While training for my User Experience certification, I learned a valuable lesson about passwords.

In Salesforce, the default setting for “User passwords expire in” is 90 days. That means every 90 days, users need to think of a new password.

However, people aren’t good at creating passwords. Most reuse the same password across multiple websites and applications.

So let’s say your first password is “HappyBirthday1”. After 90 days, you may change it to “HappyBirthday2”, then “HappyBirthday3”, etc.

Does this really make things more secure?

Here’s what UX training taught as a better approach:

  1. Make the password as complex as possible (must include numbers, upper and lower case, and special characters)
  2. Ensure the password length is at least 10 characters (but 12 or 14 is better)
  3. Don’t force users to ever change their password (or perhaps only every year)

This combination requires more initial forethought, but it’ll be more secure in the long run.
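To make the three points above concrete, here is an added example (not code from the original post, and not Salesforce’s own password policy logic) that checks a candidate password against the recommended policy and also flags the “HappyBirthday1” to “HappyBirthday2” pattern that forced 90-day rotation tends to produce. The minimum length of 12 and the constructed rotation history are assumptions chosen for the demonstration.

```python
from __future__ import annotations

import re

# Minimum length chosen from the post's recommendation (10 at least, 12 or 14 better).
MIN_LENGTH = 12


def missing_character_classes(password: str) -> list[str]:
    """Names of the required character classes that the password lacks."""
    present = {
        "digit": any(c.isdigit() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    return [name for name, ok in present.items() if not ok]


# Splits a password into everything before a trailing run of digits, and the digits.
_SPLIT_TRAILING_DIGITS = re.compile(r"^(.*?)(\d*)$")


def strip_counter(password: str) -> str:
    """'HappyBirthday3' -> 'HappyBirthday': drop a trailing run of digits."""
    return _SPLIT_TRAILING_DIGITS.match(password).group(1)


def is_trivial_rotation(previous: str, candidate: str) -> bool:
    """True when the candidate is the previous password with only its trailing
    number changed (or is identical apart from case), which is exactly the
    HappyBirthday1 -> HappyBirthday2 pattern that forced expiry invites."""
    return strip_counter(previous).casefold() == strip_counter(candidate).casefold()


def review_change(previous: str | None, candidate: str,
                  min_length: int = MIN_LENGTH) -> list[str]:
    """Reasons to reject the candidate; an empty list means it passes the policy."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    problems += [f"missing {cls} character" for cls in missing_character_classes(candidate)]
    if previous is not None and is_trivial_rotation(previous, candidate):
        problems.append("same as the previous password apart from a trailing number")
    return problems


def simulate_rotations(history: list[str],
                       min_length: int = MIN_LENGTH) -> list[tuple[str, list[str]]]:
    """Run each password in a rotation history through review_change against
    the password that came before it."""
    results = []
    previous = None
    for pw in history:
        results.append((pw, review_change(previous, pw, min_length)))
        previous = pw
    return results


if __name__ == "__main__":
    # Constructed rotation history mirroring the post's example; not real credentials.
    history = ["HappyBirthday1", "HappyBirthday2", "HappyBirthday3", "Cake&Candles-2024!"]
    for pw, problems in simulate_rotations(history):
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{pw!r:24} {verdict}")
```

The first three entries in the constructed history are rejected twice over: they lack a special character, and each one differs from its predecessor only by the counter at the end. The last entry passes on length and character classes and shares no stem with the previous password. The suffix check deliberately only catches the incremented-number pattern the post describes; a user who appends a different character each time would need a broader similarity check.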

The takeaway
It’s more secure to force people to create a long and complex password and never force them to change it rather than a simple and easy password that needs to be changed every 90 days.
