Many companies adhere to the IT policy of changing passwords regularly – usually every 90 days. What was once seen as a protective measure is now turning out to be a security risk.
Illusion of security through mandatory changes
The intention behind regular password changes was understandable: frequent changes were supposed to deny attackers any chance. In practice, however, the opposite has been shown:
- Users develop predictable patterns: “Summer2023!” becomes “Summer2024!”
- Complex requirements lead to creative but weak workarounds
- Passwords are written down on pieces of paper or stored in insecure files
- Actual protection decreases, frustration increases
An FTC study and the NIST recommendations (NIST Special Publication 800-63B) clearly show that changing passwords regularly without a specific reason adds little value – and can even weaken IT security.
What modern IT security recommends today
International security experts and institutions such as the German Federal Office for Information Security (BSI) recommend a paradigm shift:
No rigid change intervals
→ Change a password only when a compromise is suspected
No forced special character combinations
→ Focus on long, easy-to-remember passphrases
Example: RedDogWithGumboots
Use of modern security measures:
- Password manager for secure storage and management
- Two-factor authentication (2FA) for additional security
- Block known leaked passwords (e.g. “1234”)
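The two approaches side by side, as an added example that is not part of the original article: a legacy composition policy that forces character classes, and a NIST SP 800-63B-style check that instead enforces length, a leaked-password blocklist and a ban on predictable or context-specific values. The breached-password set, the 12-character minimum and the company name “AcmeCorp” are constructed assumptions for the demo.

```python
import hashlib
import re

# Constructed stand-in for a real leaked-password list (kept as SHA-1 hashes,
# as such lists usually are); a real deployment loads millions of entries.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("1234", "password", "qwerty123", "Summer2023!", "Summer2024!")
}
MIN_LENGTH = 12  # assumed value; NIST SP 800-63B requires at least 8 characters


def legacy_policy(pw):
    """Old composition rules: 8+ chars with upper, lower, digit and special."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def modern_policy(pw, context_words=()):
    """NIST SP 800-63B style: length plus blocklist checks, no forced mix of
    character classes and no expiry. Returns (accepted, reasons_for_rejection)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        reasons.append("known leaked password")
    if re.fullmatch(r"(.)\1+", pw):
        reasons.append("repeated single character")
    if pw.lower() in "0123456789" or pw.lower() in "abcdefghijklmnopqrstuvwxyz":
        reasons.append("sequential characters")
    if re.search(r"(spring|summer|autumn|fall|winter)\d{2,4}", pw, re.I):
        reasons.append("predictable season+year pattern")
    for word in context_words:  # e.g. user name or company name
        if word.lower() in pw.lower():
            reasons.append(f"contains context word '{word}'")
    return (not reasons, reasons)


def compare(pw, context_words=()):
    """Show how the same password fares under both policies."""
    ok, why = modern_policy(pw, context_words)
    return {"password": pw, "legacy": legacy_policy(pw), "modern": ok, "reasons": why}


if __name__ == "__main__":
    for pw in ("Summer2024!", "RedDogWithGumboots", "1234", "AcmeCorp2024!"):
        print(compare(pw, context_words=("AcmeCorp",)))
```

“Summer2024!” satisfies every legacy rule yet is rejected three times over by the modern check, while the passphrase from the article fails the legacy rule and passes the modern one.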
Password manager: a tool for real security
Instead of relying on human memory, leading companies today rely on password managers. They offer:
- Automatic generation of strong, unique passwords
- Encrypted storage and protection against phishing
- Synchronization across all devices
- Support for 2FA and security alerts in the event of data leaks
- Optionally, hardware 2FA keys in the form of USB sticks with fingerprint scanners
Conclusion:
The combination of password manager and 2FA offers more protection than any outdated policy. It not only strengthens IT security, but also user-friendliness – and reduces human error.
In the context of modern brand management, this means that companies that rely on outdated security practices not only risk data breaches, but also a loss of trust. Anyone who takes innovation and leadership seriously will question existing processes – even in day-to-day IT operations.
After all, digital security is not just technology – it is part of a holistic communication strategy.
Companies looking for a good password manager should primarily make sure that it supports sub-accounts. This allows the IT department to create (or deactivate) a sub-account for personal passwords for each employee and at the same time share passwords across teams.
Possible password managers for teams:
LastPass
1Password
NordPass
Sticky Password
Bitwarden
It is important to mention at this point that security problems regularly come to light with one password manager or another. The list is therefore only an initial indication, and each company must carry out its own research.
Saving tip:
For very small teams, there is also the option of using either a cloud-based password manager or a locally installed one such as KeePassXC. With the latter, each user installs the software on their own computer and everyone opens the same password database file, which is stored centrally on a company server (or a cloud server – fully encrypted, of course). Although this approach is quick and usually free of charge, there is a risk that changes to the file (new or changed passwords) do not reach all team members at the same time: you would actually have to close and reopen the file, or reload it from the server, every time, since you never know whether changes have been made in the meantime.
Every team/company must ask itself whether around 5 to 8 euros per user per month is an acceptable price for data security and usability!
