Rethinking Password Policies
Much like the belief that phishing simulations are effective, it is still a widespread misconception that passwords must be changed regularly to remain secure. In reality, outdated password policies contribute to weaker defenses and user frustration.
The Swiss Cheese Model: A Layered Defense Approach
The Swiss Cheese Model is a well-known concept in risk management and is particularly applicable to cybersecurity. The idea is that no single layer of security is perfect—each has “holes” or vulnerabilities, much like slices of Swiss cheese. However, by layering multiple defenses, the holes in one slice are covered by the strengths of another, significantly reducing the likelihood of a successful attack.

User:BenAveling, CC BY-SA 4.0, via Wikimedia Commons
How This Applies to Password Security:
Instead of relying on end users to create secure passwords using a set of complex policies, organizations should implement multiple layers of protection. Let’s explore some of the possibilities further.
1. Password Changes: Only When Compromised
Since 2017, NIST guidelines have advised against forced periodic password changes, and the current guidance makes this a requirement. Arbitrary resets are not only unnecessary but actively harmful. NIST SP 800-63B states:
“Verifiers SHALL NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”
– US National Institute of Standards and Technology
Why This Requirement?
Enforcing routine password changes leads to predictable and insecure user behavior. Users often make minor, easily guessable modifications, such as changing “Passw0rd” to “Passw0rd1” or “Winter2023!” to “Spring2023!”. Such patterns undermine whatever security benefit the change was supposed to bring.
Instead, NIST advises focusing on proactive measures, like breach detection and incident response, to prompt password changes only when there’s a verified threat. Furthermore, one critical aspect of security is ensuring that every service has a unique password. Reusing passwords across multiple sites increases risk, as a single compromised password could grant attackers access to several accounts.
2. Password Managers
Nobody wants to remember a separate password for every service. That’s where password managers come in: you only have to remember one master password to access all the others. Good examples are KeePass (the password database stays local) and Bitwarden (which can be self-hosted). Most enterprise solutions also offer a plan for personal use. Depending on your threat model, even iCloud Keychain may be enough for you (or your parents).
Thanks to the browser extensions of these applications, you can auto-fill logins while still retaining a unique and complex password per service.
3. Password Composition Rules: No Longer Required
If you’re now thinking that a password manager cannot generate passwords that satisfy the varying requirements of every website, you can relax. First, Apple maintains a Git repository of password manager resources that stores the password rules of well-known websites, lists websites that share the same authentication backend, and records the URLs for password changes.
But more importantly, NIST no longer recommends such requirements. To quote the NIST FAQ directly:
SP 800-63B Section 5.1.1.2 paragraph 9 recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a ! to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret. Instead, a blacklist of common passwords prevents subscribers from choosing very common values that would be particularly vulnerable, especially to an online attack.
Composition rules also inadvertently encourage people to use the same password across multiple systems since they often result in passwords that are difficult for people to memorize.
– US National Institute of Standards and Technology
However, passwords should still be checked against lists of well-known and leaked passwords. The complete list of requirements can be found in the NIST guidelines.
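The following is an added example, not code from the original post, showing what a verifier check looks like once composition rules are dropped: only a length check and a blocklist lookup remain. The blocklist here is a constructed sample of a few words stored as SHA-1 digests (an assumption for illustration; a real deployment would load a large published breach corpus), and the stripping of trailing digits and punctuation is added so that the “append a !” or “append a 1” habit from the NIST quote still hits the blocklisted base word.

```python
import hashlib
import string
import unicodedata

# Constructed sample blocklist for this example, not a real breach corpus.
# Only SHA-1 digests are kept, so the plaintext list need not ship with the app.
_SAMPLE_BLOCKLIST = ["password", "passw0rd", "123456", "qwerty", "letmein", "winter2023"]
BLOCKLIST = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BLOCKLIST}

MIN_LENGTH = 8   # the 8-character floor SP 800-63B sets for user-chosen memorized secrets
MAX_LENGTH = 64  # verifiers must accept at least this many characters


def _variants(secret: str):
    """Forms compared against the blocklist: the lowercased secret, then the same
    with trailing punctuation and trailing digits removed, so that the predictable
    'append a !' or 'append a 1' tricks still hit the blocklisted base word."""
    lowered = secret.lower()
    no_punct = lowered.rstrip(string.punctuation)
    no_digits = no_punct.rstrip(string.digits)
    for variant in (lowered, no_punct, no_digits):
        if variant:
            yield variant


def check_memorized_secret(secret: str) -> list:
    """Return the list of rejection reasons; an empty list means the secret is accepted.
    Deliberately no composition rules: only length and a blocklist lookup are enforced."""
    secret = unicodedata.normalize("NFKC", secret)  # SP 800-63B asks for NFKC/NFKD
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    for variant in _variants(secret):
        if hashlib.sha1(variant.encode("utf-8")).hexdigest() in BLOCKLIST:
            reasons.append("matches a common or previously breached password")
            break
    return reasons


if __name__ == "__main__":
    for candidate in ["Passw0rd1", "Winter2023!", "short", "ThePurpleSunsetsOnTuesdays!"]:
        print(candidate, "->", check_memorized_secret(candidate) or "accepted")
```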
4. Let me introduce: Passphrases
If for any reason you can’t or don’t want to use a password manager (which you really should), you should use passphrases instead of passwords. A passphrase is a string of random but memorable words, such as “ThePurpleSunsetsOnTuesdays!” This approach makes passwords both secure and easy to remember while still being long and complex enough to resist brute-force attacks.
Passphrase Creation Tips:
- Use a string of unrelated yet memorable words.
- Aim for at least 16 characters.
- Include punctuation and capitalization for added security.
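As an added example (not from the original post), here is a small passphrase generator that follows the three tips above and also shows where the strength actually comes from: the number of words multiplied by log2 of the wordlist size. The sixteen-word list is a constructed stand-in; the entropy figures for a 7776-word list (the size of the common diceware-style lists) are computed by the same function.

```python
import math
import secrets

# Constructed sample wordlist for this example; a real generator would load a
# large published list (thousands of words) from disk instead.
WORDLIST = [
    "purple", "sunset", "tuesday", "anchor", "velvet", "canyon", "lantern", "marble",
    "orbit", "pepper", "saddle", "thunder", "walnut", "meadow", "cobalt", "harbor",
]


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` independent uniform picks from `wordlist_size` words.
    Capitalization and the closing punctuation are predictable, so they are not counted."""
    return words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words: int = 4, wordlist=WORDLIST, min_length: int = 16) -> str:
    """Pick `words` unrelated words with a CSPRNG, capitalize each and end with
    punctuation, as the tips above suggest. Re-draw if the result is too short."""
    if words < 1:
        raise ValueError("need at least one word")
    longest = max(len(w) for w in wordlist)
    if words * longest + 1 < min_length:  # the loop below could never terminate
        raise ValueError(f"{words} word(s) from this list cannot reach {min_length} characters")
    while True:
        picked = [secrets.choice(wordlist) for _ in range(words)]
        phrase = "".join(w.capitalize() for w in picked) + secrets.choice("!?.")
        if len(phrase) >= min_length:
            return phrase


def split_words(phrase: str) -> list:
    """Recover the words of a generated passphrase: split at capital letters, drop punctuation."""
    body = phrase.rstrip("!?.")
    words, current = [], ""
    for ch in body:
        if ch.isupper() and current:
            words.append(current.lower())
            current = ""
        current += ch
    if current:
        words.append(current.lower())
    return words
```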
5. Two-Factor Authentication (2FA): A Must-Have Layer
Passwords alone are not enough; adding 2FA provides an essential extra layer of security. It requires a second factor, like a code from an app or a hardware security key, to prevent unauthorized access even if a password is compromised.
Types of 2FA:
- SMS-based codes: Convenient but less secure. Should be avoided.
- Authenticator apps: More secure options include Google Authenticator and Microsoft Authenticator.
- Hardware keys: The most secure form, using devices like YubiKey.
6. Conditional Access Policies: Smarter 2FA Prompts
Repeated 2FA prompts can lead to user fatigue, increasing susceptibility to phishing attacks. Conditional access policies provide a way to balance security and usability by only enforcing 2FA when necessary, such as during high-risk logins or from unfamiliar devices.
Examples of Conditional Access Policies:
- Prompt for 2FA only when accessing sensitive resources.
- Use risk-based authentication, evaluating factors like location and user behavior.
- Configure device compliance checks before granting access.
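The policy list above, worked through as an added example (not from the original post or from any vendor’s product): a small evaluator that checks device compliance first, then accumulates risk signals and only asks for a second factor when the score crosses a threshold. Resource names, weights and the threshold are constructed assumptions; a real tenant would read device inventory and sign-in history from the identity provider.

```python
from dataclasses import dataclass, field

# Constructed policy data for this example; in a real tenant these come from the
# identity provider's device inventory and the user's recent sign-in history.
SENSITIVE_RESOURCES = {"hr-payroll", "admin-portal"}
MFA_RISK_THRESHOLD = 2          # risk score at or above which a second factor is required
BUSINESS_HOURS = range(6, 22)   # local hours considered routine


@dataclass
class SignIn:
    user: str
    resource: str
    device_id: str
    device_compliant: bool
    country: str
    hour_local: int
    known_devices: set = field(default_factory=set)    # devices this user has used before
    usual_countries: set = field(default_factory=set)  # countries seen in recent sign-ins


def risk_factors(s: SignIn) -> list:
    """Risk-based signals weighed per sign-in; each entry is (points, reason).
    An unfamiliar device or a sensitive resource is enough on its own to reach the
    threshold; location and time of day only count when they coincide."""
    factors = []
    if s.device_id not in s.known_devices:
        factors.append((2, "unfamiliar device"))
    if s.resource in SENSITIVE_RESOURCES:
        factors.append((2, "sensitive resource"))
    if s.country not in s.usual_countries:
        factors.append((1, "sign-in from a country not seen recently"))
    if s.hour_local not in BUSINESS_HOURS:
        factors.append((1, "sign-in outside usual hours"))
    return factors


def evaluate(s: SignIn) -> tuple:
    """Return ('block' | 'mfa' | 'allow', reasons). Compliance is checked before
    anything else; a routine sign-in from a known, compliant device to an ordinary
    app stays prompt-free, which is what keeps 2FA fatigue down."""
    if not s.device_compliant:
        return "block", ["device does not meet compliance policy"]
    factors = risk_factors(s)
    reasons = [reason for _, reason in factors]
    if sum(points for points, _ in factors) >= MFA_RISK_THRESHOLD:
        return "mfa", reasons
    return "allow", reasons
```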
Configuration Guide:
Explore Microsoft’s Conditional Access Documentation for more information on setting up these measures within M365.
7. Passkeys: A Modern Approach
Passkeys represent a significant leap forward in secure, passwordless authentication. They use a cryptographic key pair: a public key stored on the server and a private key stored securely on the user’s device. This approach virtually eliminates the risk of phishing, as there’s no password to steal or misuse.
Example Implementation:
Platforms like Apple and Google have integrated passkey support. See Apple’s Passkeys Guide for details on configuration for macOS and iOS devices.
Final Thoughts
The goal of modern password policies is not only to improve security but also to create a user-friendly experience. Instead of relying on users to create secure passwords through a set of complex policies, organizations should implement proactive measures. This includes breach detection, incident response, and ensuring that each service has a unique password—best managed with the help of password managers. Relying solely on user behavior is a flawed strategy; IT departments should adopt the Swiss Cheese Model for security. Intelligent multi-factor authentication (MFA), passwordless authentication, and conditional access policies are crucial components.
By embracing these modern approaches, we can enhance security while simplifying the experience for everyone. Feel free to share your thoughts or strategies in the comments below!