Breaking Down the FinCEN Money Laundering Rule: When Do you Have to Report a Transaction

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking that would require certain people involved in real estate closings and settlements to report information to the agency about all-cash residential transactions nationwide involving legal entities and trusts. You can read a summary of the proposed rule's requirements here.

ALTA will break down various parts of the proposal to help title and settlement professionals understand the impact it will have on their operation.

Here’s a look at when a transaction must be reported to FinCEN:

All-cash Transactions Must Be Reported
  • Exceptions: The proposed rule does not require residential real estate transfers to be reported if the transfer involves
    1. an extension of credit to the transferee that is secured by the transferred residential real property and is extended by a financial institution (this includes most banks, credit unions and mortgage bankers) that has both an obligation to maintain an AML program and an obligation to report suspicious transactions under this chapter
    2. a grant, transfer, or revocation of an easement
    3. a transfer resulting from the death of an owner of residential real property
    4. a transfer incident to divorce or dissolution of a marriage
    5. a transfer to a bankruptcy estate
    6. a transfer that does not involve a reporting person.
Sale of Residential Property or Unit in a Cooperative
  • Real property designed for 1-4 family occupancy
  • Vacant or unimproved land zoned (or permitted) for construction for 1-4 family occupancy
  • Shares in a cooperative housing corporation
Transaction Must Be Reported If the Buyer Is:
  • A legal entity
  • A trust
Transaction Must Be Reported If the Buyer Is Not a:
  • Issuer of a class of securities under SEC Act
  • State, local, federal, tribal government authority, agency or instrumentality
  • Bank, credit union or depository holding company
  • Money services business that is registered with FinCEN
  • Securities broker dealers registered with the SEC
  • Securities exchange or clearing agency
  • Any other entity registered under the SEC Act
  • Investment company as defined under the Investment Company and Advisors Acts
  • Insurance company (insurer) supervised by a state insurance department
  • State licensed insurance producer (agent)
  • A public utility that provides telecommunication, electrical power, natural gas or water or sewer service
  • A futures commission merchant, introducing broker, swap dealer, major swap participant, commodity pool operator, or commodity trading advisor registered under the Commodity Exchange Act, or an entity registered with the CFTC
  • Financial market utility overseen by the Financial Stability Oversight Council
  • A legal entity that is a wholly owned subsidiary of, or directly controlled by, one of the above.

FinCEN said these entities would be exempt because they already have sufficient anti-money laundering and countering the financing of terrorism compliance obligations, and are already subject to more government supervision or have disclosure requirements.

Transactions That Don’t Need to Be Reported
  • Grant, revocation, transfer or movement of an easement
  • Transfer resulting from probate or death of the owner
  • Transfer incident to divorce
  • Transfer to a bankruptcy estate
  • Transfer where there is no reporting person

Fresh Phish: Microsoft OneDrive Document



Treasury Issues Proposed Real Estate Money Laundering Rule

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking that would require certain people involved in real estate closings and settlements to report information to the agency about all-cash residential transactions nationwide involving legal entities and trusts.

There is a 60-day comment period. The rule was published in the Federal Register on Feb. 16, which means comments will be due by April 16. FinCEN has proposed that the rule go into effect one year after the final rule is issued.

For over seven years, ALTA members have engaged productively to assist FinCEN in identifying money laundering schemes through targeted data collection and reporting efforts under Geographic Targeting Orders, which have been renewed and expanded since initially issued in 2016.

“We are still reviewing the proposed rule and will work to ensure that FinCEN considers the information they are collecting under the new Beneficial Ownership rule, among other things, so as not to be unnecessarily duplicative and also provide clarity regarding the obligations of all real estate parties under the rule,” said Diane Tomb, ALTA’s chief executive officer. “We also appreciate, and intend to continue, the ongoing dialogue with FinCEN to craft a tailored approach limiting the transactions that must be reported to those of the greatest concern and providing avenues to help reduce the compliance burden on title and settlement companies.”

ALTA appreciates that FinCEN has publicly acknowledged the important contributions made by, and cooperation of, title insurance companies and ALTA in its efforts to protect real estate markets from abuse by illicit actors.

The proposed rule expands on the GTOs, which require title insurance companies to file reports identifying the beneficial owners of LLCs in all-cash real-estate transactions above certain monetary thresholds in select areas in the U.S.

  • Unlike the GTOs, reporting under the proposal is not limited geographically.
  • There is no dollar threshold.
  • Under the rule, the person conducting the settlement will have to file a limited purpose suspicious activity report within 30 days of settlement.
  • FinCEN indicated it will develop a specific real estate report form for electronic filing. This will hopefully address many of the issues the industry experienced with the GTO reporting.

According to the rule, the “reporting person” is the person conducting the settlement/closing or the person who prepares the settlement statement. Reporting can’t be avoided if the buyer chooses not to purchase title insurance. (This was a concern under the GTOs.)

What Must Be Reported?

There is more information that must be reported under the proposal than under the GTO. According to the proposed rule, the reporting person must provide:

  • their information (name, category of reporting person and address).
  • name, address and taxpayer identification number (TIN) for the transferee and transferor.
  • beneficial owner information for the transferee and anyone signing the transfer documents (names, date of birth, addresses and TINs for those individuals).
  • name, DOB, address and TIN for all transferors on title or the beneficial owners if the seller is an entity.
  • address and legal description for the property.
  • information about the payments made by or on behalf of the transferee (this includes amount of each payment, the payor, the payment method and the name of the financial institution where the payment was drawn from).
  • information about any hard money or other lender not subject to anti-money laundering rules that was involved in the deal.

A provision in the rule allows the reporting person to rely on information about beneficial ownership provided by the transferee if the transferee certifies the accuracy of the information. This will require the reporting person to obtain a beneficial ownership affidavit in every transaction involving a legal entity unless FinCEN provides the industry access to BOI data.

Training Costs

In the notice of proposed rulemaking, FinCEN estimated the rule will require approximately 800,000-850,000 filings annually. All-cash transactions accounted for 28% of all transactions in 2023, according to the National Association of Realtors.

FinCEN estimates it will cost approximately between $267.3 million and $476.2 million the first year and between approximately $245.0 million and $453.9 million annually in subsequent years.

FinCEN estimates it will take 75 minutes for initial training on the rule, with an additional 30 minutes for annual refresher training. Based on this, it’s projected that initial year training costs will be about $44.3 million and range from $20.2 million to $27.3 million in following years.

Reporting Costs

Based on the range of expected reportable transactions and the wages associated with different persons in the potential reporting cascade, FinCEN anticipates that the proposed rule’s reporting costs may be between approximately $158.2 million and $314.2 million. Depending on the type of company, the cost to file a report could range from $193 to $244.

Based on feedback from companies that must comply with the GTOs, FinCEN estimates it will take on average:

  • 30 minutes per transaction to decide if it’s a reportable deal.
  • 45 minutes per transaction to collect information.
  • Two hours to complete the report.
  • 30 minutes to review and file.

Notably, FinCEN’s analysis assumes there will be no expected technology costs because companies will be able to rely on existing technology.

ALTA Advocacy

In 2022, ALTA submitted a letter recommending FinCEN develop tailored and specific transaction reporting requirements for the all-cash real estate transactions involving corporate entities, instead of imposing a traditional anti-money laundering regime like those imposed on banks. ALTA also said FinCEN should finalize regulations for the development of a beneficial ownership database required under the Corporate Transparency Act (CTA) before taking further actions that would add additional burdens to the title insurance industry.


Multilingual Marketing Materials Available to ALTA Members

No matter what language a homebuyer speaks, information is key to a real estate transaction. To help you better communicate with all of your customers, ALTA’s most popular consumer marketing materials have been translated into multiple languages.

So far, seven flyers, rack cards and blogs have been translated, and four more are in process. Languages covered include:

  • Arabic
  • Chinese (Cantonese and Mandarin)
  • French
  • German
  • Haitian (Creole)
  • Hindi (Urdu)
  • Japanese
  • Korean
  • Portuguese
  • Russian
  • Spanish
  • Vietnamese 

Courtesy of the Homebuyer Outreach Program (HOP), the multilingual suite of marketing materials is available only to ALTA members. Like their English counterparts, the translated files can be branded with an ALTA member’s logo and downloaded to print or shared digitally.

Click here to access the content.


Survey: Title Companies Report Increase in Cyberattacks But Mitigation Efforts Help

More than 90% of title insurance companies reported the volume of cybercrime attempts increased or remained the same over the past year, according to a Cybercrime & Wire Fraud Study sponsored by the ALTA Land Title Institute.

Over half of the 470 title professionals surveyed reported an increase in cybercrime attempts from 2021 to 2022, while another 40% reported similar volume of attacks. This is up from 86% that reported an increase or comparable level of incidents from 2020 to 2021.

“Fraud attempts are increasing compared to a year ago, meaning title and settlement companies must be even more vigilant,” said Diane Tomb, ALTA’s chief executive officer. “In response to the increased attacks, more companies have mitigation efforts in place, so while there is still significant concern about the issue, companies are better equipped to protect their businesses and customers.”

Companies with higher transaction volume were targeted with more frequency. According to the survey, 73% of companies with over 250 closings monthly experienced an increase in cybercrime compared to 61% of those with 76 to 250 closings and 38% with 75 closings or less.

While fraud attempts remain elevated, mitigation efforts are helping and more companies are reporting the ability to recover diverted funds. In 2022, 26% of companies reported that they were able to recover the total amount of funds incorrectly transferred due to fraud, compared to only 17% in 2021. Additionally, two thirds of companies reported recovering more than half of the stolen funds.

When losses occurred in 2022, a company’s insurance provider typically did not cover them. Of the businesses that experienced losses, 54% reported their insurance policy did not cover any of the amount, 10% reported that some of the losses were paid, and 5% said most losses were paid. Only 7% indicated the total amount was covered.

Most companies reported that average consumer losses were $100,000 or less, including 14% that reported losses under $1,000, 22% with $1,000 to $25,000, and 24% with $26,000 to $100,000. Two-thirds of companies reported that customers who transferred funds to the wrong account due to fraud were assisted by financial institutions to recover the funds, followed by insurers (23%) and the FBI (22%).

“It’s important that all fraud attempts get reported to authorities, however, cybercrime in the land title industry is underreported,” Tomb said. “While nearly 60% of companies report successful wire fraud attempts to the FBI via the Internet Crime Complaint Center, only a third notify the bureau about attempted fraud.”

Efforts to Reduce Fraud

Compared to last year, there has been a significant increase in the share of companies that conduct mitigation efforts. In 2023, the survey showed that 86% of companies reported engaging in mitigation activities and services, compared to 63% in 2022. Two thirds of the companies surveyed reported spending up to $25,000 annually on mitigation efforts.

The survey showed nearly all companies inform customers about the risks of cybercrime targeting real estate transactions. The most common methods include standard warnings on email (85%), oral or telephone warnings (67%), written information mailed to consumers (41%) and specific warnings on the company websites (41%). Companies also often remind customers about cybercrime risks throughout the transaction process. According to the survey, 64% of companies communicated with customers frequently using written reminders, 31% provided warnings or education at the beginning of the transaction process and 30% did so at the time of closing.

“Title insurance companies protect their business and customers by conducting a range of mitigation efforts, including customer and real estate agent training, simulated phishing testing of employees and wire/payee verification software,” Tomb said. “Additionally, companies use ALTA resources, such as the Rapid Response Plan & Outgoing Wire Prep Checklist to protect against fraud. These mitigation efforts help to ease concern of future fraud. While cybercrime remains a major issue, the share of companies concerned that it would impact business over the next 12 to 18 months declined from a year ago.”


New Jersey Passes New Data Privacy Law

New Jersey recently became the 14th state to pass or enact comprehensive data privacy legislation.

N.J. Gov. Phil Murphy on Jan. 16 signed S332/A1971, which requires certain entities, including internet websites and online providers, to notify consumers of the collection and disclosure of personal data. Under the legislation, these entities are required to notify customers of the collection and disclosure of personal information to third parties and to provide customers with the ability to opt out of that collection or disclosure.

The law will go into effect Jan. 15, 2025.

The legislation contains an exemption for personal data subject to the Gramm-Leach-Bliley Act (GLBA), along with an exemption for publicly available information. ALTA has held that any comprehensive data privacy legislation should include an exemption for entities subject to the GLBA. Since 1999, this federal law has strictly limited financial institutions’ use and sharing of customers’ personal information. 

The legislation also entitles consumers to know what data is held by the operator, so they have the ability to correct or delete incorrect information. The operator also must limit the collection of personal data to what is adequate, relevant, and reasonably necessary to their business and they must specify the express purposes for which personal data are processed.

Other states to pass data privacy legislation include California, Oregon, Montana, Utah, Colorado, Texas, Iowa, Indiana, Tennessee, Virginia, Florida, Delaware and Connecticut.


How to Renew Your ALTA Membership or Policy Forms License

Here are steps to help guide you through the process of renewing your ALTA membership or Policy Forms License. 

How to Renew Membership After Feb. 1

To renew your ALTA membership after Feb. 1, you will need to sign into the ALTA site and go to Become a Member (alta.org). This can be found by hovering your mouse over Membership in the top menu bar and selecting the Become a Member link.

Once the Become a Member link has been selected, select Purchase for the Company/Agency/Firm.

Answer the following questions to qualify for the appropriate membership dues.

After answering the questions, you will find the membership listed as a product; select Add to Cart and then click the Review & Checkout button.

Upon completing checkout, you will have successfully renewed the yearly membership.

Membership Renewal
  • Primary or Secondary contacts have the admin privileges to renew online. To do so, log into the ALTA site. If you don’t have your login information, please click here to retrieve it.
  • If you are a primary or secondary contact your profile screen will load into the ALTA site and should look like this:

  • You can initiate the renewal process by clicking on the Renew Button listed on the My Account page.
  • If your organization membership expired in 2022, you will need to renew your membership by going to Become a Member.

  • ALTA Memberships and Policy Forms Licenses (PFLs) can only be purchased for organizations. You will know it is an organization account if you see a building icon. There will also be two options on the right; the left option is your individual profile.
Policy Forms License Renewal
  • ALTA policy forms licenses can be renewed here: Get a Subscription. Only primary or secondary contacts have the ability to renew the PFL for an organization. If you don’t have your login information, please click here to retrieve it.
  • The Policy Forms License renewal can also be found by going to the ALTA page:
    • Hovering the mouse over Membership in the top menu options, this will prompt a drop down menu to appear.
    • In the right side of the drop down menu, you will see Non-Member Options which has Policy Forms License and Print Policy Forms License Certificate options. Select Policy Forms License.

  • Non-Member Options page will load (you can download your certificates here), select the Purchase a License button.

  • Purchase for your organization.
  • Select Policy Forms License (paid).

  • This item may show up as $500 by default, but after you select it there will be a questionnaire that affects the pricing in the next step.

  • If your answers fit the criteria for price change, they will take place before final checkout on the next screen.

  • After selecting checkout, you will have renewed your organization’s Policy Forms License for 2024. You will be able to download a certificate here: ALTA - Print Policy Forms License Certificate.
  • Please give the system some time to sync up after renewing before trying to print.


Alert: Spoofed Email Appears to Come from ALTA

ALTA is alerting its members to phishing emails with the subject line “Membership.”

Like email from title and settlement companies, email from ALTA staff can be spoofed. In the latest scheme, a phishing email appears to come from John Sullivan of ALTA asking recipients to respond to the email and make a membership payment. Note the fraudulent email address in the images.

This is a phishing email. ALTA’s system was not breached. Your information is safe.

Do not respond or click any links in the email. In addition, you should contact your IT department and block the domain of the email or the IP address that it is coming from. Once the scammers catch on, they will likely switch email domains.

Take extra precaution when reviewing email on smartphones, as it can be difficult to see the actual email address behind the sender’s name.

ALTA will never contact you and ask for login/passwords, credentials, credit card information, or payments by phone or via email. If an ALTA member is ever concerned about whether a person contacting them by phone or email for any reason is employed by ALTA, they should end the communication or conversation and call ALTA at 800-787-2582 or email [email protected] for confirmation.

Tips to Protect Yourself

ALTA understands that phishing attempts can be very clever, but we encourage everyone to slow down. It’s always a good idea to:

  1. Carefully review all email headers to be sure that messages are coming from people or companies you know; when in doubt, forward the message to the intended recipient to be sure that a reply does not end up in the wrong hands.
  2. Hover over any links in a message and see where a click will go – even links which appear to be a complete URL spelled out. Anything could be lurking beneath that link.

What if You Fell for the Scam?
  1. Call your credit card company using the phone number on the actual card or on the card-issuer’s website.
    • Report fraud and review recent charges with a card-issuer representative.
    • Have the credit card canceled/replaced.
    • Consider freezing your credit if you provided additional non-public personal information while making the payment.
  2. Report the incident to your IT department.
    • Consider a scan of your computer for viruses or vulnerabilities if you used the computer to reply to the email or clicked on the URL in the body of the message.
    • Consider changing your login/password information, especially if it’s stored for ease of use.


Top 10 Most Read Articles of 2023

10. Report: $1.4B in Suspected Wire Fraud Identified by CertifID in 2022

CertifID identified $1.4 billion in suspected wire fraud attempts during 2022, according to a report released by the wire fraud protection firm.

9. 3 Common Misconceptions About Password Security

You may be surprised to learn that some commonly held beliefs about passwords are more harmful than helpful. This article highlights three of these misconceptions to ensure that you and your business are armed with the right information to keep up with the latest password security best practices.

8. ALTA Unveils New Brand Identity and Website

ALTA unveiled its new brand identity—redesigned for the first time in nearly 60 years to reflect how the industry has adapted in the digital age—and revamped website during ALTA ONE, the largest annual event for the land title insurance industry.

7. Suing and Serving Phantoms and Ghosts in Real Estate Quiet Title Cases

The overall objectives of pursuing a quiet title action are to bring all parties that have an interest in the property before the court, to resolve the title problem and to obtain a title for the plaintiff that is marketable and insurable by a title insurance company for a sale or refinance. Both the legal and financial stakes can be high in quiet title litigation because without a clear title the owner cannot sell or refinance, and a lender cannot protect its priority title position.

6. Digital Closings Increase, but Barriers Slow Adoption

Fully digital or hybrid closings increased to 10% of all transactions last year compared to 7% of all deals closed in 2021, according to a study sponsored by the ALTA Land Title Institute.

5. Eleventh Circuit Finds No Coverage for Fraudulent Wire Transfer Under Cybercrime Endorsement

Stephen Gregory, claims counsel for WFG National Title Insurance Co., reviews a recent decision by the U.S. Eleventh Circuit Court of Appeals that affirmed a title company did not have coverage for a fraudulent wire transfer under the cybercrime endorsement of its cybersecurity policy. Read on for the facts of the case.

4. Buyer Suffers Wire Fraud Loss, Not Escrow Company 

A buyer bore the loss when she fell for the trap of phishing wire transfer instructions and wired the purchase money to a fraudster and not the escrow company, the Nevada Court of Appeals held. Read on to learn why this ruling is helpful to the title and settlement industry.

3. Red Flags and Tips to Help Prevent Seller Impersonation in Real Estate

Real estate transactions have been a prime target of cybercrime over the past decade. There is little sign of this slowing even as the housing market continues to slow. Instead, fraudsters continue to evolve their scam and money laundering tactics to avoid detection.

2. Guidance on How FDIC Protects Escrow Accounts, Bank Deposits

In light of multiple bank failures, title and escrow professionals should understand how the FDIC protects bank deposits, including title agency funds, escrow funds and independent customer funds. Read on to learn about the FDIC insurance limits, how this impacts escrow accounts, what you should tell your customers and relevant ALTA Best Practices.

1. ALTA Publishes Major Revision to Best Practices

The revisions were made with the specific objective of allowing title agents and direct operations to continually improve their practices and procedures to ensure financial, data security and operational stability, and to provide lenders and other constituents with the assurances that their needs are being fulfilled by these efforts.



3 Common Misconceptions About Password Security

By Alex Hamlin

Everyone knows that choosing a strong password is a critical step in securing the various systems and accounts we all use daily. However, you may be surprised to learn that some commonly held beliefs about passwords are more harmful than helpful. This article highlights three of these misconceptions to ensure that you and your business are armed with the right information to keep up with the latest password security best practices.

1. I Have One Very Secure Password. That’s All I Need!

One of the most common misconceptions about password security is that individuals need just one password for all of their websites and systems, but that couldn’t be further from the truth. Consider the following scenario:

Alice uses the same username and secure password to log into three websites:

  • a.com
  • b.com
  • c.com

While a.com and b.com follow security best practices, c.com is not so diligent. Eve, a hacker, compromises c.com, including their database of usernames and unencrypted passwords. Despite Alice’s use of a strong password, Eve is now in possession of Alice’s login credentials, and is able to compromise her accounts on a.com and b.com because they use the same password.

This attack is known as a credential stuffing attack. It is one of the most common ways that account compromises happen. Had Alice used different, equally secure passwords for each of a.com, b.com, and c.com, her accounts for a.com and b.com would still be protected, even after c.com was compromised.
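On the defender's side, credential stuffing leaves a recognizable trace in login logs: one source trying many different usernames in a short window, with most attempts failing because only the reused passwords work. The detector below is an added example written for this article, not code from the author, ALTA or any vendor; the log format, thresholds and addresses are constructed assumptions.

```python
"""Credential-stuffing detector for web login logs.

Added example for the Alice/Eve scenario above; this is not code from the
article, ALTA or any vendor. The log format, thresholds and addresses are
assumptions chosen for illustration. The tell-tale pattern is one source
trying many *different* usernames in a short window with mostly failures:
each guess is a (username, password) pair leaked from another site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One event per line:
# "<ISO-8601 timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-02-20T10:00:00 203.0.113.5 alice FAIL
2024-02-20T10:00:09 203.0.113.5 alice OK
2024-02-20T10:00:01 198.51.100.7 alice FAIL
2024-02-20T10:00:02 198.51.100.7 bob FAIL
2024-02-20T10:00:03 198.51.100.7 carol OK
2024-02-20T10:00:04 198.51.100.7 dave FAIL
2024-02-20T10:00:05 198.51.100.7 erin FAIL
2024-02-20T10:00:06 198.51.100.7 frank FAIL
2024-02-20T10:00:07 198.51.100.7 grace FAIL
2024-02-20T10:00:08 198.51.100.7 heidi FAIL
2024-02-20T10:30:00 198.51.100.7 ivan OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, max_success_rate=0.2):
    """Return {ip: alert} for sources whose sliding window of attempts
    covers at least `min_users` distinct usernames with a success rate
    at or below `max_success_rate`.  The OK events inside a flagged window
    are the accounts whose reused password just worked: they need a reset."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = [u for _, u, r in span if r == "OK"]
            rate = len(successes) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                # Keep the widest window seen for this source.
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "success_rate": round(rate, 3),
                        "compromised_accounts": sorted(set(successes)),
                        "window_start": span[0][0].isoformat(),
                        "window_end": span[-1][0].isoformat(),
                    }
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

The legitimate user at 203.0.113.5 who mistypes once and then succeeds is not flagged; the source that walks through eight usernames in seven seconds is, and the one account it got into (carol) is listed for a forced password reset.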

However, using a unique, secure password for every account is easier said than done. The average user accesses dozens of websites per day. That’s a lot of passwords to try and memorize! Thankfully, there are tools called password managers that can help. Password managers are applications that automatically generate and store unique, secure passwords for each website a user visits. All of these passwords are locked behind a single master password, reducing the memorization burden for the user.

Password managers automatically fill in a unique password on each website a user visits, protecting against credential stuffing attacks and saving time spent typing long passwords into login screens. Not many security tools also boost productivity!

Password managers, however, can present a single point of failure, and users should perform due diligence to ensure the specific tool they choose has a stellar reputation and follows security best practices. Additionally, the chosen master password for the password manager must be very strong to keep attackers from accessing all of the passwords stored within the tool.

Keep reading to learn some of the common misconceptions around password security, and how to ensure your master password is secure.

2. Complex Characters Are The Most Important Part of a Secure Password

“Your password must contain lowercase letters, uppercase letters, numbers, special characters, a day of the week, the title of a novel, your favorite ice cream flavor…”

We’ve all seen password requirement prompts with a plethora of conditions that can be challenging to satisfy. These requirements have even been satirized as online puzzle games.

While these prompts may sometimes seem unnecessarily demanding in their requests for multiple character types, there's a good reason for it. Using a wider array of characters increases the range of possible passwords, making them harder for attackers to guess. That said, complex characters are not the most important part of a strong password.

When it comes to choosing a secure password, length is actually the most important component. Each additional character in a password exponentially increases its security. In fact, length is so important to a strong password that some experts have argued that we should stop using the word “password,” and instead call them “passphrases,” to encourage the use of more than one word. Passwords (or passphrases) made up of multiple, random words are easier to memorize, easier to type, and tend to be even more secure than shorter, more complex passwords.

Consider the chart below, published by Hive Systems, which shows the amount of time required for an attacker to brute force a password in 2023. In this chart, an easy-to-memorize password made up of a set of random words such as AspenDogTurqoise would take an attacker 713 years to brute force, whereas a hard-to-memorize password such as L6!h;’3[ could be brute-forced in only five minutes.

A great way to combine length and character complexity is to use a full sentence as a password, complete with capitalization and punctuation. It’s important not to use a common phrase or famous quote, as those can be easy to guess. Rather, make up a nonsense sentence that will be easy to remember, like Wow, 6 pink cats! This passphrase would take 380 billion years to brute force according to the chart above!
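To make "exponentially" concrete, here is the keyspace arithmetic behind the passwords above. It is added here and is not taken from the article or from the Hive Systems chart; it assumes each character is chosen uniformly at random from an alphabet of size |A| (95 printable ASCII symbols for L6!h;’3[ and Wow, 6 pink cats!, 52 upper- and lowercase letters for AspenDogTurqoise).

```latex
N = |A|^{L}, \qquad H = \log_2 N = L \log_2 |A| \ \text{bits}

\text{L6!h;'3[}:\quad L = 8,\ |A| = 95 \;\Rightarrow\; N = 95^{8} \approx 6.6 \times 10^{15},\quad H \approx 8 \times 6.57 \approx 52.6 \ \text{bits}

\text{AspenDogTurqoise}:\quad L = 16,\ |A| = 52 \;\Rightarrow\; N = 52^{16} \approx 2.9 \times 10^{27},\quad H \approx 16 \times 5.70 \approx 91.2 \ \text{bits}

\text{Wow, 6 pink cats!}:\quad L = 17,\ |A| = 95 \;\Rightarrow\; H \approx 17 \times 6.57 \approx 111.7 \ \text{bits}

\frac{52^{16}}{95^{8}} \approx 2^{91.2 - 52.6} = 2^{38.6} \approx 4 \times 10^{11}
```

Doubling the length wins by eleven orders of magnitude despite the smaller alphabet, because L sits in the exponent while |A| is only the base: one extra printable character multiplies N by 95 (about 6.6 bits), one extra letter by 52 (about 5.7 bits). These are upper bounds that assume random choice; an attacker who guesses whole words from a 7,776-word list rather than letters rates a three-word passphrase at 3 × log2(7776) ≈ 38.8 bits, and the chart's clock times additionally depend on Hive Systems' hardware and hashing assumptions, which are not reproduced here.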

3. Passwords Should Be Changed Often

For many years, security experts have advised that users should change their passwords regularly, as frequently as once every 90 days. The logic behind this advice is that users often use the same password in multiple places, placing them at risk of compromise and credential stuffing attacks (see above). As such, proactively and regularly changing passwords was believed to be helpful in stopping this sort of attack in its tracks.

However, this advice has been recently challenged, with new research finding that the security benefits of regularly changing passwords are minimal. It turns out that when users are forced to regularly change their passwords, users change them in very predictable ways, such as incrementing a number at the end of the password or substituting one special character for another. This predictability allows attackers to still succeed at credential stuffing attacks by just trying a small number of variations on the stolen passwords.

What’s more, the practice of regularly changing passwords can result in users choosing weaker passwords that are easier to memorize (and easier for attackers to guess). Such frequent password changes can also create an administrative headache for companies trying to promote a strong security culture.

This research led the National Institute of Standards and Technology (NIST) to revise its guidance in Special Publication 800-63B to advise against arbitrarily expiring passwords. Additionally, Microsoft has removed the ability to set arbitrary password expiration in some of its software, and the FTC has published a fantastic summary of the research and changing guidance in this area.

It’s still important to defend against credential stuffing attacks, however the use of unique passwords, made easier with the use of password managers, is a significantly stronger defense. That being said, it is still important for users to change their passwords if they ever have reason to believe a password may be compromised.
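Where a password change is warranted (a suspected compromise rather than a calendar), the predictable edits described above can be caught at the point of change. The checker below is an added example written for this article, not code from the author, ALTA or NIST; its normalization rules (trailing-digit stripping and the substitution table) are assumptions that model the "bump a number or swap a symbol" behavior the text describes.

```python
"""Reject new passwords that are predictable variants of the old one.

Added example for the password-rotation discussion above; not code from the
article or from NIST. The normalisation rules (trailing-digit stripping and
the character-substitution table) are assumptions that model the predictable
edits described in the text: bumping a number or swapping one symbol.
"""
import re

# Common symbol/digit stand-ins for letters ("leetspeak"); an assumption.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def core(password: str) -> str:
    """Reduce a password to the letters a guesser would work around:
    drop leading/trailing digits and symbols (Winter2023! -> Winter),
    undo substitutions (P@ssw0rd -> password) and lowercase the rest."""
    trimmed = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    unsubstituted = trimmed.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", unsubstituted)


def is_trivial_variant(old: str, new: str, min_core: int = 4) -> bool:
    """True when `new` shares its letter core with `old`, or one core is
    merely an extension (prefix/suffix added) of the other."""
    a, b = core(old), core(new)
    if a == b:
        return True
    if min(len(a), len(b)) < min_core:
        return False  # too little material to call it a variant
    return a in b or b in a


def check_password_change(old: str, new: str, min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the change
    is acceptable.  Length first, since the text ranks it above complexity."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_trivial_variant(old, new):
        problems.append("predictable variant of the previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("Winter2023!", "Winter2024!"),
                     ("P@ssw0rd", "Passw0rd!"),
                     ("Summer99", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'ok'}")
```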


Despite being integral to our digital lives, passwords are still a relatively new phenomenon, and the research around what makes them secure is rapidly evolving. This means that what is considered the height of password security today may not be the same a year from now. It’s critical that we stay up to date on the latest best practices and remain open to having our preconceptions challenged. Doing so will help us continuously improve the security of our businesses, our operations, and our own personal lives.

Alex Hamlin, a member of ALTA’s Information Security Work Group, is head of information security for Qualia Labs Inc. He can be reached at [email protected].