Why Password Expiration Policies Matter in Your Managed IT Business

To operate with confidence in today’s marketplace, organizations need a strong digital presence backed up by effectively deployed and strategically protected IT assets. As a managed services provider (MSP) tasked with protecting critical workflows and ensuring their customers’ business continuity, it’s crucial for your team to stay up-to-date with the latest strategies in cybersecurity.

Businesses turn to MSPs to handle the complex but essential work of keeping their operations protected from cybercriminals. When working with customers to develop their cybersecurity defenses, a considerable array of tactics should be integrated into any effective IT protection plan. By doing so, MSPs can anticipate potential vectors of attack and be prepared for cybercriminals before they strike. These tactics might include concepts and technologies like least privilege, multi-factor authentication (MFA), and password expiration.

Password expiration policies have been the topic of ongoing discussion within the cybersecurity field. As far back as 2019, the Microsoft security team made headlines by dropping its password expiration policies, explaining that forcing users to change credentials too often would drive them toward simple, predictable passwords. Rather than making organizations safer, Microsoft argued, password expiration policies could become a driver of bad password habits. This recommendation applies to individuals and regular user accounts. Humans tend to choose inherently simple and predictable passwords, and the more frequently they have to change them, the easier those passwords become to guess, brute force, or otherwise crack, because users typically just append or increment a digit such as 1, 2, or 3 on the old password.

Password expiration policies can nevertheless be an effective component of an organization’s broader cybersecurity posture when paired with a sophisticated corporate password manager. For privileged accounts, the recommendation remains to change them frequently to avoid compromise. Where those privileged accounts are shared (numerous IT people having access to and using them), regular changes become even more critical: as people come and go, or should no longer know or have access to the password, rotating it mitigates that risk. Such policies can, and should, be part of larger efforts within your MSP business and within your customers’ organizations, as long as they’re deployed with the help of a strong password management system. When utilized effectively, password expiration policies can increase cybersecurity and help educate users on the importance of strong, complex passwords.

What is a password expiration policy?

As the name implies, password expiration policies regulate how frequently users must replace old passwords with new ones. Stakeholders use password management tools to set timeframes for password expiration, monitor the ages of passwords across organizational accounts, and streamline the process of alerting users when password expiration deadlines are approaching.

Password expiration policies will differ depending on organizational needs, the kinds of information MSP customers deal with, and the various tools they access on a regular basis. For example, mission-critical information should be protected by the most stringent password expiration policies, requiring users to update their credentials frequently to help reduce the risk of a potential data breach.

While these policies can vary depending on a user’s role within an organization and which tools and accounts they access, password expiration can also be contingent on the relative strength of each individual password. As research has shown, nine-character passwords take roughly five days to break, 10-character passwords take four months, 11-character passwords take 10 years, and 12-character passwords take two centuries.

To take this into account, admins can use password management tools to set expiration policies that reward stronger, more complex passwords: the longer and more complicated a given password is, the longer the interval before the user is prompted to reset it. With this kind of strategy in place (and the right tool to enforce it), password expiration policies can contribute to an organization’s broader cybersecurity goals.
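The length-tiered expiration strategy described above, combined with the shorter rotation interval for shared privileged accounts discussed earlier and a check for the "old password plus a digit" habit that Microsoft warned about, as an added example in Python. This is illustration code, not from the article and not part of any N‑able product; the tier boundaries, the 30-day privileged interval, the 7-day warning window, and the sample inventory are all assumed values.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy tiers (not from the article): (minimum password length, max age in days).
# Longer passwords earn a longer interval before a forced reset. Evaluated top-down.
LENGTH_TIERS = [
    (16, 365),
    (12, 180),
    (10, 90),
    (0, 30),
]
PRIVILEGED_MAX_AGE_DAYS = 30   # assumed: shared/privileged accounts rotate on a fixed short cycle
WARN_DAYS = 7                  # assumed: start alerting this many days before expiry


@dataclass
class Credential:
    account: str
    password_length: int    # the policy engine only needs the length, never the secret itself
    last_changed: date
    privileged: bool = False


def max_age_days(cred: Credential) -> int:
    """Return the maximum allowed password age for this credential."""
    if cred.privileged:
        return PRIVILEGED_MAX_AGE_DAYS
    for min_len, days in LENGTH_TIERS:
        if cred.password_length >= min_len:
            return days
    return LENGTH_TIERS[-1][1]  # unreachable because the last tier has min_len 0


def evaluate(cred: Credential, today: date) -> dict:
    """Classify a credential as ok / expiring-soon / expired relative to today."""
    expires = cred.last_changed + timedelta(days=max_age_days(cred))
    remaining = (expires - today).days
    if remaining < 0:
        status = "expired"
    elif remaining <= WARN_DAYS:
        status = "expiring-soon"
    else:
        status = "ok"
    return {
        "account": cred.account,
        "expires": expires.isoformat(),
        "days_remaining": remaining,
        "status": status,
    }


def is_trivial_variant(old_password: str, new_password: str) -> bool:
    """True if the new password is the old one with only trailing digits added or changed
    (for example Welcome1 -> Welcome2), which is exactly the habit forced rotation encourages.
    Comparison is case-insensitive so Welcome1 -> welcome2 is also caught."""
    def stem(p: str) -> str:
        return re.sub(r"\d+$", "", p).casefold()
    return stem(old_password) == stem(new_password)


# Constructed sample inventory for demonstration; account names are placeholders.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Credential("alice", 12, date(2024, 1, 1)),                     # 180-day tier, due 2024-06-29
    Credential("svc-backup", 20, date(2024, 4, 20), privileged=True),  # 30-day cycle, overdue
    Credential("bob", 9, date(2024, 5, 5)),                         # 30-day tier, due 2024-06-04
]


def sample_report() -> list:
    """Run the policy over the constructed inventory; returns one dict per account."""
    return [evaluate(c, TODAY) for c in SAMPLE_INVENTORY]


if __name__ == "__main__":
    for entry in sample_report():
        print(f"{entry['account']:<12} expires {entry['expires']} "
              f"({entry['days_remaining']:>4} days) -> {entry['status']}")
    print("Welcome1 -> Welcome2 rejected:", is_trivial_variant("Welcome1", "Welcome2"))
```

The engine deliberately never sees the password itself, only its length and last-change date, so it can run against a password manager's metadata export without touching secrets; the variant check belongs at change time, where both old and new values are briefly available to the manager, and is meant to be used alongside a normal password-history rule.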

Why should you set a password expiration policy?

Password expiration policies can be a value-add to your customers’ overall IT safety posture, from serving as one of many technical safeguards to helping users understand the importance of password due diligence.

Originally, cybersecurity experts enacted password expiration policies for a simple reason. Traditionally, it was difficult to know whether accounts had been compromised, so resetting passwords on a regular basis meant you might limit the damage a cybercriminal could do, because the credential update revoked their access. However, technology has advanced considerably since the advent of password expiration policies, making it easier to monitor account security, but also meaning that bad actors can wreak untold damage in a matter of seconds rather than days or weeks.

In this new IT landscape, password expiration policies are far from obsolete. Paired with an effective password management tool that helps users generate strong, complex passwords, expiration policies can be just one more responsible step in their broader cybersecurity initiatives. These policies can help users stay cognizant of the overall importance of credential security, act as a starting point for larger conversations about preventing data breaches, and potentially mitigate the damage caused by an attack.

How do you create a password expiration policy?

To create a password expiration policy, MSPs should work with their customers to evaluate their overall cybersecurity needs. By understanding the specific requirements of each customer—industry regulations, current IT infrastructure, and more—MSPs can craft password expiration policies suited to their needs. The time between password updates, the relative strength of credentials across accounts, and the way passwords are generated will all hinge on organizational needs—and the tools you use to support your customers and get the job done right. Password change automation is also a best practice for MSPs managing passwords for multiple customer environments across a team of technicians.

When it comes to managing password security, you should invest in a sophisticated password management system. With N‑able® Passportal, you can leverage cutting-edge password management capabilities for the benefit of your business and your customers. Passportal is a centralized, cloud-based platform where MSPs and their partners can store, search, change, and manage credentials. When someone leaves your company, or if you just want to rotate passwords regularly, Passportal agents will automatically change passwords across your entire client base and update any Windows services or scheduled tasks to use the new passwords within seconds. With a tool like Passportal, you can rest assured your password expiration policies are adding value to customers’ cybersecurity posture.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
