
I am using a password manager, and have optimized all my passwords so they are complex, long, and unique.

I am wondering if there are any guidelines as to if I should still change my passwords from time to time and if so, how often.

schroeder

  • It depends on who you are defending from, and the sensitivity of the access that each password is protecting. – multithr3at3d May 30 '18 at 17:53
  • The only guidelines out there will tell you to change it much more frequently than you need to. If they really are "complex, long, and unique" then nobody is going to guess them. Attackers will go for the low hanging fruit and guess somebody else's password. – President James K. Polk May 30 '18 at 18:01
  • Long answer: it depends. Short answer based on some assumptions: almost never. You will *always* want to change after a breach, and any decent service provider will do a forced password reset after breaches. – Jared Smith May 30 '18 at 18:02
  • Is this a duplicate of [How often should passwords change?](https://security.stackexchange.com/q/34985/79319) – WBT Jul 05 '19 at 12:54

2 Answers

In the new NIST guidelines (US National Institute of Standards and Technology), there are now some rather surprising reversals of guidance on several areas of password management. According to this article from Sophos' Naked Security blog, automatic or periodic password aging is no longer recommended by the new guidelines; rather, the article says:

The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.

The only other reason to change passwords on a schedule is to comply with outdated policies which are resistant to change, such as the PCI DSS requirements regarding passwords:

8.2.4 Change user passwords/passphrases at least once every 90 days.

This is not a security issue but a compliance issue. When faced with a regulation which essentially has the force of law, compliance unfortunately must trump security.

Mike McManus

NIST Special Publication 800-63b: Digital Authentication Guidelines

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

NCSC official guidance:

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation.

The problem is not with keeping passwords for a long time, but rather the weaknesses introduced when creating new ones. So, if you are using a randomised method of password generation, you could gain benefit from refreshing passwords periodically.

But there are no official guidelines on how often that should be when you create maximally complex passwords because the risks are just too low. When you add in 2FA, then the risks are lower still.

The guidelines you need then are based on the risks that you identify. If you feel that the service you are authenticating to stores passwords in plaintext, is hacked often, and stores data that is critical to you, then you might want to change your passwords quite often, no matter what the official guidance says.

schroeder
  • I think you meant: "So, if you are **not** using a randomised method of password generation, you could gain benefit from refreshing passwords periodically."? – Lie Ryan May 31 '18 at 00:00
  • @LieRyan This is a late response but no, the original text is correct. If you use random generated passwords, there's no risk that a forced password change makes you reuse other passwords, which decreases security. – alexia Jan 21 '19 at 18:13
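Added worked example (not part of any answer or comment on this page): it quantifies the second answer's point that, for a long password drawn uniformly at random, the risk of offline guessing is too low for a rotation schedule to change anything. The guess rate of 10^12 per second and the 28-bit figure used for a human-chosen password are assumptions, not values from the page.

```python
import math
import secrets
import string

# 94 printable ASCII symbols, the kind of alphabet a password manager draws from
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (the 'randomised method' in the answer)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniform random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected offline brute-force time: half the keyspace divided by the guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def compromise_probability(bits: float, guesses_per_second: float, days: float) -> float:
    """Chance that an attacker guessing at a constant rate succeeds within `days`.
    The fraction of the keyspace searched is capped at 1 (whole space covered)."""
    guesses = guesses_per_second * days * 86400
    return min(1.0, guesses / 2 ** bits)


def rotation_reduces_exposure(bits: float, guesses_per_second: float,
                              rotation_days: float, threshold: float = 1e-6) -> bool:
    """Rotation only buys something if a non-negligible slice of the keyspace can be
    searched inside one rotation window; otherwise the old and the new password are
    equally safe and the change merely adds churn."""
    return compromise_probability(bits, guesses_per_second, rotation_days) >= threshold


if __name__ == "__main__":
    rate = 1e12          # assumed offline guess rate against a fast, unsalted hash
    bits = entropy_bits(20, len(ALPHABET))
    print(f"example: {generate_password(20)}  ({bits:.1f} bits)")
    print(f"expected crack time: {expected_crack_years(bits, rate):.2e} years")
    print(f"P(compromise in 90 days): {compromise_probability(bits, rate, 90):.2e}")
    print("rotate a 20-char random password every 90 days?", rotation_reduces_exposure(bits, rate, 90))
    # contrast: an assumed 28-bit human-chosen password is exhausted within the window
    print("rotate an assumed 28-bit human-chosen password?", rotation_reduces_exposure(28, rate, 90))
```

The threshold is deliberately tiny; a 20-character random password still lands many orders of magnitude below it, which is the "risks are just too low" argument in numbers.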