Is your business employing outdated password policies? Security experts have weighed in on the value of mandatory password updates and found that they aren't doing much to protect you or your business.
With data breaches becoming part of everyday life for businesses around the world, it's safe to say that bolstering cybersecurity has become a priority for many. After all, a single breach can cost businesses, on average, around $10 million, which means that investing in security is good for your bottom line.
Still, there's a lot of misinformation out there about what the best way to do that is, and we're here to make sure you've got the right information when it comes to protecting your business.
Mandatory Password Updates Don't Help
In July, Microsoft released password policy recommendations for users of Microsoft 365. The blog post on the company website has some choice words about mandatory password updates that might make you rethink your company's policy:
“Password expiration requirements do more harm than good.”
The post goes on to explain that making employees change their passwords on a certain schedule doesn't help because it makes users “select predictable passwords, composed of sequential words and numbers that are closely related to each other.” Hackers are decidedly adept at guessing easy-to-use passwords like “123456” — which remains the most popular password for the average user — so it's better to encourage your team to come up with long, difficult-to-guess passwords and stick with them.
As for why these policies are still in place, the Washington Post asked an assortment of security experts to weigh in on the policy and why they think some companies still employ this outdated practice:
“I think people are worried, ‘Oh, if there's a security breach, and I'm not doing all the things that other people are doing, I could get in trouble as a security administrator, and so if other people are doing it, therefore I should do it, too.'” – Lorrie Cranor, director of CyLab Security and Privacy Institute at Carnegie Mellon University
When You Should Change Your Password
Now, we're obviously not saying you should never change your password, but arbitrarily requiring employees to change their passwords on a fixed schedule is clearly not helping, so we'd recommend scrapping that policy if your business has it in place. There are still times when you should change your password, but they won't fall on a set schedule.
The most important time to change your password is when it has been compromised. Unfortunately, your average employee is not plugged into the dark web and won't know when their passwords have leaked, so how will you know when to change it?
Fortunately, most password managers nowadays offer this service. The best ones will alert you when one of your passwords is known to be compromised, encourage you to change it, and walk you through the steps of replacing it.
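The two points above, that forced expiry produces predictable variants of the old password and that the real trigger for a change is compromise, can be turned into a password-change policy check. The following is an added example, not code from Microsoft or from any password manager; the breached-password list is a small constructed sample of SHA-1 digests standing in for the breach feed a real service would consult.

```python
import hashlib
import re

# Constructed breached-password sample (SHA-1 digests of known-bad passwords),
# standing in for the breach feed a password manager would consult.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "password", "qwerty", "Summer2023!")
}


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach set."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _letters_only(s: str) -> str:
    """Strip digits and symbols so Summer2023! and summer2024!! compare equal."""
    return re.sub(r"[^a-z]", "", s.lower())


def is_trivial_rotation(old: str, new: str) -> bool:
    """Detect the predictable edits a forced reset tends to produce:
    the same word with a bumped counter, a changed case, or an extra symbol."""
    if _letters_only(old) and _letters_only(old) == _letters_only(new):
        return True  # Summer2023! -> Summer2024!
    return _edit_distance(old.lower(), new.lower()) <= 2  # Hunter2 -> Hunter3!


def evaluate_change(old: str, new: str) -> str:
    """Policy decision for a proposed password change: reject known-compromised
    passwords and predictable variants of the previous one, accept the rest."""
    if is_breached(new):
        return "reject: password is known to be compromised"
    if is_trivial_rotation(old, new):
        return "reject: new password is a predictable variant of the old one"
    return "accept"
```

A production deployment would replace the constructed set with a k-anonymity lookup against a breach-notification service and run the check at change time, not on a calendar.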