You may think that constantly changing your password would minimise the likelihood of hackers gaining access to your accounts and ensure your online safety. But some experts are claiming that regularly resetting your password could have the reverse effect.
People Can’t Remember All Their Passwords
The new Head of the National Cyber Security Centre (NCSC), Ciaran Martin, believes the average computer user is being overwhelmed by requirements to change and remember passwords. He recently told the BBC:
“We worked out what we were asking every British citizen to do was to memorise a new 600-digit number every month”
“None of my best people can do that, so we should not be telling other people to.”
He then goes on to note guidance on his centre’s website which says:
“The more often users are forced to change passwords, the greater the overall vulnerability to attack.”
“What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up.”
This vulnerability appears when people are forced to change their password. To keep it memorable, they often choose one that is only slightly different from the last, which tends to produce a weaker password or one that is already in use on another platform, making it easier to exploit – a study within the Scottish NHS found that 63% of users admit to re-using their passwords.
There is also a productivity cost, as new passwords are forgotten and need to be reset, and the risk that users write passwords down on paper so as not to forget them, inadvertently opening their accounts to unauthorised users.
What’s the Solution?
The NCSC now recommends that organisations do not force regular password resets and expiry dates, but instead teach online security to staff so that ‘sensible decisions’ (such as choosing stronger passwords) can be made. Its Password Guidance advises a more ‘realistic’ approach that lessens the workload imposed on users without compromising on security.
The organisation recommends that organisations:
● Change all default passwords
● Only implement passwords where they are truly needed
● Use technical solutions to reduce the burden on staff
● Ensure appropriate storage of recorded passwords
● Implement two factor authentication for all remote access
● Reinforce security policies with detailed online security training for staff
● Notify users when an attempted login is made
At Maytech, we take password security seriously. Our password policies ensure users can only set secure passwords and, with safe storage and two factor authentication (2FA) available, there is no need to force regular password resets.