I was chatting to a friend, and they were talking about how their work email password had to be changed every 28 days. This was causing some of their colleagues issues, as they were shift workers and their shift pattern sometimes meant they did not work for up to two weeks. The two problems were that they may have forgotten the password because they had to change it so often, or that they had been away for so long that they were no longer able to reset the password themselves when they logged in, as there was only a small window to do this, and so had to contact IT support for a password change (which sounded like a long call and wait).
Whilst I understand that some businesses like to have users change passwords on a regular basis and conform to a set of parameters like minimum length, a combination of upper case and lower case letters, numbers and symbols, and no repeat of the last however many passwords used, I wonder if this is the best path to take.

Having worked in this sort of environment, you get used to people needing password resets because they cannot remember the last password after a weekend (must have been a good one). This in turn reduces productivity. It also encourages people to write their passwords down, often in the back of their desk diary or on sticky notes on their desk. Where is the security in that? I can remember having to look at a user's PC without knowing the password and being able to get in just by checking around their desk, or in some cases under their keyboard.

For several years now, the big players in the market have been recommending that we create secure strong passwords for each account and not change them unless we think that they have been compromised.

The reason for this is that they have recognized that users suffer from password fatigue: changing your password every 28 or even 60 days becomes an issue when you also have to conform to rules like no repeat of the last six passwords, a minimum of eight characters, and so on.

So, make passwords strong and increase the time period between changes, or better still do not require the password to be changed unless it is believed to be compromised. Add multi-factor authentication to the account, and encourage people to use a unique password for each website or service; a password manager can help with this.

So what would I recommend?

A password at least 12 characters long, and longer is better

A mix of uppercase letters, lowercase letters, numbers, and symbols

Different from your other passwords

Something easy to remember whilst still being difficult for someone else to guess. A good way is to take a memorable phrase and adapt it to suit the password requirements, like “M4ryH4daL!ttleLam8”
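The four recommendations above can be turned into a simple policy check. The following Python is an added example, not code from the original post: it checks the minimum length, the mix of character classes, and that the password is not one the user has used before (previous passwords are kept only as hashes, and the three entries in the history are constructed sample values). The phrase-based password the post suggests is used as the passing case.

```python
import hashlib
import re

# Constructed sample history of previously used passwords, stored as SHA-256 digests so
# the plain text never sits in the history list. A real system should use a salted,
# slow password hash (bcrypt, scrypt or Argon2) rather than bare SHA-256.
PREVIOUS_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Summer2023!", "Winter2023!", "Password123")
}

MIN_LENGTH = 12  # the post's recommendation: 12 characters, longer is better
REQUIRED_CLASSES = {"upper", "lower", "digit", "symbol"}


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    if re.search(r"[A-Z]", password):
        classes.add("upper")
    if re.search(r"[a-z]", password):
        classes.add("lower")
    if re.search(r"[0-9]", password):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.add("symbol")
    return classes


def check_password(password, history=PREVIOUS_PASSWORD_HASHES):
    """Return a list of policy failures; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if hashlib.sha256(password.encode()).hexdigest() in history:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ("M4ryH4daL!ttleLam8", "Password123", "correct horse battery staple"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The phrase-based example passes every check; "Password123" fails on length, on the missing symbol class and on reuse, which is the kind of feedback that lets a user fix the password themselves rather than calling IT support.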

Remember, an eight-character password in lower case will be broken by a computer instantly; add an upper case letter and a number and it takes 1 hour; make it ten characters and add a symbol and it will take 5 years.
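The crack-time figures above depend on the guess rate the attacker is assumed to have, which the post does not state. As an added example (not from the original post), the following Python computes the size of the search space and the entropy in bits for the three cases named, and a worst-case time at an assumed rate of 10^10 guesses per second. That rate is an assumption chosen only to show how the time scales with length and alphabet; the post's own figures imply a different rate, so the ratios between the cases are what matter, not the absolute times.

```python
import math
import string

# Alphabet size per character class (printable ASCII: 26 + 26 + 10 + 32 = 94).
CLASS_SIZES = {
    "lower": len(string.ascii_lowercase),  # 26
    "upper": len(string.ascii_uppercase),  # 26
    "digit": len(string.digits),           # 10
    "symbol": len(string.punctuation),     # 32
}

# ASSUMPTION: an illustrative guess rate. The post does not give the rate behind its
# figures, so only the ratios between the cases below are meaningful.
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def search_space(length, classes):
    """Number of candidate strings of `length` drawn from the union of `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def entropy_bits(length, classes):
    """Bits of entropy if every character is chosen uniformly from the alphabet."""
    return length * math.log2(sum(CLASS_SIZES[c] for c in classes))


def worst_case_seconds(length, classes, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every candidate once at the given guess rate."""
    return search_space(length, classes) / rate


def humanize(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# The three cases the post compares.
CASES = [
    ("8 chars, lowercase only", 8, ["lower"]),
    ("8 chars, + uppercase + digit", 8, ["lower", "upper", "digit"]),
    ("10 chars, + symbol", 10, ["lower", "upper", "digit", "symbol"]),
]


def compare_cases(cases=CASES, rate=ASSUMED_GUESSES_PER_SECOND):
    """Return (label, entropy bits, worst-case seconds) for each case."""
    return [(label, entropy_bits(n, cls), worst_case_seconds(n, cls, rate))
            for label, n, cls in cases]


if __name__ == "__main__":
    for label, bits, secs in compare_cases():
        print(f"{label:32s} {bits:5.1f} bits  {humanize(secs)}")
```

Adding two character classes to an eight-character password multiplies the search space by roughly a thousand, and adding two more characters plus symbols multiplies it by a further quarter of a million, which is why length buys more than any individual rule. This is the worst case for a random password; a password built from a guessable pattern is found far sooner than the search-space figure suggests.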

Makes you think!