I've read a document from the NCSC in the UK, "Your password expiry policy may have reached its expiry date".
They state that:
'Password expiry is an effective way of mitigating the risk when passwords have been deliberately (if illicitly) shared between users.'
'Password expiry can be used to make sure people don't forget that passwords do still need to be changed sometimes, just because they're no longer forced to do it regularly.'
These scenarios certainly happen, and password expiry could be one way of seeking to manage some of the risks. However, password expiry policies create vulnerabilities of their own.
If regular password expiry really looks like a good idea, that's a sign that your organisation has bigger problems and needs to look for correspondingly bigger solutions:
In all of these cases, password expiry might initially look like a quick and easy way of helping to manage the risks. However, it rarely delivers the headline benefits it promises, and mostly just creates fresh vulnerabilities instead. It pushes people towards using weaker passwords, writing them down, re-using them across different systems and changing them only in tiny ways (eg adding 1 to the number on the end every time). Attackers can and do exploit all these dodges. It disrupts our workflow, reduces our productivity and increases helpdesk costs.
I think it's true: if people need to change their passwords, then 40% will come to the helpdesk with problems changing them.
If we help users to create a strong password and educate them through awareness training and face-to-face talks so that they don't write down passwords or tell them to others, I think that's better than just changing the password by incrementing a number.
What are your thoughts about this?
"Let me generate a strong password for you..."
It's very probable that the cadence of change should be varied according to the threat you are expecting; too much disruption is a bad thing.
As WDF points out, if you have the luxury of resources to do so you should use 2FA and, besides smart cards, support users' passwords with other factors like known devices with certificates, proximity of mobile devices (use smartphones for active push approval as well), UEBA, biometrics etc., and step up the analytics around authentication if just a password is being used. Modern IdPs and trusted devices mean you probably do not put so much emphasis on passwords being changed.
Maybe a random offset for the change window, between 6 and 12 months, would address the problem of inference about an unscheduled password reset, while letting users keep passwords for a more reasonable length of time.
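Added illustration, not code from any poster or from the NCSC: a small policy model that combines the last three comments. Each account draws its own change window in the 6-to-12 month range from a CSPRNG (so an off-cycle reset no longer stands out against a fixed schedule), the window is scaled by an assumed `threat_factor` to vary cadence with the expected threat, MFA-enrolled accounts are exempt from scheduled expiry, and a suspected compromise always forces a change. The 180/365-day bounds, the `Account` fields and the `threat_factor` parameter are assumptions for the example; the sample accounts are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import secrets

# Assumed policy values from the comment above: a change window of
# 6 to 12 months, expressed in days.
MIN_WINDOW_DAYS = 180
MAX_WINDOW_DAYS = 365


@dataclass
class Account:
    user: str
    last_change: date
    window_days: int                 # per-account offset, drawn at each change
    mfa_enrolled: bool = False
    suspected_compromise: bool = False


def day(iso: str) -> date:
    """Parse an ISO date string (helper for the samples and tests)."""
    return date.fromisoformat(iso)


def draw_window(rng=None) -> int:
    """Draw one account's window uniformly from [MIN, MAX] days.

    A CSPRNG is used so the schedule cannot be predicted from the policy
    alone; with a fixed interval, any off-cycle reset stands out as a
    probable incident response.
    """
    rng = rng or secrets.SystemRandom()
    return rng.randint(MIN_WINDOW_DAYS, MAX_WINDOW_DAYS)


def record_change(user: str, on: date, mfa_enrolled: bool = False) -> Account:
    """Called when a user sets a new password: draw a fresh random window."""
    return Account(user, on, draw_window(), mfa_enrolled)


def next_due(acct: Account, threat_factor: float = 1.0) -> date:
    """Scheduled change date. threat_factor scales the drawn window
    (0.5 halves it during an elevated-threat period; 1.0 leaves it alone)."""
    effective = max(1, round(acct.window_days * threat_factor))
    return acct.last_change + timedelta(days=effective)


def rotation_reason(acct: Account, today: date, threat_factor: float = 1.0) -> str:
    """Return 'compromise', 'scheduled', or '' when no change is required.

    - A suspected compromise always forces a change (event-driven reset).
    - MFA-enrolled accounts are exempt from scheduled expiry, following the
      point in the thread that other factors reduce reliance on rotation;
      only events trigger a change for them.
    """
    if acct.suspected_compromise:
        return "compromise"
    if acct.mfa_enrolled:
        return ""
    if today >= next_due(acct, threat_factor):
        return "scheduled"
    return ""


def accounts_due(accounts, today: date, threat_factor: float = 1.0):
    """List (user, reason) for every account that must change its password."""
    due = []
    for acct in accounts:
        reason = rotation_reason(acct, today, threat_factor)
        if reason:
            due.append((acct.user, reason))
    return sorted(due)


def sample_accounts():
    """Constructed sample data; window_days fixed here so the run is reproducible."""
    return [
        Account("alice", day("2024-01-01"), 200),
        Account("bob", day("2023-01-01"), 180, mfa_enrolled=True),
        Account("carol", day("2024-06-01"), 300, suspected_compromise=True),
    ]


if __name__ == "__main__":
    sample = sample_accounts()
    print(accounts_due(sample, day("2024-07-01")))        # [('carol', 'compromise')]
    print(accounts_due(sample, day("2024-07-01"), 0.5))   # [('alice', 'scheduled'), ('carol', 'compromise')]
```

In a real deployment the drawn window would be stored alongside the password-change timestamp in the directory or IdP rather than kept in memory, and the compromise flag would be set by the detection pipeline, not by hand.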