
How Often Should We Change Our Password to Comply with ISO 27001?

August 16, 2024

In 2024, it's surprising how many companies still insist on forcing their employees to change passwords every 60 to 90 days. Some organizations, including those that are already ISO 27001 certified, even configure their systems to enforce these frequent password changes as a matter of compliance. But is this approach still necessary in today’s cybersecurity landscape?

The short answer is: not really. Let’s explore why.

The Shift Away from Frequent Password Changes

If you dive into more recent guidelines, such as the NIST (National Institute of Standards and Technology) Publication on Digital Identity or the PCI-DSS v4.0.1 (Payment Card Industry Data Security Standard), you'll notice a shift in focus. These newer standards emphasize that the length and strength of a password are far more important than how often it is changed. In fact, frequent password changes can lead to weaker security because users tend to resort to predictable patterns, like adding numbers or symbols in a sequence.

For instance, PCI-DSS 4.0.1 recommends regular password changes only if passwords are the sole factor used for authentication. If you’re using Multi-Factor Authentication (MFA)—which we highly recommend at FEHA—the need for frequent password changes diminishes significantly.

The Risk-Based Approach in ISO 27001

ISO 27001 also doesn’t prescribe a specific schedule for changing passwords. Instead, it encourages organizations to take a risk-based approach when developing their password policies. This means companies should evaluate the security risks unique to their business and adjust their password policies accordingly.

FEHA’s Approach to Modern Password Management

At FEHA, we advocate for a more modern, practical approach to password management that aligns with the latest security standards.

Here’s what we recommend:

  • Longer Passwords, Not More Frequent Changes
    Instead of asking employees to change passwords every few months, focus on using longer, more complex passwords. At FEHA, we set our internal password requirements to a minimum of 16 characters—this exceeds the standard 12 characters required by PCI-DSS 4.0.1. The longer the password, the harder it is to crack.
  • Unique Passwords for Every Account
    Password reuse is a common problem that weakens security across the board. Using a password manager ensures that every account has a unique password, which significantly reduces the chances of multiple accounts being compromised if one password is breached. We use Heylogin as our go-to password manager because it makes password management simple and secure. If you’re interested in learning more or getting a demo of Heylogin, don’t hesitate to reach out to us.
  • Multi-Factor Authentication (MFA)
    MFA is one of the most effective ways to protect your systems, even if passwords are compromised. We recommend that all organizations enforce MFA on any system that supports it. This adds an extra layer of security and greatly reduces the risks associated with password-based authentication. Avoid SMS-based MFA in favour of application-based MFA. In fact, Heylogin can also be used for MFA.
  • Change Passwords Based on Risk, Not a Calendar
    You don’t need to change passwords every 60 or 90 days. If you feel more comfortable having a set timeline, 365 days is enough, provided you are using strong passwords and MFA. What’s more important is that you change passwords when there’s an indication of a security breach. This can be automated by linking your identity provider with a database of compromised credentials, which can alert you if any of your passwords are exposed in a breach.
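As an added example (not from the original post, and not FEHA's or Heylogin's code), the Python below combines the first and last recommendations: it enforces the 16-character minimum and replaces calendar-based rotation with a "reset on evidence of exposure" check. The password is hashed locally and only a 5-character SHA-1 prefix is sent to a breached-credential range lookup (the k-anonymity scheme used by services such as Have I Been Pwned); the full hash is matched client-side. The breached passwords and counts are constructed for the example and the lookup is simulated in-process, so it runs offline.

```python
import hashlib

# Constructed sample standing in for a compromised-credential database
# (in production this would be a real range API, never a local list).
BREACHED_SAMPLE = {"password123": 1000000, "Winter2024!": 4200,
                   "correct horse battery staple": 980}
MIN_LENGTH = 16  # FEHA's internal minimum from the post


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: dict) -> dict:
    """Index breached hashes by their first 5 hex chars, as a range service does."""
    index = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACHED_SAMPLE)


def range_lookup(prefix: str) -> list:
    """Simulated k-anonymity query: the server only ever sees a 5-char prefix."""
    assert len(prefix) == 5
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how often the password appears in breach data (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):  # the full hash is only compared client-side
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, lookup=range_lookup) -> dict:
    """Risk-based policy: reject weak or exposed passwords, not old ones."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password, lookup)
    if seen:
        reasons.append(f"seen in {seen} breached records; force a reset")
    return {"ok": not reasons, "reasons": reasons}
```

Wiring the same lookup to an identity provider's password-change hook, or running it against a credential feed on a schedule, gives the breach-triggered reset the post describes without any fixed rotation interval.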

How FEHA Can Help You Modernize Your Password Controls

At FEHA, we understand the importance of balancing security with usability. We help organizations adopt modern, secure password management practices that go beyond outdated policies. By leveraging tools like Heylogin, we make it easy for businesses, especially startups and SMBs, to ensure that passwords are secure, unique, and managed effectively. This way, your employees won’t need to remember dozens of passwords, and your organization can stay compliant with ISO 27001 and other security standards without relying on outdated practices like frequent password changes.

Final Thoughts

To comply with ISO 27001, the focus should be on the strength and uniqueness of passwords, not on how often they are changed. A risk-based approach, combined with modern tools like password managers and MFA, offers a much more effective way to secure your organization’s digital assets.

So, the next time someone tells you that ISO 27001 requires regular password changes, you’ll know that’s not the full picture. It’s about using the right tools and strategies to protect your organization in today’s evolving threat landscape. And if you need help with that, you know where to find us.
