On Password Changes

Cormac Herley’s paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users raises some interesting issues about security policy. Sadly I see this research paper not as causing people to challenge assumptions, but instead as ammunition for the anti-IT/anti-security forces. They’re the ones who want to argue about every decision as if they worked in operations or security. So my knee-jerk reaction is to argue with it. Then I stop and think for a bit.
1. By definition, password expiration leaves you exposed until the password expires. If the password expires every 90 days, that means a compromised account is exposed for 45 days on average. Are there any other security defenses designed to expose your accounts for 45 days on average?
2. The frequent password change requirement is believed to have its roots in the attacker’s ability to crack passwords. The password is stored in an enciphered format called a hash. If a hacker obtains the hash, they can try to recover the password by guessing all possible combinations. This is known as brute forcing the password. Other methods of attacking a hash are precalculated (also called rainbow) tables, and checking dictionary words (with substitutions) is another form of attack. If a hash was obtained, it should be impossible to determine the real password from the hash before the password expires and must be changed. If password reuse is also banned, then the security of the password is sustained.
Are there legitimate reasons to expire passwords?
Changing passwords limits exposure. It makes it more difficult for people to share accounts. Sharing accounts is a policy violation.
Even though it seems like closing the barn door after the cattle have escaped, it does eventually limit damages.
The common complaint is that it’s too hard to remember. Many responding to this article claim they would pick better passwords if they didn’t have to change them all the time. I think that if users had to use long passphrases they would be easy to remember. They would also be more secure due to the length, and that would allow the 90-day change interval to be increased to 120 days. Of course, at my company we have compliance requirements that would prevent us from taking that action.
The author seems focused on banks and PayPal. My focus is on the corporate accounts. I just don’t see the cost to the user of changing the password. In my experience web accounts DON’T force you to change the password, so that alone will cause the corporate password to be different from the user’s other accounts. That is a good thing.
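As an added example (not from the original post), the crack-time-versus-expiry argument in point 2 and the passphrase claim above carried through as a calculation. The 1e9 guesses/s attacker, the 62-character alphabet and the 7776-word list are assumptions of the example, not figures from the post.

```python
# Added example, not part of the original post. Models the argument that an
# attacker holding a password hash should not be able to brute-force it before
# the password expires. Guess rate and policy figures are assumptions.
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Policy:
    name: str
    keyspace: int      # number of equally likely passwords the policy allows
    expiry_days: int   # forced change interval


def charset_keyspace(length: int, charset_size: int) -> int:
    """Passwords of exactly `length` symbols from a `charset_size` alphabet."""
    return charset_size ** length


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Passphrases of `words` words picked uniformly from a word list."""
    return dictionary_size ** words


def mean_exposure_days(expiry_days: int) -> float:
    """A compromise at a random point in the cycle is exposed for half of it
    on average: the post's 90-day policy gives 45 days."""
    return expiry_days / 2


def expected_crack_days(keyspace: int, guesses_per_second: float) -> float:
    """Exhaustive search hits the password after half the keyspace on average.
    The rate depends on the hash: a fast unsalted hash allows billions of
    guesses per second on commodity GPUs, a deliberately slow hash far fewer."""
    return (keyspace / 2) / guesses_per_second / SECONDS_PER_DAY


def survives_expiry(policy: Policy, guesses_per_second: float) -> bool:
    """True if expected brute-force time exceeds the expiry window, i.e. the
    policy's premise holds for this attacker speed."""
    return expected_crack_days(policy.keyspace, guesses_per_second) > policy.expiry_days


if __name__ == "__main__":
    rate = 1e9  # assumed attacker: 1e9 guesses/s against a fast hash
    for p in (Policy("8 chars, 62-symbol alphabet, 90-day expiry", charset_keyspace(8, 62), 90),
              Policy("5-word passphrase, 7776-word list, 120-day expiry", passphrase_keyspace(5, 7776), 120)):
        verdict = "holds" if survives_expiry(p, rate) else "fails"
        print(f"{p.name}: ~{expected_crack_days(p.keyspace, rate):,.1f} days to crack, {verdict}")
```

At the assumed rate the 8-character policy is cracked in about a day, so its 90-day window rests on the hash being slow or never leaking, while the 5-word passphrase comfortably outlasts 120 days.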

One Comment

  1. There are two alternatives to password expiry: None or Always. In the case of No expiration, users are left to their own whims on when passwords are changed; which inevitably leads to exposures of a password for far longer than 45 days. In the case of Always, this is where we get one-time passwords. Users rage against these, too (in small but vocal amounts). Besides, on general web sites, this just doesn’t scale. A PayPal fob, a bank fob, a couple Credit Card site fobs, my WoW fob…ick.
  2. A legit reason to expire a password would be for those who know passwords and then leave a company. For instance, in operations, service accounts need to be changed otherwise someone is walking around with the knowledge (even if his actual account from that job is removed). And while users know the policies, there are still plenty of times where passwords are shared, either with immediate colleagues, secretaries, or with your helpful support staff who need to troubleshoot your system while you’re at lunch.
     Ideally, people should change their own passwords any time it gets out of their exclusive control, but they don’t do that. Hell, this is also contingent on them knowing the password is out of their control (child opens drawer, finds password journal for parent bank accounts…saves for rainy day!) To me, that is really the point: maximizing the odds that it really is the rightful owner leveraging the auth mechanism.
     Don’t forget the newest trends in password recovery: memory scraping and of course phishing. Complex passwords do nothing against those issues.
     Really, I hate to sit on the side of the fence that doesn’t want change, but I have to sigh and exclaim that I think we have a decent enough system in place…if only people (the weak link) followed it. I think we have the optimal solutions in front of us already,* but “users” hold them back.
     * Fine, I see one-time passwords and 2-factor auth morphing into national identity based on biometrics/DNA someday, but even that may not scale well beyond a national level…let alone the other issues it provides which get echoed in nearly every sci-fi thriller…