How to address overly complex password policies at work?

Asked By CuriousCat77 On

Good morning everyone! I'm reaching out for some advice regarding my workplace's password policy. We have to change our passwords every 30 days, and they need to be complex. Recently, two of my coworkers changed their passwords and ended up forgetting them. I'm thinking of bringing a complaint to my manager and our IT team about how complicated these passwords are. I'm looking for data or evidence showing that longer passwords, which are changed less frequently (like once a year or only after a security breach), are actually more secure than these overly complicated and frequently changing passwords, like 'B!c3n+en!@L'. Some team members are older and not very tech-savvy, and they're already resorting to writing their passwords down. Any help would be greatly appreciated!

5 Answers

Answered By TechSavvySam On

You might want to check out the NIST guidelines. As of late last year, they state that organizations should not force users to change their passwords at set intervals like 30 days. They recommend only changing passwords when there's a known compromise. This could be solid support for your complaint!

Answered By ResearchRita On

There are tons of articles out there discussing the downsides of forced password changes. A quick Google search should yield a lot of useful references to support your argument. Just be sure to look for reputable sources!

Answered By UserFriendlyGary On

It sounds like passphrases could be a great solution for you. They allow for longer, more memorable passwords without needing to be super complicated. Consider getting your IT team to switch to passphrases with fewer complexity requirements—it could work wonders!

OldSchoolNerd -

I've tried it, and it really does help keep things simple and memorable without compromising security.
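An added example, not part of the thread or any poster's code: it compares a legacy composition rule with a length-first rule of the kind the answers above describe, using the sample password from the question. The rule thresholds, the blocklist, the substitution table and the passphrase are assumptions constructed for illustration.

```python
import math
import string

# Assumed legacy rule: 8+ chars with upper, lower, digit and symbol.
def legacy_ok(pw):
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))

# Constructed blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"password", "letmein", "welcome", "qwerty"}
# Common character substitutions undone before the blocklist lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "!": "i", "1": "i",
                      "0": "o", "$": "s", "5": "s", "+": "t", "7": "t"})

def normalize(pw):
    """Lowercase, drop trailing digits/symbols, then undo substitutions."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)

def length_first_check(pw, min_len=15):
    """Assumed length-first rule: minimum length plus blocklist, no
    composition rules. Returns a list of problems (empty means accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    if normalize(pw) in BLOCKLIST:
        problems.append("blocklisted")
    return problems

def random_bits(choices, picks):
    """Entropy in bits, valid only if every pick is uniformly random."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    samples = ["B!c3n+en!@L",                        # from the question
               "P@ssw0rd!",                          # constructed
               "copper lantern drift orbit maple"]   # constructed
    for pw in samples:
        print(f"{pw!r}: legacy={legacy_ok(pw)} "
              f"length_first={length_first_check(pw) or 'accepted'}")
    # Upper bounds for machine-generated secrets; human-chosen ones are weaker.
    print(f"11 random printable chars: {random_bits(94, 11):.1f} bits")
    print(f"6 random words from a 7776-word list: {random_bits(7776, 6):.1f} bits")
```

The legacy rule accepts `P@ssw0rd!` while rejecting the five-word passphrase, and the length-first rule does the opposite. The bit counts only hold for randomly generated secrets, which is why a word with substituted characters is worth far less than its length suggests.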

Answered By ComplianceCory On

Your IT department might already be aware that password expiration policies are mostly outdated, but they're just following old regulations to stay compliant. It might help to shine a light on that in your discussion with management.

Answered By FutureProofFiona On

Have you thought about passwordless authentication methods like biometrics or password managers? That could save time and eliminate the need for tricky passwords altogether. It's definitely becoming more popular!

SkepticalSteve -

Yeah, but not all companies are ready for that yet. It’s worth mentioning, though, since it could change the conversation.
