There are a lot of opinions (or misconceptions, as we like to call them) about password enforcement policies. I'm sure you've been a victim of the terror of monthly password resets. It's a common routine at bigger corporations, meant to keep their platforms secure. But is changing the password every month really always a good solution?
No. By forcing people to reset their passwords we slowly push them into a password routine of making small variations on the same password, which doesn't really make them any more secure.
Does "Apple", "Apple1", "Apple1@" sound familiar? Depending a bit on the password policy and the re-use check, users can usually keep passwords like these and simply extend them each time they have to make a new one.
Not to mention the IT security teams dealing with older colleagues who don't remember their monthly password and solve it by writing it on a notepad beside the keyboard, making the password more or less worthless.
How can we stop the madness? Let's get started!
Good detection of leaked passwords is a good start.
1 in 4 UK workers reuse their personal passwords at work (http://www.itpro.co.uk/security/27720/1-in-4-uk-workers-reuse-personal-passwords-at-work). Yes, that is 25%(!) of all employees in the UK. This poses a huge risk to every organization: a password leaked from some unrelated service an employee signed up to can be used directly against the company. Not to mention that many people use their corporate email for personal services, which makes it easy for the attacker to map the leaked credentials to the company.
To mitigate this risk, a good start is to use Have I Been Pwned (https://haveibeenpwned.com) from Troy Hunt to regularly check for leaked accounts matching your organization's email domain, and its Pwned Passwords service to reject passwords that already appear in known breaches. But of course, it never hurts to get your employees to keep their work passwords separate from their personal ones.
Increase the password expiration.
Instead of expiring passwords monthly, bi-monthly or even quarterly, why not do it every half year or (bear with me, yes, we spellchecked that one) even yearly? Given that the organization has good mechanisms in place to handle departing employees and leaked credentials, this should not pose a big security threat. Current NIST guidance (SP 800-63B) goes further still: don't force periodic changes at all, and require a new password only when there is evidence the old one has been compromised.
This can include resetting passwords for employees after work trips and other situations where their credentials have been more exposed than usual. By handling the high-risk cases individually we eliminate the main argument for resetting everyone's password on a monthly basis.
Decent password requirements.
Don't make the requirements ridiculously hard; it has been shown that the length of a password matters more than its complexity (https://resources.infosecinstitute.com/password-security-complexity-vs-length/). Let's not make it too hard for users to remember their own passwords.
Instead of hard complexity rules, the requirements should check the password against common words and phrases and force a good minimum length. With that in place, a number or two plus a symbol on top is more than enough.
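The kind of check this section argues for, as an added example (not code from the original post): a minimum length, a blocklist lookup done on the word the user probably started from rather than on the literal string, and a comparison against previous passwords that catches the "Apple" / "Apple1" / "Apple1@" routine from the start of the post. The 14-character floor and the short blocklist are assumptions for the example; a real deployment would load the Pwned Passwords corpus or a top-N list plus organization-specific words (company and product names).

```python
import re

MIN_LENGTH = 14  # example floor; a long passphrase beats any symbol rule

# Constructed blocklist for the example. Load a real breach/top-N list plus
# organization-specific words in practice.
BLOCKLIST = {"password", "apple", "welcome", "letmein", "qwerty", "summer", "acmecorp"}

# Substitutions users make to satisfy complexity rules, mapped back to letters.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

def normalize(password: str) -> str:
    """Reduce a password to the word the user probably started from:
    lower-case it, strip leading/trailing digits and symbols
    ('Apple1@' -> 'apple'), then undo common substitutions
    ('P@ssw0rd' -> 'password')."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)

def is_trivial_variant(old: str, new: str) -> bool:
    """True when 'new' is 'old' with only the decoration changed, which is
    exactly what forced monthly resets tend to produce."""
    return normalize(new) != "" and normalize(old) == normalize(new)

def check_password(password: str, previous=()) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    core = normalize(password)
    if core in BLOCKLIST or password.lower() in BLOCKLIST:
        problems.append(f"based on blocklisted word {core!r}")
    if len(set(password)) <= 2:  # 'aaaaaaaaaaaaaaaa', '1212121212121212'
        problems.append("too few distinct characters")
    for old in previous:
        if is_trivial_variant(old, password):
            problems.append("trivial variant of a previous password")
            break
    return problems

if __name__ == "__main__":
    history = ["Apple", "Apple1"]
    for candidate in ("Apple1@", "P@ssw0rd2019!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, history) or "ok")
```

The normalization is deliberately crude: it is meant to catch the decorated dictionary word and the rotated-suffix pattern cheaply at set time, not to replace a breach corpus check. Note that comparing against previous passwords requires keeping their plaintext or a reversible form only for the duration of the change request (the user types the old one), never in the password store.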
Nothing speaks better than an illustration:
Thanks for dropping by!