Thoughts on the International "Change Your Password" Day

01/02/2023


It's that time again: International "Change Your Password" Day has arrived, and users are encouraged to rotate their passwords. But is that still necessary? Our IT security expert Tobias Philipsen has some thoughts on password rotation. Read on to find out whether you should change your password today.

The good thing about password rotation

In general, it is good that users are reminded how much depends on their passwords. Unfortunately, "123456" and "password" are still among the ten most used passwords worldwide, so it is reasonable to assume that users with some IT security awareness are less likely to pick such a password. Nor is there anything wrong with a changed password as such. For highly privileged accounts, regular changes are even strongly recommended, ideally a fresh secret for every use in the form of one-time passwords. So from a purely technical point of view, there is nothing wrong with periodic password rotation.

In addition, 2022 saw several major leaks of password collections, both in plaintext and hashed. In recent months there have also been large-scale credential stuffing and password spraying attacks (most recently last week at PayPal). Against that background, changing passwords is a perfectly reasonable precaution, especially for any password that may have been part of such a leak.

Reasons for keeping passwords

Has this ever happened to you? You enter the password you changed a few days ago, and on the fifth failed attempt your account is temporarily locked. Your only lifeline is a message to the admin along the lines of "I forgot my password (again)". The working time lost in companies while staff wait for a password reset is reason enough not to confuse them with constantly changing passwords.

Another danger of periodic password changes is the tendency of users to choose passwords that are easy to remember, and therefore easy to guess. "Spring2023", "Summer2023", "Fall2023" and "Winter2023" are passwords that conveniently match the rotation period and would not survive five minutes of a dictionary or password-spraying attack; an attacker who knows a user's old password can usually guess the new one by incrementing the year. It gets worse if the same password is used for personal and business accounts alike. To avoid this path of least resistance, it is advisable to turn the password rules around: instead of forcing a change every few months, require strong passwords that are screened against known-bad ones and changed when there is a concrete reason to.

Password handling with a sense of proportion

Better safe than sorry, especially when it comes to credentials. Accounts with high privileges should of course get first-class protection, including multi-factor authentication and one-time passwords. If a compromise is suspected, all passwords must be replaced with new ones, and this applies to accounts of every privilege level. "Normal" users can be helped to choose secure credentials with a company-sanctioned password manager, which also keeps passwords out of Excel lists on the desktop. In addition, a password blacklist of frequently used and easily guessed passwords (ideally including passwords known from leaks) should be enforced at the point where a password is set; this is also what NIST SP 800-63B recommends in place of mandatory periodic changes.
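The blacklist and the seasonal-pattern problem described above, as an added example that is not part of the original post and not Complion's tooling: a small Python screen run at password-set time that rejects common passwords, leaked passwords, "Season+Year" patterns, passwords containing the user's or company's name, and "rotations" that only bump a trailing number. The minimum length of 12, the blocklist entries, the leaked-hash set and every sample password are constructed assumptions for illustration; a real deployment would load a published top-N list and a breach corpus such as the Pwned Passwords offline dataset.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Policy constant. The value 12 is an assumption for this example, not a
# requirement stated in the post.
MIN_LENGTH = 12

# Constructed sample of frequently used passwords (a real blocklist would
# hold many thousands of entries from published top-N lists).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "welcome", "letmein"}

# Constructed stand-in for a leaked-password corpus, stored as upper-case
# SHA-1 hex digests in the style of the Pwned Passwords offline dataset.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2022!", "Passw0rd", "Complion2022")
}

# Season, month or quarter followed by a two- or four-digit year, with
# optional separators and trailing symbols: Spring2023, Winter-23!, Q1_2024.
SEASONAL_RE = re.compile(
    r"^(spring|summer|fall|autumn|winter|q[1-4]|"
    r"jan(uary)?|feb(ruary)?|mar(ch)?|apr(il)?|may|jun(e)?|jul(y)?|"
    r"aug(ust)?|sep(tember)?|oct(ober)?|nov(ember)?|dec(ember)?)"
    r"[^a-z0-9]*(19|20)?\d{2}[^a-z0-9]*$",
    re.IGNORECASE,
)

TRAILING_JUNK_RE = re.compile(r"[^a-z]+$")


def _core(password: str) -> str:
    """Lower-case the password and strip trailing digits/symbols, so that
    'Password1!' and 'Password2!' both reduce to 'password'."""
    return TRAILING_JUNK_RE.sub("", password.lower())


def sha1_upper(password: str) -> str:
    """SHA-1 hex digest in the upper-case form used by leaked-hash lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def check_password(password: str, previous: Optional[str] = None,
                   context: Tuple[str, ...] = ()) -> List[str]:
    """Return the list of reasons a password should be rejected.

    An empty list means the password passed every screen. `previous` is the
    password being replaced (available in plaintext during a change because
    the user has just typed it); `context` holds user names, company names
    and similar strings that must not appear in the password.
    """
    reasons = []
    lower = password.lower()
    core = _core(password)

    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if lower in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password")
    if SEASONAL_RE.match(password):
        reasons.append("seasonal pattern")
    for token in context:
        if len(token) >= 4 and token.lower() in lower:
            reasons.append(f"contains '{token}'")
    if sha1_upper(password) in LEAKED_SHA1:
        reasons.append("found in leaked password list")
    # Catches the classic rotation dodge: Summer2022! -> Summer2023!
    if previous is not None and core and core == _core(previous):
        reasons.append("only trailing digits/symbols changed")
    return reasons


def is_acceptable(password: str, **kwargs) -> bool:
    return not check_password(password, **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs: (candidate, previous password, context tokens).
    samples = [
        ("Spring2023", None, ()),
        ("Password1!", None, ()),
        ("Summer2022!", None, ()),
        ("Summer2023!", "Summer2022!", ()),
        ("MyComplionLogin2023!", None, ("tphilipsen", "Complion")),
        ("correct horse battery staple", None, ()),
    ]
    for pw, prev, ctx in samples:
        verdict = check_password(pw, previous=prev, context=ctx) or ["ok"]
        print(f"{pw!r:32} -> {', '.join(verdict)}")
```

The leaked-password check compares hashes rather than plaintext so the corpus can be shipped without the passwords themselves; with a real dataset the same comparison runs against the HIBP range API (first five hex characters of the SHA-1) or an offline download. The `previous` comparison is what makes forced rotation honest: without it, "Summer2022!" to "Summer2023!" satisfies every complexity rule while changing nothing an attacker cannot guess.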

As always, communicating with users as equals is one of the best shields when it comes to patching the "human vulnerability". Whether the topic is phishing or password selection, security awareness is the first step to success. Users who understand the risks and are equipped with the right tools are a strong foundation for an organization's IT security.

Complion offers IT security consulting services such as training and self-assessments. If you would like to benefit from our expertise too, find out more about our portfolio here.


Author: Tobias Philipsen