Security Awareness Blog

Time for Password Expiration to Die

Per Thorsheim, Microsoft's Dr. Cormac Herley, the UK's NCSC, the Chief Technologist at FTC, I and many others are working hard to kill password expiration. Password expiration is when an organization requires its staff to change their passwords every 60, 90 or XX number of days. Password expiration is also a great example of how security professionals fail by simply repeating old myths or focusing on just mitigating risk, forgetting about the cost or impact of those mitigating controls. Here is why password expiration must die.

  1. WRONG THREAT MODEL: The original purpose of password expiration was based on an old and outdated threat model. It was estimated it took 90 days for the average computer to crack the average password. Fast forward to today and that threat model has radically changed. First, most of today's "average" or "bad" passwords can be cracked in the cloud in mere seconds. Second, the greatest risk to your password is not cracking but password harvesting, such as cyber criminals infecting your computer with keystroke loggers, data harvesting via phishing websites, people sharing or reusing passwords, social engineering attacks over the phone, SMS texting or numerous other methods. Long story short, the threat model has changed: if your password is compromised, it will almost certainly be in seconds, not months. And when the bad guy gets your password, they are not going to wait the required "90 days"; they are going to leverage it right away.
  2. BEHAVIORAL COST: Second, there is a huge cost to password expiration. I'm always amazed at how people argue about password entropy but forget about behavior cost. As Dr. Angela Sasse at UCL has documented, every behavior has a cost, and having every employee change X number of passwords every X number of months is a big one. I'm not talking just about lost employee time and help desk tickets; I'm talking about the cost to your culture. Ever wonder why people hate your security program? Here is a big reason why.
  3. MINIMAL RISK MITIGATION: Think you are mitigating risk? Think again. If a cyber attacker has cracked an employee's password and your employee already changed their password, you are still at risk. Your people simply incremented that "1" in their password to a "2" and the bad guys know it. In such situations, password expiration is creating the illusion of security. In addition, if your systems are keeping password history, you are making it that much easier for the bad guys to crack the passwords, as they now have multiple passwords to crack. Since most people make very minor changes to each new password, by cracking an older password cyber attackers can simply guess the current ones. Finally, I asked several of SANS's top instructors about password expiration, including Jake Williams and Rob M. Lee, both of whom used to work at the NSA TAO group, where their job was to hack other countries. Both said that in their years of service, not once did password expiration ever slow them or their team down.
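The pattern in point 3, where a forced change yields the old password with its counter bumped, can be measured at the moment of the change. The following is an added example, not part of the original post: it assumes a change form that submits the current and new password together, and the names `stem`, `rotation_weakness` and `audit` are hypothetical.

```python
"""Flag a new password that is only a cosmetic edit of the current one."""
import re
from difflib import SequenceMatcher

# Digits and symbols at either end are what users usually bump on a forced change.
_EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def stem(password: str) -> str:
    """Lower-case the password and drop leading/trailing digits and symbols."""
    return _EDGE.sub("", password.lower())


def rotation_weakness(current: str, new: str, threshold: float = 0.8):
    """Return why `new` is a trivial variant of `current`, or None if it is not.

    Assumption: both values are in clear text only for the duration of the
    change request, where the user submits the current password with the new one.
    """
    if current == new:
        return "unchanged"
    s_cur, s_new = stem(current), stem(new)
    if s_cur and s_cur == s_new:
        return "same stem, only the counter or punctuation changed"
    ratio = SequenceMatcher(None, current.lower(), new.lower()).ratio()
    if ratio >= threshold:
        return f"near copy (similarity {ratio:.2f})"
    return None


def audit(changes):
    """Count how many (current, new) pairs added nothing but a cosmetic edit."""
    flagged = [(c, n, r) for c, n in changes if (r := rotation_weakness(c, n))]
    return len(flagged), flagged


if __name__ == "__main__":
    # Constructed sample change requests, not real credentials.
    sample = [
        ("Winter2016!", "Winter2017!"),
        ("Summer1", "Summer2"),
        ("Password1", "P@ssword1"),
        ("correct horse battery staple", "purple monkey dishwasher lamp"),
    ]
    count, rows = audit(sample)
    print(f"{count} of {len(sample)} changes were cosmetic")
    for cur, new, reason in rows:
        print(f"  {cur!r} -> {new!r}: {reason}")
```

A high share of flagged changes is direct evidence that the rotation policy is producing predictable variants rather than new secrets.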

Long story short, whenever you require a security behavior, you should have a good reason why. So what should we be doing? How do we address the risks of passwords but at minimal cost? Go with passphrases and/or password managers, and simplify the process while still managing the risk. But you say you have a high-risk account that demands password expiration? Then get into the 21st century and use Multi-Factor Authentication (MFA). In this day and age, changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost on your organization. Fortunately, the tide is already turning. The UK government published new password guidelines that recommend killing password expiration, and the new NIST password guidance has stated the same.


Update 26 March, 2017: Here is a great article by Bruce Schneier that explains this situation at a higher level - Stop Trying to Fix the User.


Updated 13 April, 2017: Added validation / commentary on why password expiration needs to die.



9 Comments

Posted March 23, 2017 at 3:51 AM

Xavier

Amen! (and that's from a lapsed altar boy)

Posted March 23, 2017 at 12:25 PM

Roger A. Grimes

Great, concise article. Well done. What I especially love is the people who say what the data proves is wrong, without providing good data of their own to refute. Sadly, it will probably be 10 years before any of the big security guides recommend anything other than long, complex, and frequently changing passwords. Passwords will likely die, go away, replaced by 2FA and MFA, before the guidelines and recommendations around passwords change. We are the only industry that both creates and ignores its own data.

Posted March 24, 2017 at 8:04 AM

Dawid Ba

Yes, yes, yes! This subject needs more push and press from popular InfoSec folks. Respect, Lance!

Posted March 24, 2017 at 3:30 PM

Arnold Reinhold

As the number of computer accounts each person owns has grown to dozens if not hundreds, the old school password advice (use a unique password for every account, change it often and never write it down) has gone from inconvenient to inconceivable. At the same time, complexity requirements for passwords have grown too. What used to be the maximum password length in Unix, 8 characters, is now the minimum in the NIST draft standard, and that's too short in my opinion for high value accounts.
Something has to give, and mandatory requirements for frequent changes should be the first to go as they are so obviously counterproductive.

Posted March 24, 2017 at 7:56 PM

Terry

I think we need to get the auditors on side with this as soon as possible. Otherwise we will still have these requirements for "compliance" reasons.

Posted March 27, 2017 at 4:05 PM

Unca Alby

I've been saying this for five years. I feel vindicated.

Posted March 31, 2017 at 5:55 PM

Joe Yauch

I second what Terry said.
The auditors, internal and external, need to be onboard and strongly encourage companies by proving why this change is necessary and having companies modify their security standards/criteria in their Corporate Security Policy. Information Security departments should also take the initiative to promote this change with their Audit and Risk/Compliance departments.

Posted April 5, 2017 at 11:33 PM

Bob Down

Doesn't the occasional password cycle help reduce the risk around key executives with long tenure having given their passwords out to countless executive assistants and IT staff who have since left the company? It's a slow leak, albeit through an exec breaking his own policy but it is however a reality in the corporate world.

Posted April 5, 2017 at 11:40 PM

lspitzner

Absolutely! There are numerous ways passwords can be compromised, but once compromised the bad guys are not going to wait the required 90 days before using them, they will use the compromised passwords right away. Once they use them, they are in. So changing your passwords sixty days later does no good, the bad guys are long gone and/or into other accounts. I'm not saying password expiration reduces no risk, my approach is password expiration reduces far less risk than you may think, and at far greater cost to the organization.