Security in Plain English Series
Why Do I Have to Change my Password Every 30/60/90 Days?
My company makes me change my password every so often. Why do they make me do this even if we haven’t been breached or anything like that?
The answer is simple, and there are two reasons why this policy is standard for most companies. The first is protection against stuff that hasn’t happened yet. The second is protection against stuff that has happened – just not to your company.
Basically, most IT departments will make you change your password once every set number of days. It will most likely be 30, 60, or 90 days; as those are pretty common timeframes and also the default numbers for a lot of corporate software. One reason behind the practice is to defend the company data systems against being invaded because of some other website or company getting hit with a data breach. Most users will re-use passwords on multiple websites and for multiple purposes. That means that if Yahoo or Uber get breached – and both have in the last few years – and you used the same password for those sites and your work login; the attackers now have your work login too. By making you change your password regularly, your company is basically making it harder for attackers who have data from some other place use that information on your company’s network.
The second reason is to protect against possible attacks against your company itself. Keep in mind that for most of us; our usernames are either some combination of our first and last initials/names, or our email addresses. Both of those pieces of information are publicly available, meaning just about anyone who wants to attack your company will have access to one half of your login information. These attackers can then use multiple methods to try different combinations of potential passwords, along with your known username, to break into the company data systems. By having you regularly change passwords, this process becomes harder for the attackers to do successfully. It’s not a perfect system as the attacker can have up to 30-90 days to perform their attack, but it does make things harder on them. Since going after easier targets is always preferable to going after harder ones, the idea is that the attacker won’t feel like going after your company if there’s one that’s going to be easier for them to break into.
As you can see, requiring that passwords be changed on a regular basis isn’t just to protect against the chance that someone stole your password. It can defend the company against being attacked with passwords that were used on other sites which did get breached. It can also help derail attackers who are only looking to figure out one half of the total login. Either way, the minor inconvenience of changing your password once a month (or two or three) is nothing compared to the damage either of these situations could cause without that policy in place.
Security Answers in Plain English is a regular column here on the SecureAuth blog, aimed to help end-users understand why IT Security enforces policies and how to best protect themselves in a digital world. If you have a question for this blog, email us at firstname.lastname@example.org and let us know!