind-the-times security managers do.
If your company asks you, as part of corporate policy, to change your password every so often, you know what to do. Protest, and back your protest up with documentation. But be careful: not changing your password periodically does not mean you can have a simple password and never change it, or use it for everything. Instead, you must forget everything you thought you knew about passwords and get a good password manager that doesn’t bother you with the details, that lets you change a password quickly and easily when a security alert comes in, and that can even monitor those alerts for you via a browser extension. In short, there’s no need to change our passwords every so often: they only need changing if there’s been a security problem with some service.
Why use a password manager? Because over time, it’s been shown to be the best form of security. All those myths about “and what if they hack the password manager” have been proven false: passwords are stored encrypted and safe, and using one almost always means using strong, long, unique passwords for each service. If you also use two-factor authentication, so much the better.
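To make the two points above concrete (a password manager holds a distinct random secret per service, and rotation is triggered by a breach alert rather than by the calendar), here is an added example that is not from the original post and does not model any particular product. It uses only the Python standard library: `secrets` for generation, `hashlib.scrypt` to derive the key that would protect the vault from the master password, and a small `Vault` class whose `rotate_on_alert` method changes only the password of the service that reported a problem. All class and function names are my own assumptions for illustration; the encryption of the vault contents under the derived key is left to a real library and is not shown.

```python
import hashlib
import math
import secrets
import string

# Character set for generated passwords: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24) -> str:
    """Return a random password drawn from the OS CSPRNG, one per service."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the vault key from the master password with scrypt (memory-hard,
    so brute-forcing the single password a user does remember stays expensive)."""
    return hashlib.scrypt(
        master_password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32
    )


class Vault:
    """Toy in-memory vault (assumed structure, not any product's format)."""

    def __init__(self, master_password: str) -> None:
        self.salt = secrets.token_bytes(16)          # random per-vault salt
        self.key = derive_vault_key(master_password, self.salt)
        self.entries: dict[str, dict] = {}           # service -> {"password", "generation"}

    def add_service(self, service: str) -> str:
        """Create a fresh, unique password for a service and return it."""
        password = generate_password()
        self.entries[service] = {"password": password, "generation": 1}
        return password

    def rotate_on_alert(self, breached_service: str) -> bool:
        """Event-driven rotation: only the service named in the alert gets a new
        password; every other entry is left alone. Returns True if it changed."""
        entry = self.entries[breached_service]       # KeyError if unknown service
        old = entry["password"]
        entry["password"] = generate_password()
        entry["generation"] += 1
        return entry["password"] != old

    def all_unique(self) -> bool:
        """Check that no two services share a password."""
        passwords = [e["password"] for e in self.entries.values()]
        return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    vault = Vault("correct horse battery staple")   # constructed sample master password
    vault.add_service("mail.example")
    vault.add_service("bank.example")
    print("unique per service:", vault.all_unique())
    print("entropy of a 24-char password:", round(entropy_bits(24), 1), "bits")
    # A breach notice for one service rotates that service only.
    vault.rotate_on_alert("mail.example")
    print("generations:", {s: e["generation"] for s, e in vault.entries.items()})
```

The contrast with a calendar-based policy is in `rotate_on_alert`: nothing in the vault has a schedule, and a rotation is a response to a specific event at a specific service. The entropy figure (about 157 bits for 24 characters from a 94-symbol alphabet) is the reason a generated, stored password does not need periodic replacement: it cannot be guessed in any time frame the rotation interval would matter for.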
If you are responsible for your firm’s security and you are still torturing your colleagues with the ridiculous practice of periodic password change, it’s time to rethink things: the best investment in security is to get a corporate license for a password manager, show people how to use it, and apply two-factor authentication.
(In Spanish, here)