Why Changing Your Password Every 90 Days May Soon Be Outdated
Are organizations shifting from frequent password changes to longer passwords? Learn about modern trends in password management and how leading companies are adapting.
In the past, many organizations implemented stringent password policies, requiring employees to change their passwords every 90 days, with a minimum length of eight characters. This traditional approach was seen as a necessary layer of security in defending against password-related cyber threats. However, modern cybersecurity trends are shifting towards a new approach: longer passwords of 10+ characters, combined with less frequent password changes. Industry standards, real-world examples, and ongoing discussions in the cybersecurity space indicate that the former method may soon become outdated.
Traditional vs. Modern Password Policies
The traditional model for password management in organizations, which mandates frequent changes, stems from a belief that regularly updating passwords minimizes the chances of password-related breaches. The PCI DSS (Payment Card Industry Data Security Standard) has historically mandated regular password changes for environments handling sensitive financial information. Similarly, the ISO/IEC 27001 standard, a widely accepted information security framework, also advocated for password policies requiring regular updates.
However, while frequent changes make sense in theory, they often lead to undesirable consequences in practice. Many users, faced with the burden of remembering numerous passwords, resort to weak password creation strategies, such as slight modifications to existing passwords, writing down passwords, or even using easily guessable patterns. This significantly undermines the strength of password security.
On the other hand, recent guidelines, such as NIST Special Publication 800-63B, suggest a shift toward long passwords with less frequent changes. NIST recommends passwords that are at least 8-12 characters long, with a preference for even longer ones, and advises that passwords only need to be changed when there is evidence of compromise. This approach reduces user frustration while maintaining strong security, because a longer password is far harder to crack by brute force.
Industry Standards Supporting Long Passwords
Industry standards have evolved to reflect the benefits of longer passwords and less frequent changes. NIST’s guidelines, which are influential in the cybersecurity community, explicitly reject the frequent password change policy unless there is a suspected compromise. ISO/IEC 27001 has also started acknowledging that password length is more critical than password rotation.
The PCI DSS has remained more cautious but is slowly adapting to similar trends, particularly in environments where multi-factor authentication (MFA) is in place. MFA provides an additional security layer, making the need for frequent password changes less pressing.
Real-World Adoption of New Trends
Many large organizations have already embraced the shift toward longer passwords with infrequent changes. For instance, Microsoft stopped recommending regular password changes in 2019, aligning its policies with NIST guidelines. Microsoft recognized that mandatory password changes were more likely to harm than help security, because users forced to memorize a new password every few months tended to choose weaker ones.
Similarly, Google has been at the forefront of password policy evolution, pushing users towards stronger, longer passwords while also encouraging the use of MFA and password managers to simplify password management.
Another example is the UK’s National Cyber Security Centre (NCSC), which recommends that organizations focus on password length and complexity, only requiring changes when evidence suggests a compromise. This approach aligns with the growing consensus that security can be improved by addressing password strength rather than frequency.
Why the Change Matters
Longer passwords with less frequent changes reduce the cognitive load on users while providing a robust defense against attacks such as brute-force attempts. Length is a critical factor in password strength: every added character multiplies the search space, so attackers need far more time and resources to crack a long password. Furthermore, when users are not burdened with frequent password changes, they are less likely to take shortcuts such as reusing passwords or creating easily guessable ones.
As organizations adopt this modern approach, pressure on users falls, security improves, and password breaches become less likely. However, it is essential that these policies are coupled with other security measures, such as MFA, to provide a layered approach to cybersecurity.
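To make the two models concrete, here is an added example (written for this article, not code from NIST, Microsoft or any other organization named above) that encodes the legacy 8-character, 90-day rule beside a NIST 800-63B-style rule in which a change is triggered only by evidence of compromise. The 12-character minimum, the 62-symbol alphabet used for the brute-force comparison and the breached-password list are assumptions constructed for illustration.

```python
"""Legacy 90-day rotation vs. a NIST SP 800-63B-style length-based policy.
Example code for this article; thresholds and the breached list are constructed."""
from dataclasses import dataclass

# Constructed sample of known-compromised passwords. It stands in for a lookup
# against real breach data, which NIST 800-63B also calls for.
BREACHED_PASSWORDS = {"Welcome123456", "Summer2019!!!", "Password1234"}


@dataclass
class Verdict:
    accepted: bool      # may this password be set / kept at all?
    must_change: bool   # is a change required right now?
    reason: str


def legacy_policy(password: str, days_since_set: int) -> Verdict:
    """Traditional model: at least 8 characters and a forced change every 90
    days, regardless of whether anything happened to the password."""
    if len(password) < 8:
        return Verdict(False, True, "shorter than 8 characters")
    if days_since_set >= 90:
        return Verdict(True, True, "90-day rotation interval elapsed")
    return Verdict(True, False, "ok until the next scheduled rotation")


def modern_policy(password: str, days_since_set: int,
                  min_length: int = 12) -> Verdict:
    """NIST-style model: longer minimum, no calendar rotation; a change is
    required only on evidence of compromise (here: presence in breach data)."""
    if len(password) < min_length:
        return Verdict(False, True, f"shorter than {min_length} characters")
    if password in BREACHED_PASSWORDS:
        return Verdict(False, True, "appears in breached-password data")
    # days_since_set is deliberately ignored: age alone is not evidence.
    return Verdict(True, False, "ok until evidence of compromise")


def brute_force_ratio(short_len: int, long_len: int, alphabet: int = 62) -> int:
    """How many times larger the exhaustive-search space of a long password is
    than that of a short one, over an alphabet of the given size."""
    return alphabet ** (long_len - short_len)


if __name__ == "__main__":
    pw = "correct horse battery"          # constructed, 21 characters
    print(legacy_policy(pw, 91))          # accepted, but must change: age only
    print(modern_policy(pw, 400))         # accepted, no change required
    print(modern_policy("Welcome123456", 1))  # rejected: compromised
    print(brute_force_ratio(8, 12))       # 62**4 = 14776336
```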
Do you prefer a long password that you change less often, or do you feel more secure changing your password frequently? Why? Join the discussion on Discord or WhatsApp (Yaksas Cybersecurity Infoshare).