Making users change their passwords frequently could actually make systems less secure, the UK's information security agency has warned.
Most administrators force users to change their password at regular intervals -- every 30, 60, or 90 days, for example. But this carries no real benefits as stolen passwords are generally exploited immediately, said CESG, the IT security arm of surveillance agency GCHQ.
In a post explaining the thinking behind its recommendation that organisations should stop forcing users to frequently change their passwords, CESG said that we are all suffering from password overload: most password policies force us to use passwords that we find hard to remember, that are as long as possible, and as 'random' as possible.
"And while we can manage this for a handful of passwords, we can't do this for the dozens of passwords we now use in our online lives," it said.
If users are forced to change passwords they will mostly choose something that is a slight variation on the original one, or one that they have used elsewhere, or a weaker one. These behaviours can be exploited, CESG said: attackers can often work out the new password, if they have the old one.
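The pattern CESG describes (a bumped year or counter, a swapped character, the old password with something bolted on) can be caught at change time. The following is an added example, not CESG's or any vendor's code: a check that rejects a new password that is only a slight variation of the old one. The thresholds and rules (edit distance of two, the leet-substitution map, stripping of leading and trailing digits) are assumptions chosen for illustration, not a published standard.

```python
"""
Added example (not CESG's code): a password-change check that rejects a new
password that is only a slight variation of the old one. The rules and
thresholds below (edit distance, leet map, digit stripping) are assumptions
chosen for illustration, not any published standard.
"""
import re
from typing import Optional

# Common substitutions users make when "changing" a password; assumed map.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (single-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def canonical(pw: str) -> str:
    """Reduce a password to its 'core': lower-case, drop punctuation, strip
    leading/trailing digits (years, counters), then undo leet substitutions."""
    s = re.sub(r"[^a-z0-9]", "", pw.lower())
    s = re.sub(r"^\d+|\d+$", "", s)
    return s.translate(LEET)


def is_trivial_variation(old: str, new: str, max_distance: int = 2) -> bool:
    """True if `new` is the kind of change CESG warns about: a few characters
    edited, a counter or year bumped, or the same core with decoration."""
    if levenshtein(old, new) <= max_distance:
        return True
    core_old, core_new = canonical(old), canonical(new)
    if core_old and core_old == core_new:
        return True
    # Same core with something added; require a non-trivial core so that
    # short common substrings do not cause false rejections.
    if core_new and len(core_old) >= 6 and (core_old in core_new or core_new in core_old):
        return True
    return False


def check_password_change(old: str, new: str) -> Optional[str]:
    """Return a user-facing rejection reason, or None if the change is acceptable."""
    if is_trivial_variation(old, new):
        return "New password is too similar to the previous one."
    return None
```

The check needs the old password in plaintext, which is available only at the moment the user types both the old and the new one; it cannot be run against stored hashes afterwards, so it belongs in the change flow itself.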
Regularly changed passwords are more likely to be written down (another vulnerability) or forgotten, which means lost productivity for users and a pain for the help desk that has to reset them.
"It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn't, it turns out, stand up to a rigorous, whole-system analysis," CESG said.
Not forcing regular password expiry reduces the vulnerabilities associated with regularly expiring passwords while doing little to increase the risk of long-term password exploitation, CESG added.
According to CESG, the use of compromised passwords is better combated by monitoring logins to detect unusual use and notifying users with details of logins, so that they can report any for which they were not responsible.
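What that monitoring looks like in practice, as an added example that is not CESG's code: a few constructed login records are parsed, each user's first successful login seeds a profile of countries and clients, and later successes from a new country or a new client, or successes preceded by failed attempts from the same address, are flagged and turned into the kind of notification the user can confirm or report. The log format, field names, the one-login baseline and the reporting channel are all assumptions for illustration.

```python
"""
Added example (not CESG's code): login monitoring over constructed log lines.
A user's first successful login seeds a profile of countries and user agents;
later successes from a new country or new client, or successes preceded by
failed attempts from the same address, are flagged and turned into a
notification. Log format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (TEST-NET addresses; not real traffic).
SAMPLE_LOG = """
2024-03-01T08:12:00Z user=alice ip=203.0.113.5 country=GB ua=Firefox/124 result=success
2024-03-02T08:30:00Z user=alice ip=203.0.113.5 country=GB ua=Firefox/124 result=success
2024-03-02T09:00:00Z user=bob ip=198.51.100.7 country=GB ua=Chrome/122 result=success
2024-03-03T02:15:00Z user=alice ip=192.0.2.44 country=FR ua=curl/8.5 result=failure
2024-03-03T02:16:00Z user=alice ip=192.0.2.44 country=FR ua=curl/8.5 result=success
2024-03-03T10:00:00Z user=bob ip=198.51.100.7 country=GB ua=Chrome/122 result=success
this line is not a login record and is skipped
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) "
    r"ua=(?P<ua>\S+) result=(?P<result>success|failure)$"
)


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are dropped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_unusual_logins(events, baseline_logins=1):
    """Return successful logins that differ from the user's own history.

    The first `baseline_logins` successes per user seed the profile silently.
    Failed attempts are counted per (user, ip) and reported when a success
    from that address follows them.
    """
    profile = defaultdict(lambda: {"countries": set(), "uas": set(), "n": 0})
    failures = defaultdict(int)
    flagged = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        p = profile[e["user"]]
        reasons = []
        if p["n"] >= baseline_logins:
            if e["country"] not in p["countries"]:
                reasons.append(f"new country {e['country']}")
            if e["ua"] not in p["uas"]:
                reasons.append(f"new client {e['ua']}")
        if failures[key]:
            reasons.append(f"{failures[key]} failed attempt(s) from {e['ip']} before success")
            failures[key] = 0
        if reasons:
            flagged.append({**e, "reasons": reasons})
        p["countries"].add(e["country"])
        p["uas"].add(e["ua"])
        p["n"] += 1
    return flagged


def notification(event):
    """Text for the user so they can recognise (or report) the login."""
    return (
        f"Hello {event['user']}, a login to your account succeeded at {event['ts']} "
        f"from {event['ip']} ({event['country']}) using {event['ua']}. "
        f"Flagged because: {'; '.join(event['reasons'])}. "
        "If this was not you, report it to the security team."  # reporting channel is a placeholder
    )


if __name__ == "__main__":
    for ev in find_unusual_logins(parse_log(SAMPLE_LOG)):
        print(notification(ev))
```

On the sample data only alice's login from 192.0.2.44 is flagged, for three reasons at once (new country, new client, and a failed attempt just before the success); bob's repeat logins from his usual address and browser stay silent, which is the point: the user is told about the login they will not recognise, not about every login.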
CESG is not alone in calling for the end of expiring passwords. Lorrie Cranor, chief technologist at the Federal Trade Commission, made a similar point recently when she said: "Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely."