In February 2020, the BSI (German Federal Office for Information Security) made a much-noticed and discussed statement on changing passwords in its IT-Grundschutz compendium under ORP.4.A23:

IT systems or applications SHOULD ONLY prompt you to change your password for a valid reason. Purely time-controlled changes SHOULD be avoided.

Baaam! The BSI recommends that passwords should no longer be changed! And the American NIST (National Institute of Standards and Technology) is tooting the same horn with its ‘Special Publication 800-63B’: ‘Verifiers SHOULD NOT require memorised secrets to be changed arbitrarily (e.g., periodically).’

Were all our unspeakable password changes for nothing? In security circles, almost nothing is discussed as intensively as this topic. Providers of password complexity analysis tools have put the BSI's statements in bold letters on their homepages and customers write to us to ask why we are still promoting password changes in our security awareness videos.

Well... On the one hand, because we don't just pick out the part we like from such publications. And secondly, because we see passwords being lost live in assessments and incidents.

Changing your password makes sense, but when?

First of all, the ‘cherry picking’. The very next sentence in the much-cited BSI paragraph reads:

Measures MUST be taken to recognize the compromise of passwords. If this is not possible, it SHOULD be checked whether the disadvantages of a time-controlled password change can be accepted and passwords are changed at certain intervals.

And this is where it gets thrilling. How are you supposed to take measures to recognise compromised passwords? And when is a password compromised? When it is on HaveIbeenpwned? Or when it's on GitHub's list of the top 100,000 cracked passwords on the internet? Oh yes, you could probably call that compromised!

But what about passwords that users give us over the phone in social engineering assessments because they think we're the IT helpdesk? What about passwords that users enter on phishing sites because they are convinced they are logging into Office 365? The passwords can be as complex as they like: they're still gone! And we don't know of any tool that would recognise such compromises.

It's true:

If users used complex passwords and did not enter them in the wrong places or otherwise pass them on, then there would indeed no longer be any reason for forced password changes.

Unfortunately, the sentence contains a lot of ifs and subjunctives for the time being.

As long as passwords are used as a single factor, a compromise can simply never be ruled out. This is why the statements from BSI and NIST are relatively meaningless and are actually cancelled out in the following sentence. But they have stimulated an exciting discussion and that is perhaps a good thing.

We currently recommend a long change cycle (e.g. 180 days) to our customers, but we still recommend changing passwords. We also recommend the consistent use of multi-factor authentication. This is a really important step towards greater security.

And in conjunction with a good password manager, a six-monthly password change for the core systems no longer really hurts.

We explain this and other current topics clearly and comprehensibly in our awareness videos.