We try hard to protect passwords: making them longer, requiring complex syntax and special characters. These measures do make passwords stronger, but they are usually paired with a requirement to change the password every 90 days, and the odd thing is that this rotation brings no obvious benefit.
Attackers, however, generally use one of four basic methods to get your password:
(1) Simply asking: the so-called "phishing" and "social engineering" attacks are still in use and remain effective (today this would likely take the form of a "human flesh search", i.e. crowdsourced doxxing).
(2) Trying common words at the login prompt, hoping to get lucky.
(3) Obtaining the encrypted password or password hash and then cracking it.
(4) Using a keylogger or other malware to capture the password as you type it on your computer.
In none of these four cases does changing the password every 90 days help. If an attacker cannot crack the hash (3) within a few days, he is likely to look for an easier target. Guessing (2) is likewise a fast-paced game: attackers usually try only the first few hundred words and, if that fails, immediately turn to easier prey. If attack (2) or (3) succeeds, or the attacker learns the password through the simpler (1) or (4), it takes on average only 45 days for your bank account to be emptied or your email account to be turned into a source of spam.
In the past 25 years or so, the concept of password expiration has not changed. The requirements of information security staff, auditors, PCI, ISO 27002 and COBIT remain the same, but the threats have changed a great deal. Typically, a user with a weak password can only come up with another weak password, and forcing a user who already has a strong password to change it will eventually annoy him into picking a simple one.
So what is the point of the 90-day password change cycle? There is one practical benefit: if someone has your password and all they want is to quietly read your email, changing the password stops them from doing so permanently. Regular password changes do not defend against attackers who actively want to steal your secrets, but they do shake off quiet snoopers and spies. That much is true. But is this benefit worth forcing users to change their passwords every 90 days? The answer is yes. Preventing security risks is the true meaning of security.