While regularly changing passwords was once considered the gold standard, the BSI now advises against it. Instead, the new focus is: quality over frequency.
What does this mean in concrete terms for companies? What should password policies look like today – and where is more than just a password required? We provide the answers.
BSI Changes Course: No More Blanket Password Changes
For some time now, the BSI has no longer recommended regular password changes – yet many corporate policies are still not up to date.
"A password MUST be changed if it has become known to unauthorized persons or if there is reason to suspect so."
(Source: BSI IT-Grundschutz Compendium, as of 2023)
A regular preventive password change can do more harm than good. Why?
- It leads to predictable patterns (e.g., "Winter2024", "Password5").
- It increases the risk of password reuse.
- It causes unnecessary workload for IT support.
The recommendation today: Use strong passwords – and change them only when truly necessary.
Request a non-binding consultation!
Do you have questions or want to find the best solution for your company? Our experts are here to support you.
What makes a good password?
That depends on the level of protection required. ISO/IEC 27001 recommends a risk assessment for each application. Example:
- Critical systems with high confidentiality (e.g., customer databases): long, complex passwords + two-factor authentication
- Systems with high availability requirements (e.g., medical devices in emergency rooms): pragmatic solution with additional protective measures
Companies should design complexity rules to be flexible and risk-based – rather than relying on rigid general requirements.
How to Design a Modern Password Policy
A modern password policy should meet the following requirements – based on the current recommendations of the BSI:
- A password must not be reused.
- Passwords must be kept confidential and entered without being observed.
- Do not store passwords on keyboard or mouse function keys.
- Passwords should only be written down in exceptional cases and must be securely stored.
- The use of password managers is recommended.
In addition, awareness measures should be established among employees to help identify phishing attacks at an early stage.
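The following Python script is an added illustration of the policy points above (predictable rotation patterns, no reuse, quality over frequency) and is not code from the BSI, ISO or MTRIX. Instead of enforcing a calendar-based change, it rejects a new password when it follows a dictionary-stem-plus-counter pattern such as "Winter2024" or "Password5", when it matches a salted hash in the user's password history, or when a change only bumps the trailing counter of the old password. The stem list, the minimum length and the history depth are assumptions chosen for the example.

```python
"""Risk-based password acceptance check (illustrative, not an official BSI tool).

Checks a candidate password against:
  * a minimum length (assumed 12; raise it per system according to risk),
  * rotation patterns: dictionary stem + counter/year suffix ("Winter2024"),
  * reuse: salted PBKDF2 hashes of earlier passwords (assumed depth 5),
  * near-reuse at change time: same stem as the old password ("Password4" -> "Password5").
"""
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Constructed stems that typically appear in forced-rotation passwords.
WEAK_STEMS = ("password", "passwort", "winter", "summer", "spring", "autumn",
              "fall", "welcome", "qwerty", "admin")
MIN_LENGTH = 12  # assumption; a risk assessment may require more

# stem, optional counter or year, optional single trailing punctuation
_PATTERN_RE = re.compile(r"^(?P<stem>[a-z]+)(?P<suffix>[0-9]{1,4})?[!?.]?$", re.I)


def predictable_pattern(password: str) -> Optional[str]:
    """Return a reason if the password looks like a rotated dictionary word."""
    m = _PATTERN_RE.match(password)
    if not m:
        return None
    stem = m.group("stem").lower()
    if stem in WEAK_STEMS:
        return f"dictionary stem '{stem}' with counter/year suffix"
    return None


def _stem(password: str) -> str:
    """Strip trailing digits/punctuation so 'Password4' and 'Password5' compare equal."""
    return re.sub(r"[0-9!?.]+$", "", password).lower()


def too_similar(old: str, new: str) -> bool:
    """At change time both values are available; reject a change that only
    increments the trailing counter or year."""
    return _stem(old) == _stem(new)


class PasswordHistory:
    """Keeps salted PBKDF2 hashes of previous passwords so reuse can be
    detected without ever storing the passwords themselves."""

    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self._entries: List[Tuple[bytes, bytes]] = []  # (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def was_used(self, password: str) -> bool:
        # constant-time comparison against every retained entry
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._digest(password, salt)))
        self._entries = self._entries[-self.depth:]  # keep only the last `depth`


def check_password(password: str, history: PasswordHistory,
                   old_password: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    reason = predictable_pattern(password)
    if reason:
        problems.append(reason)
    if history.was_used(password):
        problems.append("reuse of a previous password")
    if old_password is not None and too_similar(old_password, password):
        problems.append("differs from the old password only by a counter/year")
    return problems


if __name__ == "__main__":
    h = PasswordHistory()
    h.record("correct horse battery staple")          # constructed earlier password
    for candidate, old in [("Winter2024", None), ("Password5", "Password4"),
                           ("correct horse battery staple", None),
                           ("tulip-harbour-quartz-44", None)]:
        print(f"{candidate!r}: {check_password(candidate, h, old) or 'accepted'}")
```

The check runs only when a password is set or changed, which is the point of the BSI position: spend the effort on rejecting weak and reused secrets, not on forcing periodic changes that push users toward the very patterns the regex above catches.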
Password Alone Is Not Enough: MFA as the New Standard
Especially for sensitive applications, a password should never be the only security factor. Multi-factor authentication (MFA) is indispensable today.
Effective second factors include:
- FIDO hardware tokens
- Biometrics (e.g., fingerprint, facial recognition)
- App-based authentication (e.g., OTP, push confirmation)
- Smartcards with PIN
Standards such as TISAX or ISO 27001 explicitly require MFA for sensitive data.
Suspicious Activity? Respond – Don’t Rotate
If a password has been compromised, or there is reason to suspect that it has been, it must be changed immediately. Typical signs of a compromised password or a security incident include, for example:
- Unusual login attempts or unfamiliar IP addresses
- Phishing emails containing real personal data
- Device infection by malware
A good Information Security Management System (ISMS) ensures that such incidents are detected and that measures can be initiated automatically.
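As an added example of the "respond, don't rotate" approach, the following Python script runs two of the detections listed above over constructed authentication log lines: a successful login from an IP address the user has not used before, and a burst of failed attempts followed by a success. It is not code from the BSI or MTRIX; the log line format, the per-user list of known addresses, the threshold of five failures and the ten-minute window are all assumptions. A real ISMS would feed such alerts into its incident process and trigger the password change from there.

```python
"""Detect signs of a compromised password in auth logs (illustrative only).

Alerts on:
  * a successful login from an IP address not in the user's known set,
  * FAIL_THRESHOLD failed attempts for one user inside WINDOW,
  * a success that immediately follows recent failures (guessed or stuffed password).
Log format and sample data are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Set

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) ip=(?P<ip>\S+)$")

FAIL_THRESHOLD = 5            # assumption
WINDOW = timedelta(minutes=10)  # assumption

# Constructed sample log: bob is brute-forced from 198.51.100.7 and then
# logged into; alice later logs in from an address she has never used.
SAMPLE_LOG = """
2025-03-04T08:00:00Z user=alice result=success ip=203.0.113.10
2025-03-04T08:01:00Z user=bob result=failure ip=198.51.100.7
2025-03-04T08:02:00Z user=bob result=failure ip=198.51.100.7
2025-03-04T08:03:00Z user=bob result=failure ip=198.51.100.7
2025-03-04T08:04:00Z user=bob result=failure ip=198.51.100.7
2025-03-04T08:05:00Z user=bob result=failure ip=198.51.100.7
2025-03-04T08:06:00Z user=bob result=success ip=198.51.100.7
2025-03-04T08:30:00Z user=alice result=success ip=192.0.2.44
"""

# Constructed baseline of addresses each user normally logs in from.
KNOWN_IPS: Dict[str, Set[str]] = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}


def parse(lines: Iterable[str]):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield {"ts": ts, "user": m.group("user"),
               "result": m.group("result"), "ip": m.group("ip")}


def analyse(lines: Iterable[str], known_ips: Dict[str, Set[str]]) -> List[str]:
    """Return alert strings in the order the triggering events were seen."""
    alerts: List[str] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    minutes = int(WINDOW.total_seconds() // 60)
    for ev in parse(lines):
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        q = recent_failures[user]
        while q and ts - q[0] > WINDOW:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:
                alerts.append(f"{user}: {FAIL_THRESHOLD} failed logins within {minutes} minutes")
            continue
        # successful login
        if ip not in known_ips.get(user, set()):
            alerts.append(f"{user}: successful login from unfamiliar IP {ip}")
        if q:
            alerts.append(f"{user}: success after {len(q)} recent failures "
                          "(possible guessed or stuffed password)")
        q.clear()
        # The known-IP baseline is deliberately NOT updated here: a new address
        # becomes "known" only after the incident process has confirmed it.
    return alerts


def run_sample() -> List[str]:
    """Analyse the constructed sample log against a copy of the baseline."""
    baseline = {u: set(ips) for u, ips in KNOWN_IPS.items()}
    return analyse(SAMPLE_LOG.strip().splitlines(), baseline)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Each alert here corresponds to the "change the password now" trigger in the BSI text rather than to a calendar date: the response is tied to evidence of compromise, and the baseline of known addresses is only extended once the incident has been reviewed.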
Conclusion: Password Security in 2025
The BSI has adjusted its strategy – and companies should do the same.
The requirements for password security have not been reduced; they have become more differentiated and practical:
- Away from blind password changes
- Towards strong, individual passwords with complementary multi-factor authentication
- Monitoring, awareness, and tailored security measures depending on the use case
MTRIX supports you on your journey toward a modern authentication strategy – from analysis and selection to implementation and long-term support.
We also handle the secure, preconfigured distribution of hardware tokens to employees and partners on your behalf.