Published on Jul 18, 2018, updated on Feb 25, 2020

To change or not to change passwords

A lot discussion has been taken recently regarding whether it is wise or not to enforce company security policy by enforcing regular password rotation - meaning forcing employees to change password e.g. every 3 months.

There are many arguments in favour of enforcing such a policy, because "most of people will never use sufficiently strong passwords so they are threat to corporate security."

On the other hand, even some experts argue that it's wrong because "it's difficult to remember strong passwords and so people are forced to write it down somewhere - that is against security."

I've experience with both sides - hacked accounts due to silly weak passwords, but also got frustrated from regular changing passwords in corporate applications.

After all, I figured out best compromise - and I believe this should be generally the right way to apply security policy:

  1. use tool to measure properly password strength (see the list bellow)

  2. for STRONG passwords offer the possibility to extend rotation interval from default 3 months, to optionally 6-9-12-24-OFF months (yes, including turning rotation off). User should be advised about security risks and disabling password rotation should be confirmed twice.

  3. for passwords of MIDDLE STRENGTH, allow extending rotation period from default 3 months to also 6-9-12 months. Don't allow disabling password rotation.

  4. weak passwords should not be accepted, of course.

I believe when the password is like "my1superSecureTIP-TOP:password!" there is no reasong to enforce changing it in 3 months again, it just becomes contraproductive.

UPDATED 02/2020

2x weak password = 1x strong password

Recently I tested new login formular - with additional input field called "Personal key". Personal key would be any string or number that is granted to employee by his organization. I was actually surprised, how well it worked out. Rules are:

  • personal key does not need to be complex - should be actually easy to remember
  • hacking account using brutal force becomes much more difficult with such an additional field. It's not so relevant, that personal key might be a simple string like "mykey123". Important is, that it increases the number of combinations by magnitude.
  • personal key does not need to be necessary unique per employee, could be e.g. unique per department. Of course safest bet would be unique per employee.
  • company can replace personal key any time. So current logins for any employee, or a group of employees, can be any time invalidated.
  • company can define rules for creating personal key e.g. minimum length, department typical string e.g. "hero11" and "hero22" etc.. just like for passwords.
  • with personal key, employees might even use their weak passwords quite safely without enforced password rotation. Combined with personal key together their accidentally weak password would be significantly more secure. Because two weak passwords make actually one strong password together.

The login form looks quite standard - with extra field for personal key.

Your account

Note: Captcha code would start showing up after third failed login attempt on live site.


Libraries for measuring password strength:

Links to similar discussions about enforced password rotation:

Got a question?

Professional development of web applications and custom solutions. Consultancy services.