Why do I have to update my password every 90 days?
PCI DSS "Requirements and Security Assessment Procedures" Version 3.2.1, Chapter "Detailed PCI DSS Requirements and Security Assessment Procedures", section 8.2.4, requires user passwords/passphrases to be changed at least once every 90 days.
Passwords that remain valid for a long time without being changed give an attacker more time to guess or break them (e.g. by using a dictionary attack, by using advanced decryption algorithms, by eavesdropping, etc.). Attackers who have more time to break a password can prepare a more advanced attack.
There are other important factors and risks as well. In the case of a data leak, leaked passwords or their hashes can end up in databases that are shared over the internet, so thousands of attackers can try to break them. The longer a password is valid, the greater the chance that an attacker will find it using a slow dictionary attack, or will find the right dictionary of leaked passwords from one of the services used by the user (note that a lot of people still use the same password across different systems). Attackers will also have more time to perform brute-force attacks. If passwords are changed every 90 days or less, the leaked passwords will be useless to attackers if the leaked dictionary is more than 90 days old. If periodic password changes are not enforced, the same password can be used in a few systems for years. So, if one of these systems suffers a security breach or a data leak, the leaked passwords will become available, and an attacker can use dictionaries based on them to break into other systems.
It is also important to realize that some people unknowingly (e.g. through distraction) use a password defined for system A to log in to system B. A malicious administrator of system B can log every invalid login attempt and create dictionaries that consist of wrong passwords; such dictionaries can then be shared via the internet and used to gain access to other systems. So, if you use the same password for a long time, various security risks can apply to you.
However, forcing frequent password changes might result in people creating simple passwords based on the month, the year or a number that is increased on every change. So frequent password changes can lead to weak passwords. That is true if we assume that users are unaware of basic security concepts and don't care about security. This is why we encourage you to use a free password manager (e.g. LastPass), which makes life so much easier, as you only have to remember your password for LastPass and can then easily access all of your accounts securely (even from your phone), or other generator tools (e.g. Dinopass or Norton) to create strong and unique passwords. By using such tools you reduce the risk of creating weak passwords and make it harder for attackers to break your passwords.
But what about the National Institute of Standards and Technology (NIST) guidelines?
According to NIST Special Publication 800-63B "Digital Identity Guidelines", section 5.1.1.2: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically)."
So yes, NIST has published guidelines; however, we still need to be compliant with PCI DSS.
The PCI DSS "Requirements and Security Assessment Procedures" Version 3.2.1, Chapter "Detailed PCI DSS Requirements and Security Assessment Procedures", section 8.2.3, mentions industry standards (e.g., the current version of NIST SP 800-63). However, this applies only to PCI DSS requirement 8.2.3, which covers password complexity and strength, not the password change interval.
The password change interval is defined in PCI DSS requirement 8.2.4. It requires that passwords/passphrases be changed at least once every 90 days. It is worth noting that the PCI DSS guidance for 8.2.4 makes no reference to NIST SP 800-63.
Without a clear reference to NIST SP 800-63 in PCI DSS requirement 8.2.4, there is no justification for applying the new NIST guidance to this requirement. So, the current 8.2.4 requirement is still in force.
Until the Council makes a change to the PCI DSS, we must comply with the current requirements regardless of what other standards-setting bodies state.
- Passwords still need to be changed periodically, because the NIST guidelines only apply to PCI DSS requirement 8.2.3, which describes password strength and complexity.
- The NIST guidelines don't apply to PCI DSS requirement 8.2.4, which describes periodic password changes, because there is no reference to NIST SP 800-63 in PCI DSS requirement 8.2.4.
- We are obligated to comply with PCI DSS. Until the Council makes a change to the PCI DSS, we must comply with the current requirements regardless of what other standards-setting bodies state. Therefore we still have to comply with PCI DSS requirement 8.2.4 and enforce periodic password changes.