
Enterprise Password Best Practices: stop changing your passwords

When it comes to password policies, many organisations still cling to the age-old advice of “change it often and make it complex.” But times have changed. The latest security guidelines (from the likes of Microsoft, NIST, and the National Cyber Security Centre) encourage a shift in approach: long, word-based passwords and multi-factor authentication (MFA) – without the constant, annoying reset reminders.

Rethinking Password Policies

1. Avoid Unnecessary Password Changes

Regularly changing passwords can lead to weaker security, as users may resort to predictable patterns. Microsoft advises against mandatory periodic password resets, stating:

“Periodic password expiration is an ancient and obsolete mitigation of very low value.”
Microsoft

2. Embrace Long, Memorable Passphrases

Instead of short, complex, hard-to-remember passwords, opt for longer passphrases made of randomly chosen words. The strength comes from the number of words and the size of the list they are drawn from, not from symbols or capitalisation, so the words must be picked at random rather than taken from a quotation or a phrase the user already knows. This approach improves security while remaining user-friendly. The UK’s National Cyber Security Centre (NCSC) recommends three random words. Summaries of NIST’s revised digital identity guidelines (SP 800-63B) describe the change this way:

“One of the most notable changes is NIST’s stance on password complexity. Contrary to long-standing practices, NIST no longer recommends enforcing arbitrary password complexity requirements such as mixing uppercase and lowercase letters, numbers, and special characters. Instead, the focus has shifted to password length as the primary factor in password strength.”
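The arithmetic behind “length over complexity”, as an added example that is not part of the original post: a CSPRNG-backed passphrase generator in the NCSC three-random-words style, plus an entropy comparison. The word list is a constructed stand-in, and the pool sizes (a 7,776-word diceware-style list, the 94 printable ASCII characters, and a guessed structure for a typical human-made “complex” password) are assumptions stated in the code, not figures from the page.

```python
import math
import secrets

# Constructed sample list standing in for a real word list (a diceware-style
# list has 7,776 words; the NCSC does not prescribe a particular list). Only
# the draw below uses this list; the entropy figures use the pool sizes
# passed in explicitly.
SAMPLE_WORDS = [
    "anchor", "blanket", "copper", "dolphin", "ember", "falcon", "granite",
    "harbour", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
    "orchard", "pebble", "quiver", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder",
]


def make_passphrase(words, count=3, separator="-"):
    """Draw `count` words uniformly from `words` with a CSPRNG.

    secrets.choice (not random.choice) so the draw is unpredictable; the
    separator is for readability and contributes no entropy.
    """
    if count < 1:
        raise ValueError("a passphrase needs at least one word")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, length):
    """Entropy of a secret whose `length` symbols are each chosen uniformly
    from `pool_size` candidates: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def compare_strength():
    """Worked comparison behind the guidance in the section above.

    Assumed pool sizes (not from the page): 7,776 = diceware-style list;
    94 = printable ASCII without space. The last row models how people
    actually satisfy complexity rules: Word + 4-digit year + symbol, where
    the attacker guesses the structure and only the choices inside it are
    random (10,000 common words * 100 plausible years * 10 common symbols).
    """
    return {
        "3 random words (7,776-word list)": round(entropy_bits(7776, 3), 1),
        "4 random words (7,776-word list)": round(entropy_bits(7776, 4), 1),
        "8 random chars, 94-char pool": round(entropy_bits(94, 8), 1),
        "12 random chars, 94-char pool": round(entropy_bits(94, 12), 1),
        "11-char 'Word2024!'-style pattern": round(
            math.log2(10_000) + math.log2(100) + math.log2(10), 1),
    }


if __name__ == "__main__":
    print("example passphrase:", make_passphrase(SAMPLE_WORDS, 3))
    for label, bits in compare_strength().items():
        print(f"{bits:5.1f} bits  {label}")
```

Two things the table makes visible: four random words from a large list carry about the same entropy as eight truly random characters from the full keyboard, and a human-chosen “complex” password that merely satisfies the rules lands far below either, which is the behaviour the NIST change responds to. Three words is the memorability floor, not a ceiling; add a word for higher-value accounts.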

3. Implement Multi-Factor Authentication (MFA)

Adding a second layer of verification through MFA is essential. It requires users to present two or more factors, which sharply reduces the risk of unauthorised access when a password alone has been stolen or guessed. Microsoft strongly recommends enabling MFA for all users. Not every second factor is equal, though: one-time codes typed into a page can still be captured and relayed by a phishing site in real time, which is the gap FIDO2 (below) closes.

Common password policies
The overriding advice is to force a password change only when you have reason to believe the account or credential has been compromised, not on a calendar. In all cases, MFA is recommended (for obvious reasons!)

4. FIDO2

For businesses looking to take password security a step further, FIDO2 is a passwordless authentication standard designed to simplify login while providing robust security. With FIDO2, users authenticate with a physical device such as a security key, or with a platform authenticator unlocked by a biometric or PIN, removing the need for a traditional password altogether. Security rests on a public/private key pair generated for each site: the private key never leaves the authenticator, and the credential is bound to the site it was registered with, so a look-alike phishing site cannot obtain a valid login. (FIDO2 also works well with Conditional Access.)

Benefits of FIDO2

Passwordless Convenience: Users can log in without remembering complex passwords.
Increased Security: Resistant to common threats like phishing and credential theft.
User-Friendly: Easy for employees to adopt, especially when combined with biometrics or hardware tokens.

Why These Practices Matter for Small Businesses

Small businesses are increasingly targeted by cybercriminals due to perceived vulnerabilities. Implementing these best practices can fortify your defences without imposing undue burdens on your team.

Key Actions

Discontinue Routine Password Expirations: Unless there’s evidence of compromise, avoid enforcing regular password changes.
Promote the Use of Passphrases: Encourage employees to create long, memorable passphrases.
Mandate MFA Across the Organisation: Ensure all accounts are protected with multi-factor authentication.

By adopting these strategies, you can enhance your organisation’s security posture while simplifying the user experience.
