Security Awareness Blog

Why the 90 Day Rule for Password Changing?

I consistently find passwords one of the most challenging parts of any awareness program, because we have to teach people a patchwork of confusing rules: always use long, complex passwords; never share your passwords; use a unique password for every account; never write your password down; be cautious of personal security questions; and more. To make matters worse, not only are different people teaching different rules, but those rules change over time. *sigh*

One of the key guidelines for changing behavior is to focus on the fewest behaviors that address the greatest risk. When you take this approach, you soon find that the hardest part of effective awareness is deciding what NOT to teach people. For example, a frustration of mine is the old adage "always change your passwords every 90 days." Why? This rule may have had value eons ago, but let's take a look and see what its value (and its costs) truly are.

First, what is the risk we are reducing? The idea is that if your password is compromised, changing it every 90 days limits how long the bad guy can use it. This may have been valid ten years ago, when most attacks were slow and manual, but in today's highly automated environment, once your password is compromised the bad guys will most likely leverage it long before your 90-day change is up. So the question is: is the change of behavior worth it? No. As so often in our field, people forget the COST of implementing a control. Let's do that here.

Let's say you are an organization of 1,000 people with a policy of changing passwords every 90 days. Let's say it takes a person on average 5 minutes to think of a new password and try out different versions until the update is accepted. Now let's say that 10% of the organization has problems with the change process and has to call the help desk, which costs another 5 minutes of discussion over the phone for the employee and 5 minutes for the help-desk staffer taking the call (10 minutes of company time per call). In addition, let's say that since people are constantly changing passwords, they at times forget them, and every quarter 20% have to call the help desk to reset their passwords, at the same 10 minutes of company time per call. Now let's run some numbers.

Changing: 1,000 x 5 minutes x 4 changes per year = 20,000 minutes
Change problems: 1,000 x 0.1 x 10 minutes x 4 = 4,000 minutes
Forgotten passwords: 1,000 x 0.2 x 10 minutes x 4 = 8,000 minutes
Total: 32,000 minutes = 533 employee hours
533 hours x $30 an hour x 2 passwords = roughly $32,000*

*Note: This analysis assumes every employee has two passwords at work. For organizations with more, you would have to scale this number by the number of passwords.

We are paying roughly $32,000 a year in lost company time just from changing passwords (assuming employees have only two passwords). Two passwords is not a lot. I just checked my password manager: I have 98 passwords. If I were to change those passwords every 90 days, the costs would be far greater. Also, this calculation does not include lost productivity while people could not access a system, or employee frustration with security. I feel we would be far better served if we spent that same amount of time and resources teaching people to use strong, unique passwords for every account. Better yet, provide them with tools and training on password managers and two-step verification. That investment will go much farther in protecting people. Does changing your password every 90 days reduce risk? Yes, but only minimally, and at great cost.

Ultimately, you may disagree with my approach or disagree with my numbers. That is fine. My end goal is to get people thinking about what they teach in their security awareness program. Whenever you tell someone they have to change a behavior, there had better be a good reason why.


5 Comments

Posted March 6, 2014 at 4:51 PM

Alan

I suspect the password change every 90 days has little impact on risk because, human behavior being what it is, most people are making minor and/or predictable changes to their existing passwords, e.g. a root and then tacking on Mar14, then 90 days later Jun14, then Sep14, Dec14, Mar15... or maybe Spr14, Sum14, etc.
Training on password managers and two-factor is a much better investment. 2F done properly makes frequent changing unnecessary. And use of a password manager is a practical precondition for strong, unique passwords and also for the ability to make real password changes when you have to change them, i.e. from one long, random, large-key-space password to a new long, random, large-key-space one.
The one catch here is that lots of people may be stuck doing the 90-day change because it is required for compliance with some regulation or some standard.
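The predictable-increment pattern described in the comment above (a fixed root plus Mar14, Jun14, Sep14...) is something a password-change endpoint can check for at the moment the user submits the new password, since both the old and the new value are available in cleartext at that point. The following is an added example, not code from the blog or from any commenter: a hypothetical `check_rotation` function that strips a trailing calendar or counter token to recover the reused root, refuses passwords that consist of nothing but such a token, and falls back to an edit-similarity ratio for other near-duplicates. The token list and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Calendar and counter tokens people tack on when forced to rotate.
# Hypothetical list for this example; a real deployment would extend it
# (company name, product names, the current year, and so on).
CALENDAR = (
    r"jan(?:uary)?|feb(?:ruary)?|mar(?:ch)?|apr(?:il)?|may|june?|july?|aug(?:ust)?|"
    r"sep(?:t(?:ember)?)?|oct(?:ober)?|nov(?:ember)?|dec(?:ember)?|"
    r"spr(?:ing)?|sum(?:mer)?|aut(?:umn)?|fall|win(?:ter)?|q[1-4]"
)

# One trailing rotation token: optional calendar word, then up to four digits
# (a year or a counter), then up to three trailing symbols, anchored at the end.
SUFFIX_RE = re.compile(rf"(?:{CALENDAR})?\d{{0,4}}[!@#$%^&*._-]{{0,3}}$", re.IGNORECASE)


def root_of(password: str) -> str:
    """Strip one trailing rotation token to expose the part the user actually reuses.

    'Welcome1Jun14' -> 'Welcome1', 'Password7' -> 'Password', 'Summer2023!' -> ''.
    A password with no such token is returned unchanged.
    """
    return SUFFIX_RE.sub("", password, count=1)


def check_rotation(old: str, new: str, max_ratio: float = 0.8) -> Optional[str]:
    """Return a rejection reason if `new` is a predictable edit of `old`, else None.

    Runs at change time, where the user has just typed both values; it is a
    heuristic to sit alongside (not replace) a breach-list check.
    """
    if old.lower() == new.lower():
        return "unchanged"

    old_root, new_root = root_of(old).lower(), root_of(new).lower()

    # 'Summer2023!' -> 'Autumn2023!' is a new password in name only.
    if not new_root:
        return "password is only a calendar/counter token"

    # Same root, different suffix: the Mar14 -> Jun14 pattern.
    if old_root == new_root:
        return "same root, only the rotation suffix changed"

    # Catch remaining near-duplicates (one character appended, one swapped, etc.).
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio >= max_ratio:
        return f"too similar to previous password (ratio {ratio:.2f})"

    return None


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [
        ("Welcome1Mar14", "Welcome1Jun14"),
        ("Summer2023!", "Autumn2023!"),
        ("Welcome1Mar14", "Welcome1Mar14x"),
        ("Tr0ub4dor&3", "correcthorsebatterystaple"),
    ]:
        print(f"{old!r} -> {new!r}: {check_rotation(old, new) or 'accepted'}")
```

The root comparison catches the quarterly-suffix habit directly; the similarity ratio is there for edits the token list does not anticipate. Both are only as good as the token list and threshold, which is why this belongs beside a breach-list or password-manager-based approach rather than in place of one.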

Posted March 6, 2014 at 7:25 PM

Stephen Tihor

The reason to change passwords periodically now is that if your password is not in a rainbow table or crackable yet, the steady improvement of techniques and performance means that it is likely to be in one someday. We want to change the password well before that time.
Because password hashing techniques (or, shudder, encryption) are not consistently good, you want to change it frequently enough that mediocre-grade techniques are not able to get it in time. Poor password storage can't be helped by changing and is only ameliorated by using unique passwords for each case, which pretty much requires automation of some flavor.
So again password managers are a good start and 2F a desirable step up from there. With very long slowly changing passphrases as a more distant second runner up.

Posted March 7, 2014 at 9:24 PM

HJohn

Like most security issues, the answer is "it depends on what you are protecting and the risk."
Changing one's bank account password too often is probably not very useful, since the impact will be immediate and not go unnoticed.
Changing one's business account/email password may have more long-term benefit. If the goal is to snoop and steal information, a lot of damage can be done in a short time after obtaining it, true. But to have that door closed in a few months may be worth it. Think also of employees and former employees: better for stolen passwords to average a 45-day useful life than indefinite.
Great, thought provoking piece as always. I do like the perspective about cost, since I have long preached that security is only one of many considerations. Burden cost and productivity are also important.

Posted March 22, 2014 at 4:56 PM

Kru3233

Lance, the password change requirement is one small shield as part of a company's defense in depth, and when used as one of a number of overlapping controls, the password change policy is still effective and beneficial. A recent story in Reuters referenced claims by Alex Holden (Hold Security) of 360 million personal account id

Posted March 23, 2014 at 5:01 PM

lspitzner

Thanks for the reference. Just to remind folks, I'm not saying changing passwords every day does not reduce risk; I believe the cost of implementing such changes is far greater than the relatively small reduction in risk.