If you look carefully at your organization’s IT policies, standards, and guidelines, you may find that your IT department hasn’t been completely honest with you about how those governance tools are protecting you or the organization. In some cases, they may be completely wrong. Our world is driven by technology: software and hardware solutions keep the economy whirring and ensure the right information is available to the right people at all (or most) times.
Protecting those systems, though, is a daunting task that requires the creation, enforcement, and maintenance of countless IT policies, standards, and guidelines to defend against hackers, malware, and even internal personnel out to settle a grudge. Unfortunately, those governance tools intended to help protect the organization can, over time, become anchors that prevent the organization from tackling new threats effectively. In this post, Button Up takes a look at a common IT policy that often works against the organization’s best interests: password expiration.
Frequent Password Changes Threaten Information Security
Conventional wisdom in the IT world is that frequent password changes result in better security for two major reasons:
- If an attacker simply wants access to a system, frequently changed credentials can make their work more difficult: it’s harder to hit a moving target than one sitting still
- If an attacker has already gained access to a system, a password change effectively revokes it and forces them to restart the time-consuming process of regaining access
Decades of IT doctrine have taught us that security must come at the cost of convenience: passwords need to be changed regularly to protect the organization’s interests and to secure user accounts, but is there truth to these claims?
The Evidence Suggests Otherwise
Industry data collected over the same years provides a very different conclusion. In 2016, the Federal Trade Commission (FTC) published a blog post about frequent password changes that cited a 2010 study from UNC Chapel Hill. In that study, researchers used password cracking tools to attempt to identify passwords from a data set composed of thousands of hashed passwords used by UNC’s former students, faculty and staff. The team had access to more than 51,000 hashed passwords, a situation similar to what it would look like if a hacker managed to steal all or part of a passwords database. When they ran their password cracking tools against the hashed passwords, they were able to reverse the hashing algorithm for about 60% of the passwords in the data set (Cranor, 2016).
Using this data, the researchers analyzed the revealed passwords to identify patterns in how the passwords were created. Through this analysis, researchers determined that:
…users tended to create passwords that followed predictable patterns, called “transformations,” such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).
Cranor, L. (2016, March 2). Time to rethink mandatory password changes. Retrieved from: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
The researchers then created a formula to predict passwords based on the patterns established by each user’s previous passwords. The results were alarming: “for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses” (Cranor, 2016). Even more concerning, they found that if an attacker knows the previous password and has access to the current hashed password file, 41% of current passwords could be cracked in under three seconds per user (Cranor, 2016).
The data illustrates the problem: when forced to make regular password changes because of policy, system users will often result to transformative passwords that are highly insecure or adopt other password management practices that create organizational risk, such as storing written copies of passwords in unsafe spaces or creating easy to guess combinations.
NIST Weighs In
The National Institute of Standards and Technology (NIST) looked at how password security policies are created and discussed current best practices in Special Publication 800-63B on Digital Identity Guidelines: Authentication and Lifecycle Management. In section 5.1.1.2, Memorized Secret Verifiers, NIST states:
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
NIST SP800-63B, “Digital Identity Guidelines: Authentication & Lifecycle Management,” section 5.1.1.2, p. 14
NIST Special Publications are the gold standard for information security practices. NIST’s Special Publications serve as the foundation for information security practices across all industries. The guidance and expertise of NIST informs the creation of policies and standards for the U.S. Federal Government on both classified and unclassified systems, but it is also used by organizations of all sizes to protect themselves against information security threats. This recommendation that passwords should not be changed arbitrarily is consistent with what industry is finding: people who are forced to change their passwords consistently are significantly more likely to make insecure passwords or engage in practices that increase risk instead of reducing it.
We Need Policies That Work
Conventional wisdom is not always wrong, but in the increasingly interconnected business world, organizations need to back up security policies with real world data and analysis. When we take for granted that the practices the industry defined decades ago are still valid today, we neglect to consider the remarkable advances in computing technology that can open the door to new threats.
Protecting access to information systems is critical to the stability and success of any organization. Though frequent password expiration may reduce the overall security of the organization or system, password changes do still play a role when considered alongside other security controls. For example, an organization may choose to implement policies or technologies like the following:
- 2 Factor Authentication (2FA): implementing smart cards, one time passwords, Universal 2 Factor (U2F) security keys, or even SMS verification can dramatically improve your security posture (Note: while SMS is the least secure of these, if you have no 2FA controls in place, SMS is better than nothing)
- Unlimited Password Length: removing maximum password lengths and encouraging the use of passphrases can make it harder for a computer to crack passwords just because they are longer
- Removal of Password Complexity Rules: eliminating complexity requirements and allowing substantially longer passwords can make it easier for users to recall their own sign-in credentials, reducing the risky behaviors associated with frequent password changes
Though these can help secure your environment, they cannot eliminate the need for password changes. Per NIST, arbitrary credential expiration should not occur, but there are still instances where passwords should be changed:
- If a device that uses the account in question is stolen
- If the account itself shows signs of compromise, such as access from unknown locations or at improper times
- If data appears to have been compromised, resetting the password can prevent continued access
Password policies are a part of a much bigger security puzzle, which only comes together to support the organization if all the pieces fit. Failure to map security controls to the threat environment and the realities of modern information systems can expose organizations to unnecessary risk and significantly reduce the quality of the end-user experience. If your IT policies still mandate frequent password expiration, now is the time to take a closer look at those to determine whether doing so may do more harm than good.
Share Your Thoughts: