
The Bank Michigan Blog

Password Policy Change


Previously, Bank Michigan required customers who use online banking to change their password every 90 days. This practice follows typical corporate password requirements. However, it has come to our attention that this might not be the best security choice for our online banking customers.

The short story is that we are changing our password policy so that our online banking customers will no longer be forced to change their passwords every 90 days. In its place, we will require that users create strong passwords of at least 12 characters going forward. The change won’t be required until your current password expires, but we recommend changing your password at your earliest convenience. The longer the password, the more secure it will be against brute-force attacks. And as always, if you suspect your password has been compromised, replace it immediately.

The long story is why we are making the change. There have been numerous studies on this subject. Below are two studies showing that requiring users to change passwords on a regular basis led to bad password habits.

Researchers at the University of North Carolina in Chapel Hill submitted the following paper on the subject.  

The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis

The researchers studied over 10,000 defunct accounts from their own network. They found that users who were required to change passwords regularly did two things that lowered their security.

  1. Users would increment their passwords, meaning they would simply change a ‘1’ to a ‘2’ or make a similar small edit, creating new passwords in predictable patterns. Such passwords are easy to guess if the old password was known to or discovered by a bad actor.
  2. Having to change passwords too often causes users to create easy-to-guess passwords.
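The incremental-change pattern described above is something a password-change form can check for on the server side. The following is an added example, not Bank Michigan’s own code: a hypothetical validator that enforces the 12-character minimum and rejects a new password that is only a bumped counter or a one-character edit of the old one (a heuristic, not a complete strength check).

```python
import re

MIN_LENGTH = 12  # the minimum length stated in the new policy


def _stem(pw: str) -> str:
    """Strip any trailing digits/punctuation, e.g. 'BlueHorse2023!' -> 'bluehorse'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def _one_edit_apart(a: str, b: str) -> bool:
    """True if b is a with at most one character substituted, inserted or deleted."""
    if a == b:
        return True
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    if len(long_) - len(short) != 1:
        return False
    # Deleting one character from the longer string must give the shorter one.
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def is_incremental_variant(old: str, new: str) -> bool:
    """Detect the 'change a 1 to a 2' habit: same stem with a different trailing
    counter, or a single-character tweak of the previous password."""
    old_stem = _stem(old)
    if old_stem and old_stem == _stem(new):
        return True
    return _one_edit_apart(old.lower(), new.lower())


def validate_new_password(old: str, new: str) -> list[str]:
    """Return a list of policy problems; an empty list means the change is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_incremental_variant(old, new):
        problems.append("too similar to the previous password (incremental change)")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in ["BlueHorse2024!", "BlueHorse2023#", "Short1!", "correct staple battery 42"]:
        print(candidate, "->", validate_new_password("BlueHorse2023!", candidate) or "ok")
```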

A similar study was conducted by Carleton University.

Quantifying the Security Advantage of Password Expiration Policies

This study states, “Many security policies force users to change passwords within fixed intervals, with the apparent justification that this improves overall security. However, the implied security benefit has never been explicitly quantified. In this note, we quantify the security advantage of a password expiration policy, finding that the optimal benefit is relatively minor at best, and questionable in light of overall costs.”

Additionally, the Federal Trade Commission’s blog also cites both of the studies above, saying that mandatory password changes aren’t as effective as setting a strong password in the first place. Changing your password every two years can help keep your passwords protected from data breaches.

Finally, while we stated at the beginning of this post that we are changing our policy so our online banking users will no longer be required to change passwords every 90 days, this does put the responsibility for regularly changing passwords onto users. Going forward, we ask that you create strong passwords and change them on your own schedule with equally strong, non-incremental passwords.
