How often should passwords be changed?
In honor of world "More Than A Password Day,” which was recently announced by Nonprofit Cyber, we wanted to dedicate a blog to their mission of encouraging stronger online security for individuals and organizations alike...and that includes answering one of the web's most-asked questions.
Let's get started:
Why Passwords Are Not Secure
Firstly, why are passwords not secure? Why is there so much talk surrounding how, when, and why to change them?
Passwords have three core pitfalls:
They can be guessed
They can be stolen
They can be cracked
One reason for this is that a staggering 62% of professionals use the same password for more than one service; this means that, if one account is hacked, all others are now at significant risk. Other cyber hygiene habits that put passwords at particular risk include, but aren't limited to:
People sharing passwords over insecure networks
Threat actors having the ability to brute-force or guess "weak" passwords
Public Wi-Fi being a common way of hackers gaining access to passwords
The prevalence of phishing emails and fake websites that utilize social engineering and other tactics to glean passwords
Keylogging software that can steal passwords
The concept of a password was invented in the 90s, and the premise of a password is simply a complex secret that we must memorize.
The Dangers of Periodic Password Changes
When it comes to how often passwords should be changed, the answer is typically: "Frequently."
However, that is misleading. As we detail in our blog counterpart, "Periodic Password Changes", NIST does not suggest frequently changing passwords; instead, they recommend enforcing what's known as a banned password list.
Also known as a password deny list, banned password list, or password dictionary, such a list contains password values known to be commonly used or compromised. Organizations can use this list to block weak, insecure, and vulnerable passwords and their variants from being used by employees.
The NIST recommends adding all of the below to your organization's banned password list:
Repetitive characters (e.g. 999)
Sequential characters (e.g. 1234 or abcd)
Context-specific words (e.g. username)
Passwords from previous breaches
With tools like Azure AD Password Protection, security teams can create a custom banned password list to block organization-specific weak terms that may lead to a compromise of their networks or systems.
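As an added illustration (not code from the original post or from Packetlabs), the following Python checks a candidate password against the four NIST categories listed above. It uses a constructed sample breach list and a simple leetspeak fold so that common variants such as "P@ssw0rd1!" are rejected along with the base word:

```python
import re
from typing import Iterable, Optional

# Constructed sample of a breached / commonly used password list. A real
# deployment loads a large breach-derived corpus from disk instead.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}

# Simple leetspeak fold so that "P@ssw0rd" is treated as the banned term "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)

def variants(pw: str) -> set:
    """Forms compared against banned terms: the folded password itself and the
    folded password with trailing digits/symbols removed, so "Summer2023!"
    still matches the banned term "summer"."""
    low = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)
    return {normalize(low), normalize(stripped)}

def has_repetitive(pw: str, run: int = 3) -> bool:
    """Same character repeated `run` or more times in a row, e.g. "999"."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequential(pw: str, run: int = 4) -> bool:
    """`run` consecutive code points, ascending or descending: "1234", "abcd", "dcba"."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {codes[j + 1] - codes[j] for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def check_password(pw: str, username: str, org_terms: Iterable[str] = ()) -> Optional[str]:
    """Return the reason the password is banned, or None if it is acceptable."""
    if has_repetitive(pw):
        return "repetitive characters"
    if has_sequential(pw):
        return "sequential characters"
    forms = variants(pw)
    # Context-specific words: the username plus organization-specific terms
    # (the custom banned list idea above), matched as substrings after folding.
    for term in (username, *org_terms):
        folded = normalize(term)
        if len(folded) >= 3 and any(folded in f for f in forms):
            return f"contains context-specific term '{term}'"
    # Passwords from previous breaches, including "Word2023!" style variants.
    if forms & BREACHED:
        return "found in breach list"
    return None
```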
The Importance of Knowing How Often Passwords Should Be Changed (or Fortified)
World "More Than A Password Day” strives to do more than just raise knowledge about the cyber risk associated with poor password habits; it strives to kickstart action across organizations. Rather than simply asking, "How often should passwords be changed?", cybersecurity firms around the world want to shift the conversation to: "What can my organization do to fortify our passwords?"
With a staggering 80% of data leaks in 2023 alone caused by weak or lost passwords, the need for strong passwords has never been more dire. This is backed by:
Only 17% of small businesses globally having cyber insurance, with 48% not purchasing it until after their first cyberattack
62% of SMBs reporting that they store customer data that an attack could compromise
The average organization taking 286 days to identify and contain a breach
82% of data breaches containing a human element
There being 75x more phishing sites than malware sites in 2023
CEOs being targeted 57 times per year on average by social engineering threats
“Cybersecurity fatigue” impacting a reported 42% of organizations
Every 39 seconds, a threat actor targeting a business’s cybersecurity infrastructure
Nonprofit Cyber has put out their guide, "Protecting Your Accounts and Devices: Common Guidance on Passwords", as part of the first world "More Than A Password Day” rollout. Over 90 organizations from around the globe, including CREST and others that are part of the Nonprofit Cyber alliance, have endorsed this advice.
5 Ways to Strengthen Your Passwords
Lastly, here are the top five ways we here at Packetlabs recommend you fortify your existing password protocols:
Use Password-Free Authentication: We advise opting for passwordless authentication, such as passkeys. Passkeys are not only more straightforward to use, but also more secure than traditional passwords
Secure Your Email Account: If employees are using password authentication for email accounts, follow the best practices for passwords and enable multi-factor authentication
Add an Extra Layer of Security: Employ a hardware security key, authenticator app, or PIN via SMS as a “second factor” in addition to your password
Use a Password Manager: A password manager can help you create and store strong passwords for all your online accounts, especially for teams that work remotely
Change Passwords in the Wake of a Data Breach: Promptly change passwords if your devices are compromised or an online service you use is hacked. Avoid reusing passwords
When in doubt, we recommend basing your password policies on the math behind what makes a strong master password.
When it comes to the question of "How often should passwords be changed?", we're grateful to Nonprofit Cyber for launching #WorldPasswordDay and shining a spotlight on this commonly misunderstood topic.
However, fortifying passwords is most effectively paired with other cybersecurity efforts. Here at Packetlabs, we execute these via a variety of potential methods:
DevSecOps: DevSecOps is integrated early in your development cycle and acts as an extension of your development team to flag vulnerabilities within your existing detected management systems
Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization
Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with your internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts
Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of your cybersecurity strategy. As the first step in strengthening your security posture, this assessment generates the roadmap to strengthen your overall security program
Compromise Assessments: A Compromise Assessment uncovers past or present threats like zero-day malware, trojans, ransomware, and other anomalies that may go unnoticed in standard automated vulnerability scans
OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing
Ransomware Penetration Testing: A ransomware penetration test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack
Cloud Penetration Testing: Multiple perspectives help with strengthening your security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle
Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that you can discover gaps and vulnerabilities unique to your organization and test your ability to detect and respond to threat actors
Application Security Testing: More targeted in scope than a regular pentest, application security testing uncovers vulnerabilities residing in your web and mobile apps. Application Security Testing actively explores your application from an attacker’s perspective
Infrastructure Penetration Testing: An infrastructure penetration testing assessment uncovers vulnerabilities in your IT and network systems and provides a tailored approach to each environment
These are in addition to the Packetlabs Portal, which lets you quickly view findings, prioritize efforts, request retests after remediation, and monitor progress.
Looking to take the next step in strengthening your organization's security posture, or seeking further cybersecurity-related consulting? Reach out to our team today for your free, zero-obligation quote.
Download our Free Buyer's Guide
Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory compliance standards or as a requirement for cyber insurance, selecting the right company is crucial. Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.