To change or not to change passwords
Over the last few years there has been a lot of discussion about whether it is wise to enforce a company security policy by forcing password rotation, usually every 3 months.
Camp #1 shouts: "Yes, it's the right way, because people will never use strong passwords, so their accounts are easy to guess."
The opposite camp #2 shouts: "No, it's wrong, because it becomes impossible to remember a strong password in time, so people are forced to write it down somewhere... security compromised!"
I have experience with both sides: hacked accounts due to silly weak passwords, but also frustration from regularly changing passwords in corporate applications.
In the end, I figured out the best compromise, and I believe this should generally be the right way to apply a security policy:
- use a tool to properly measure password strength (see the list below)
- for STRONG passwords, offer the possibility to extend the rotation interval from the default 3 months to optionally 6-9-12-24-OFF months (yes, including turning rotation off). The user should be advised about the security risks, and disabling password rotation should be confirmed twice.
- for passwords of MIDDLE STRENGTH, allow extending the rotation period from the default 3 months to 6-9-12 months as well. Don't allow disabling password rotation.
- weak passwords should not be accepted, of course.
I believe that when the password is like "my1superSecureTIP-TOP:password!" there is no reason to enforce changing it again in 3 months; it just becomes counterproductive.
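The tiered policy above, written out as an added example (this is not code from the original post nor from the linked libraries). The scorer is a deliberately simple, assumed heuristic (length, character classes, a repeated-character penalty and a tiny constructed denylist of common prefixes); the tier thresholds, the `confirmations` parameter and the use of `0` for "rotation off" are assumptions made for this example, and a production deployment would swap in an established strength estimator such as zxcvbn.

```javascript
// Added example: minimal password-strength scoring plus the strength-tiered
// rotation policy from the post. Not the author's simple-js-password-checker.

// Constructed denylist of common password prefixes (assumption, not exhaustive).
const COMMON_PREFIXES = [/^password/i, /^123456/, /^qwerty/i, /^admin/i];

// Heuristic score: more length and more character classes score higher,
// repeated runs and common prefixes are penalised. Assumed thresholds.
function scorePassword(pw) {
  let score = 0;
  if (pw.length >= 8) score += 1;
  if (pw.length >= 12) score += 1;
  if (pw.length >= 16) score += 1;
  if (/[a-z]/.test(pw)) score += 1;
  if (/[A-Z]/.test(pw)) score += 1;
  if (/[0-9]/.test(pw)) score += 1;
  if (/[^A-Za-z0-9]/.test(pw)) score += 1;
  if (/(.)\1{2,}/.test(pw)) score -= 1;               // e.g. "aaa" in a row
  if (COMMON_PREFIXES.some((re) => re.test(pw))) score -= 2;
  return Math.max(0, score);
}

// Map a score to the three tiers used by the policy (assumed cut-offs).
function classify(score) {
  if (score <= 3) return 'weak';
  if (score <= 5) return 'medium';
  return 'strong';
}

// Rotation intervals in months; 0 is the assumed encoding for "rotation off".
const ROTATION_OFF = 0;
const DEFAULT_ROTATION_MONTHS = 3;
const ALLOWED_ROTATION = {
  weak: [],                                     // rejected outright
  medium: [3, 6, 9, 12],                        // may extend, may not disable
  strong: [3, 6, 9, 12, 24, ROTATION_OFF],      // may extend or disable
};

// Validate a password and a requested rotation interval against the policy.
// `confirmations` counts how many times the user explicitly acknowledged the
// risk of disabling rotation; the post requires two.
function applyRotationPolicy(pw, requestedMonths = DEFAULT_ROTATION_MONTHS, confirmations = 0) {
  const strength = classify(scorePassword(pw));
  const allowed = ALLOWED_ROTATION[strength];
  if (allowed.length === 0) {
    return { accepted: false, strength, reason: 'weak password rejected' };
  }
  if (!allowed.includes(requestedMonths)) {
    return {
      accepted: false,
      strength,
      reason: `rotation interval ${requestedMonths} not allowed for a ${strength} password`,
    };
  }
  if (requestedMonths === ROTATION_OFF && confirmations < 2) {
    return { accepted: false, strength, reason: 'disabling rotation requires two confirmations' };
  }
  return { accepted: true, strength, rotationMonths: requestedMonths };
}

// Run a few constructed cases through the policy when executed directly with node.
function demo() {
  const cases = [
    ['my1superSecureTIP-TOP:password!', ROTATION_OFF, 2],  // the post's example
    ['my1superSecureTIP-TOP:password!', ROTATION_OFF, 1],  // only one confirmation
    ['Summer2024!', 24],                                   // medium: 24 not allowed
    ['Summer2024!', 12],
    ['password1'],                                         // weak: rejected
  ];
  return cases.map(([pw, months, conf]) => applyRotationPolicy(pw, months, conf));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of demo()) console.log(JSON.stringify(result));
}
```

Run it with `node policy.js`. The design choice worth noting is that the weak tier is an empty list rather than a short interval: the post's position is that rotation is not a substitute for a weak password, so the policy refuses the password instead of compensating with frequent changes, and disabling rotation is only reachable from the strong tier after explicit, repeated acknowledgement.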
Here's a list of a few libraries for measuring password strength:
- DEMO - measure password strength
- my own implementation - https://github.com/lubosdz/simple-js-password-checker
- PHP REGEX password safety
- Yii2 password safety checker
- composer password strength validator
- JS / CSS password strength meter
- JS / CSS animation Password strength meter - see DEMO at bottom
- JS / CSS sample at jsfiddle.net/HFMvX/
- Rumkin JS strength calculator
- stackoverflow.com - password strength meter
And a few links to what has been written on the topic by renowned authorities:
- Microsoft admits expiring-password rules are useless
- Want Safer Passwords? Don't Change Them So Often
- Why Changing Your Passwords Often May Be a Waste of Time