Do you have a password policy that is wrong?

What if I say that everything IT does about passwords is wrong! It does not matter how secure you make a user’s initial password; the user will eventually choose their own.

In your password policy, do you include:

  • Periodic Password Changes
  • Enforce Password History
  • Impose password complexity
  • Mandatory validation of newly created passwords

If you have some of these in your password policy, you might need to rethink your policy. Let me explain why:

Periodic password changes

Maximum Password Age determines how long users can keep a password before they have to change it; you can use a shorter period where security is very important and a longer period where it is less important. Minimum Password Age determines how long users must keep a password before they can change it. You can use this setting to prevent users from bypassing the password history by entering a new password and then changing it right back to the old one.

It is widely acknowledged in the IT industry that periodic changes do not improve password security; they make it worse and put stress on your IT support team. Security breaches continue regardless, and many users suffer from password fatigue.

Enforce Password History

This setting controls how soon old passwords can be reused. If the value is 10, the user cannot reuse a password until 10 other passwords have been set; the aim is to discourage users from alternating between several familiar passwords.

Sophisticated users can work around the Enforce Password History setting by changing their password repeatedly to flush the history and then returning to the old password.

Less sophisticated users may use the same password for many services, so if they use a corporate password on a noncorporate website and that website gets hacked, the hackers obtain details about those users.

The hacker can then figure out where the user works and where they bank, and try the password obtained from the breach against those services. Because this can be automated with a bot, the hacker can sit back and let it keep trying while the periodic password changes play out.
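As an added example (not code from the original post), a small Python model of the Enforce Password History and Minimum Password Age settings described above. It shows that a history of 10 on its own can be flushed by rapid changes, while a non-zero Minimum Password Age blocks that loophole. The class and method names are hypothetical, and previous passwords are stored as plain SHA-256 digests only to keep the model short.

```python
from dataclasses import dataclass, field
import hashlib


@dataclass
class PasswordPolicy:
    """Model of the two Windows settings discussed above (constructed example)."""
    history_size: int = 10        # Enforce Password History: remembered passwords
    min_age_seconds: int = 0      # Minimum Password Age: 0 means no minimum


@dataclass
class Account:
    policy: PasswordPolicy
    history: list = field(default_factory=list)   # digests, most recent last
    last_change: float = 0.0                      # time of the last accepted change

    @staticmethod
    def _digest(pw: str) -> str:
        # Keep digests rather than plaintext; a real system would use a
        # slow, salted password hash here, not bare SHA-256.
        return hashlib.sha256(pw.encode()).hexdigest()

    def change_password(self, new_pw: str, now: float) -> bool:
        """Return True if the change is accepted under the policy."""
        if self.history and now - self.last_change < self.policy.min_age_seconds:
            return False          # rejected by Minimum Password Age
        if self._digest(new_pw) in self.history[-self.policy.history_size:]:
            return False          # rejected by Enforce Password History
        self.history.append(self._digest(new_pw))
        self.last_change = now
        return True


def cycle_back_to_old(account: Account, old_pw: str, now: float) -> bool:
    """Simulate the workaround from the text: change the password history_size
    times in a row, then try to restore the old one. True if the old password
    was accepted again, i.e. the history was flushed."""
    for i in range(account.policy.history_size):
        if not account.change_password(f"throwaway-{i}", now):
            return False          # stopped before the history was flushed
    return account.change_password(old_pw, now)
```

With `min_age_seconds=0` the flush succeeds; with a one-day minimum the first throwaway change is already refused.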

Impose password complexity

Drop imposed password complexity (such as requiring a combination of letters, numbers, and special characters). Users then no longer need to be “creative”, which avoids passwords like “Password1$” that only provide a false sense of security. Complexity rules make little difference beyond weeding out less sophisticated or lazy users who would otherwise pick the most common passwords.

Mandatory validation of newly created passwords

Newly created passwords are validated against a list of commonly used, expected, or compromised passwords, so users are prevented from setting passwords like “password”, “12345678”, etc. Hackers can easily work around this, as it is easy to tell whether such validation is in place.
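As an added example (not the post's own code), a Python sketch contrasting the two approaches discussed in the last two sections: a classic complexity rule, which “Password1$” satisfies, and a NIST-style length-plus-blocklist check with light normalisation that rejects it. The blocklist is a constructed stand-in for a real list of common or compromised passwords, and the function names are hypothetical.

```python
import re
from typing import Tuple

# Constructed stand-in for a list of commonly used or compromised passwords.
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "letmein", "welcome"}

# Reverse common "leet" substitutions so "p@ssw0rd" collapses to "password".
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})


def passes_complexity(pw: str) -> bool:
    """The classic rule: 8+ characters with letters, digits and a special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalise(pw: str) -> str:
    """Strip the cosmetic tweaks users add to a dictionary word: case,
    leading/trailing padding such as '1$', and leet substitutions."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(_LEET)


def screen_password(pw: str) -> Tuple[bool, str]:
    """NIST-style screening: minimum length and a blocklist, no composition rules.
    Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        return False, "matches a common or compromised password"
    return True, "ok"
```

A long passphrase fails the complexity rule but passes the screen, while “Password1$” and “P@ssw0rd!” do the opposite.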

Why do we not need these policies anymore

Technology has evolved so that we no longer rely on a password alone to log in to online services; the most significant change in protecting access to systems and services is two-factor authentication (2FA).

2FA supposedly pushes the password problem into the background: it requires a second factor, like “something you have” (a hardware token or mobile phone) or “something you are” (usually biometrics such as a fingerprint or face recognition).

With 2FA, why should I care about my password? I could use the same password for all my online services, on every account that is protected by 2FA. That is only an assumption, though: 2FA is reliable only when both factors are secure. So you still need different passwords for different online services.

What users should do with their passwords

Users should get password management software. With it they only need to remember one password, the one that logs them in to the password manager and unlocks the “password vault”, so they no longer have to worry about complexity rules or frequent password changes.

A good password manager will generate, store, and enter a secure random password every time users need one. However, there are still scenarios where a password manager cannot be used (unlocking your phone or your computer, for example).

The National Institute of Standards and Technology (NIST) has recently released a draft of its Digital Identity Guidelines, which include new guidelines for password management. The guideline is interesting because passwords are here to stay for a while, if not forever, and millions of people around the world will appreciate even small improvements in user experience and security.

Although NIST’s rules are not mandatory for nongovernmental organizations, they usually have a huge influence, as many corporate IT security professionals use them as base standards and best practices when forming policies for their companies.

In my opinion, as an organization, if you can use one ID to log in to a portal and then SSO to all the services you need at work, and protect that ID’s password with a password manager and 2FA, you are on solid ground.

Your portal could be Google G Suite: all you need is your Google ID with 2FA (Enable 2FA in G Suite), which is very easy to set up in Google, plus the Google SAML SSO app (how to set up SAML SSO for WordPress), and you have a very cost-effective solution.

As always, I like to hear your view. Feel Free to comment below.
