TOMs – the new password guideline: expiring passwords no longer recommended

Password security is one of the central topics of technical and organizational measures (TOMs). Login with user name and password is still the most common method of authentication.

To reduce the risk that third parties obtain passwords in any way, users are obliged to choose strong passwords, and manufacturers and administrators are obliged to enforce secure settings. Inadequate password security can constitute a violation of Article 32 GDPR and can be punished with fines.

A currently important issue: it is no longer recommended to change passwords at regular intervals. A password change only makes sense when a compromise of the system or of the password has actually taken place or is suspected. In that case it should be done immediately, not after a fixed period has elapsed.

Here we summarize some important recommendations for password selection:

1) Choose strong passwords

  • twelve or more characters
  • the more sensitive the account, the longer the password
  • use lowercase and uppercase letters, digits and punctuation marks

2) Never use a password twice
3) Use a password safe to store passwords
4) Do not share your password and never send it unencrypted
5) Change default passwords immediately when installing devices
6) Use two-factor authentication
A second factor (e.g. a one-time code from an authenticator app or a hardware token) is provided via a separate device or communication channel, so that a stolen password alone is not enough to log in.
7) DO NOT change passwords regularly
The recommendation to change passwords at regular intervals is considered outdated. This measure does not lead to more security; it usually leads to users choosing weaker passwords or predictable variations of the old one. The password policy should therefore no longer require users to change passwords regularly. Only when a compromise is suspected should users change their passwords or be requested to do so.

Accordingly, the following points should be included in the password policy:

1) Do not force regular password changes.
2) Where appropriate, lock an account temporarily or rate-limit login attempts after several failed logins.
3) Never store passwords in plain text; store them with a modern, salted, deliberately slow password hashing method such as Argon2. Use existing, established libraries and storage formats for this rather than self-written code.
4) Password databases must be stored with particular care, with access rights limited to a few selected employees.
5) Implement two-factor authentication wherever possible. Established standards such as the Time-based One-time Password algorithm (TOTP, RFC 6238) should be used for the second factor.
6) Force a change of preset (default) passwords on first use.
7) Log failed login attempts and analyse them regularly, since they can be a sign of an attempted intrusion.
8) Do not collect third-party passwords. Online service providers may not process passwords that belong to other services. Devices that join a local Wi-Fi network, for example, must under no circumstances transmit the network credentials to the manufacturer or to third parties, neither in plain text nor in any other form.
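The policy points on hashing (3), the second factor (5), lockout (2) and logging of failed attempts (7) are easiest to judge in working code. The following is an added example written for this page, not code from the original article or from any library it names. It assumes a small in-memory user store, lockout table and audit log, and it uses hashlib.scrypt from the Python standard library as the memory-hard password hash because that runs without extra packages; the policy names Argon2, and in production Argon2id via the argon2-cffi package is the better choice. The TOTP part implements RFC 6238 on top of HOTP (RFC 4226) with HMAC-SHA1 and a one-period drift window.

```python
"""Added example (not code from the original article): login building blocks for
the password policy above. Assumptions: hashlib.scrypt stands in for Argon2 because
it is in the standard library; user store, lockout table and audit log are in-memory."""
import base64
import hashlib
import hmac
import os
import struct

# --- password storage: salted, memory-hard hash with its parameters stored alongside
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1      # about 16 MiB of memory per hash


def hash_password(password: str) -> str:
    """Return 'scrypt$N$r$p$salt$hash'; every call uses a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(digest).decode("ascii")]
    return "$".join(fields)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored next to the hash; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_b64, hash_b64 = parts
    expected = base64.b64decode(hash_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


# --- second factor: TOTP (RFC 6238) built on HOTP (RFC 4226)
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current period and `window` periods either side to tolerate clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, at + drift * step, step)
        ok |= hmac.compare_digest(candidate.encode("ascii"), code.encode("utf-8"))
    return ok


# --- lockout after repeated failures, plus an audit trail of every failed attempt
MAX_FAILURES, LOCKOUT_SECONDS = 5, 15 * 60
_failures = {}      # username -> (failed attempts, locked until; unix seconds)
AUDIT_LOG = []      # one line per failed attempt, to be shipped to log analysis
# Checked for unknown users so response time does not reveal whether an account exists.
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def login(user_db: dict, username: str, password: str, code: str, now: int) -> str:
    """Return 'ok', 'locked' or 'denied'. Both factors are always evaluated and the
    caller is never told which of them failed."""
    failures, locked_until = _failures.get(username, (0, 0))
    if now < locked_until:
        return "locked"
    record = user_db.get(username)
    pw_ok = verify_password(password, record["password"] if record else _DUMMY_HASH)
    otp_ok = record is not None and verify_totp(record["totp_secret"], code, now)
    if pw_ok and otp_ok:
        _failures.pop(username, None)
        return "ok"
    failures += 1
    lock = now + LOCKOUT_SECONDS if failures >= MAX_FAILURES else 0
    _failures[username] = (failures, lock)
    AUDIT_LOG.append(f"ts={now} event=login_failed user={username} attempts={failures}")
    return "denied"


if __name__ == "__main__":
    db = {"alice": {"password": hash_password("correct horse battery staple"),
                    "totp_secret": b"12345678901234567890"}}
    now = 59
    print(login(db, "alice", "correct horse battery staple", totp(db["alice"]["totp_secret"], now), now))
```

The hash parameters are stored next to the hash so they can be raised later and old entries rehashed on the next successful login. The TOTP secret used in the `__main__` block is the RFC 6238 test-vector secret, which lets the output be checked against the values in the RFC; a real deployment generates a random secret per user and stores it with the same care as the password database.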

Further information on password policies can be found in the following sources:

1) US NIST, SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management): https://pages.nist.gov/800-63-3/sp800-63b.html

2) UK National Cyber Security Centre, Password administration for system owners: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

3) Summary of the NIST guidelines: https://en.wikipedia.org/wiki/Password_policy#NIST_guidelines