Password Policy: Should I Change my Passwords Regularly?

Once every 39 seconds, a hacker attacks a computer with internet access.^[1] Corporations are oftentimes a target of these attacks, because of the non-secure usernames and passwords chosen and used by employees. Recent studies show that nearly 25% of employees reuse the same password for all of their accounts.^[2] Furthermore, 81% of employees who reuse the same credentials do not utilize passwords on their desktops or smartphones.^[3]

Dropbox, one of the largest file hosting services offering cloud storage, had a now-infamous data breach in 2012. The breach led to over 68 million usernames and password being leaked to the internet. At the time, the company announced that usernames were compromised; however, in 2016, the company sent out notifications to all of its users prompting anyone who had not changed their password since 2012 to do so as well.[4] The original breach is thought to be the result of one of Dropbox’s employees reusing a password they had also used on LinkedIn - which also suffered a large security breach. Breaches likes these can be very costly to organizations. Ransomware, a type of malicious software, is designed to block access to a computer system, or hold information, such as user credentials, hostage until a sum of money is paid. Ransomware is expected to cost businesses and organizations $11.5 billion in 2019 alone.^[5] So, should we be changing our passwords all of the time?

Attackers who have gained access to passwords can run large numbers of passwords in a short amount of time, meaning weak- and medium-strength passwords are at a greater risk. For a password to be strong, it should have a minimum of 12 characters and include a mix of number, symbols, capital letters, and lower-case letters. Additionally, a password should not be a dictionary word or even a combination of dictionary words. Also, common substitutions, such as using a zero for the letter “o” is obvious as well. Studies show that nearly 75% of internet users know these tried and true rules to creating strong passwords, but unfortunately, continue to implement poor password practices anyways because of the inconvenience.^[6] Furthermore, 91% of people understand the risk of reusing passwords, however 61% continue to do so anyways.^[7] So what should be done?

One possible remedy is to implement system controls that enforce rules for an acceptable password by use of an identity and access management system (IAM).^[8] A company could force longer passwords, recognize keyboard patterns or walks (e.g. qwerty), block the use of dictionary words or repeated passwords, etc. If psychology shows that users will use bad password practices despite knowing the risks, forcing good password practices may be necessary.

Additionally, a Carleton University research paper suggests that an organization’s administrators should use what are called “slow hash functions.”^[9] Hash algorithms are one-way functions that turn any amount of data into a fixed-length “fingerprint” that cannot be reversed. Furthermore, these functions have the ability to create a hash that is completely different if the input changes at all. Hence, they are ideal for protecting passwords. Additionally, employees would not be inconvenienced by frequent required password changes.

So, does your company require regular password changes or have best password practices? Comment below; we want to hear from you!

^[1] “13 Alarming Cyber Security Facts and Stats.” Cybint, 5 June 2019, www.cybintsolutions.com/cyber-security-facts-stats/.
^[2] “Poor Password Practices Put Corporate Cybersecurity at Risk.” Security Intelligence, securityintelligence.com/news/poor-password-practices-put-corporate-cybersecurity-at-risk/.
^[3] ibid.
^[4] Gibbs, Samuel. “Dropbox Hack Leads to Leaking of 68m User Passwords on the Internet.” The Guardian, Guardian News and Media, 31 Aug. 2016, www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach.
^[5] Mardisalu, Rob. “14 Most Alarming Cyber Security Statistics in 2019.” TheBestVPN.com, 15 May 2019, thebestvpn.com/cyber-security-statistics-2019/.
^[6] “[INFOGRAPHIC] Introducing The Psychology of Passwords.” The LastPass Blog, 6 Dec. 2016, blog.lastpass.com/2016/09/infographic-introducing-the-psychology-of-passwords.html/.
^[7] Ibid.
^[8] “It's Time for Users to Pony Up and Quit Reusing Passwords.” Security Intelligence, 1 Mar. 2017, securityintelligence.com/its-time-for-users-to-pony-up-and-quit-reusing-passwords/.
^[9] “Salted Password Hashing - Doing It Right.”, crackstation.net/hashing-security.htm#normalhashing.