• The problems with forcing regular password expiry
    https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

    “Regular password expiry is a common requirement in many security policies. However, in the Password Guidance published in 2015, we explicitly advised against it. This article explains why we made this (for many) unexpected recommendation, and why we think it’s the right way forward.”

    #password_expiry_security_clevermarks

    • The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.

      At the NCSC, we want administrators to think about alternative, more effective system defences they might implement in order to detect and prevent unauthorised account use. For instance, we recommend using system monitoring tools that present users with information about the last login attempt, so they can see if they’re responsible for failed login attempts. If they’re not, this may be a sign that someone has attempted to access their account, and users should be able to easily report this for investigation. Initiatives such as this are far more likely to help keep systems safe, and much more manageable for the user.
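The "show the user their last login and any failed attempts since" control the excerpt recommends can be built from ordinary authentication logs. The following is an added example, not code from the NCSC article: it parses constructed sshd-style log lines (the format, users and addresses are invented for the example) and produces the banner a user would see at their newest successful login, listing the previous success and every failed attempt between the two, grouped by source address.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines in a simplified sshd-like format; not real data.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z sshd: Accepted password for alice from 10.0.0.5 port 51234
2024-03-01T09:15:40Z sshd: Failed password for alice from 198.51.100.7 port 40211
2024-03-01T09:15:44Z sshd: Failed password for alice from 198.51.100.7 port 40212
2024-03-01T11:30:02Z sshd: Accepted publickey for bob from 10.0.0.9 port 50001
2024-03-02T07:58:19Z sshd: Failed password for alice from 203.0.113.22 port 33120
2024-03-02T08:01:05Z sshd: Accepted password for alice from 10.0.0.5 port 51290
"""

# Assumed line layout: "<ISO timestamp> sshd: <Accepted|Failed> <method> for <user> from <src> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


@dataclass
class LoginEvent:
    ts: str          # ISO-8601 UTC; same-format strings sort lexically by time
    success: bool
    user: str
    src: str


@dataclass
class LoginBanner:
    user: str
    current_login: LoginEvent
    previous_success: Optional[LoginEvent]   # None on a user's first login
    failed_since: List[LoginEvent]           # failures between previous and current success

    def failed_sources(self) -> Dict[str, int]:
        """Count failed attempts per source address."""
        counts: Dict[str, int] = {}
        for ev in self.failed_since:
            counts[ev.src] = counts.get(ev.src, 0) + 1
        return counts

    def render(self) -> str:
        """Text shown to the user right after they log in."""
        lines = [f"Welcome {self.user}."]
        if self.previous_success:
            lines.append(f"Last successful login: {self.previous_success.ts} "
                         f"from {self.previous_success.src}")
        else:
            lines.append("No earlier successful login on record.")
        if self.failed_since:
            lines.append(f"{len(self.failed_since)} failed login attempt(s) since then:")
            for src, n in sorted(self.failed_sources().items()):
                lines.append(f"  {n} from {src}")
            lines.append("If these were not you, report them to your security team.")
        else:
            lines.append("No failed login attempts since then.")
        return "\n".join(lines)


def parse_log(text: str) -> List[LoginEvent]:
    """Extract login results from log text; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LoginEvent(m["ts"], m["result"] == "Accepted", m["user"], m["src"]))
    events.sort(key=lambda e: e.ts)   # stable sort keeps log order for equal timestamps
    return events


def login_banner(text: str, user: str) -> Optional[LoginBanner]:
    """Build the banner for a user's most recent successful login, or None if they never logged in."""
    events = [e for e in parse_log(text) if e.user == user]
    successes = [e for e in events if e.success]
    if not successes:
        return None
    current = successes[-1]
    previous = successes[-2] if len(successes) >= 2 else None
    lower = previous.ts if previous else ""   # "" sorts before any timestamp
    failed = [e for e in events if not e.success and lower < e.ts < current.ts]
    return LoginBanner(user, current, previous, failed)


if __name__ == "__main__":
    for name in ("alice", "bob"):
        banner = login_banner(SAMPLE_LOG, name)
        print(banner.render() if banner else f"No logins recorded for {name}")
        print()
```

For alice the banner reports the 1 March login from 10.0.0.5 as the previous success and three failed attempts since it (two from 198.51.100.7, one from 203.0.113.22), which is exactly the information the article wants users to see and be able to report; bob, with a single success and no failures, gets a clean banner.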