Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Ted Ross, CEO and co-founder, SpyCloud
The Death of the Password Rotation Policy
Periodic Password Changes Go from Precautionary to Precarious; Frustrating for Users and Counterproductive for Security
The standard 90-day password change policy has long been an accepted industry best practice for keeping enterprise networks safe from harm. Only a small inconvenience to the user, changing login credentials at a regular frequency promised to provide protection from threats and breaches that could wreak havoc on business. While this approach may have kept criminals guessing in the past, continuing to rely on this dated approach to password management is detrimental to your security posture.
Today, the average internet user has logins for ~200 sites. It's no surprise that most people just use the same (or a variation on the same) password across multiple sites and accounts. When users are put on the spot to come up with a new password every three months, the desire to reuse or tweak one from the past is understandably strong. The problem? The more often people change their passwords, the higher the chances of them using one that is already exposed. And criminals are waiting patiently to try their list of compromised passwords every ninety days - again and again until they successfully take over the account. Because of this, the forced 90-day password rotation actually plays into the hands of the criminal.
So, what's the safe bet for the enterprise? Only force a password change when a user's password has been compromised. Drop the regularly scheduled password changes and use an automated ATO prevention product to securely check employee passwords against a regularly updated corpus of exposed passwords. Using this approach, users will only be required to change passwords when necessary. It's much less annoying than a forced password rotation policy, and it's much safer.
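As an added illustration (not the author's or SpyCloud's code), here is the compromise-driven policy from the paragraph above as a small Python model: a change is forced only when the current password appears in an exposed-password corpus, and any replacement is vetted against the same corpus. It assumes a k-anonymity style lookup, in which only a short hash prefix leaves the client, as the "secure check"; the corpus itself is a constructed sample.

```python
import hashlib

# Constructed sample corpus standing in for a regularly updated breach corpus
# (assumption: a real deployment pulls this from an exposed-credential feed).
EXPOSED_PASSWORDS = ["Summer2019!", "Summer2020!", "Password1", "qwerty123"]

PREFIX_LEN = 5  # k-anonymity: only this much of the hash ever leaves the client


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest; the corpus is keyed by hash, never plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: map each hash prefix to the set of suffixes present in the corpus."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def range_query(index, prefix):
    """Server side: return every suffix sharing the prefix; the server never sees the full hash."""
    return index.get(prefix, set())


def is_exposed(password, index):
    """Client side: hash locally, send only the prefix, match the suffix in the returned range."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in range_query(index, digest[:PREFIX_LEN])


def rotation_required(current_password, index):
    """The policy in the text: force a change only when the current password is exposed."""
    return is_exposed(current_password, index)


def vet_new_password(candidate, index):
    """Reject a replacement that is itself exposed (e.g. last year's password with the year bumped)."""
    if is_exposed(candidate, index):
        return False, "password appears in exposed-credential corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(EXPOSED_PASSWORDS)
    print("rotation required:", rotation_required("Summer2019!", idx))
    print("new password vetted:", vet_new_password("Summer2020!", idx))
```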
"I love arbitrarily rotating my password," said no one ever. And this year, we are finally seeing the policy being questioned. We expect that in 2020 we'll continue to see enterprise security teams happily moving away from this decrepit security policy.
About the Author
Ted Ross, CEO and co-founder, SpyCloud
Ted Ross is a veteran of twenty-nine years in the network and security industries. Ted started his career in the U.S. Air Force and later became strategy architect at Walmart, executive technology director at TippingPoint and VP of the Office of Advanced Technology at HP. While at HP, he created a new HP Security Research team and built HP's threat intelligence practice from the ground up. This team created reports on nation state threat groups that, at the time of publication, were considered to be the most comprehensive reports on select adversarial nations' cyber capabilities. After HP, Ted led Exodus Intelligence as CEO and, in late 2016, launched SpyCloud as CEO and co-founder.