Per Thorsheim [https://password.consulting/], Microsoft's Dr. Cormac Herley, the UK's National Cyber Security Centre (NCSC), researchers at the FTC, and I, along with many others, are working to kill password expiration. Password expiration is the policy of requiring staff to change their passwords every 30, 90, or x number of days. It is also a great example of how security professionals fail: we repeat old myths, or we focus only on mitigating a risk and forget the cost and impact of the control we impose. Here's why password expiration must die.
- Wrong threat model. Password expiration was designed for an old and outdated threat model. It was estimated that the average computer needed about 90 days to crack the average password, so a password changed every 90 days would, in theory, be replaced before the attacker finished cracking it. Fast-forward to today, and that threat model has radically changed. First, most of today's "average" or "bad" passwords can be cracked in the cloud in mere seconds. Second, the greatest risk to your password is not cracking but harvesting: cybercriminals infecting your computer with keystroke loggers, collecting credentials through phishing websites, people sharing or reusing passwords, social engineering attacks over the phone or by SMS, and numerous other methods. Either way, if your password is compromised it will almost certainly be compromised in seconds, not months. And when the bad guys get your password, they are not going to wait the required "90 days"; they are going to use it right away.
- Behavioral cost. There is a huge cost associated with password expiration as well. I'm always amazed at how people argue about password entropy but forget about behavioral costs. As Dr. Angela Sasse at University College London has documented, every security behavior has an associated cost, and having every employee change every one of their passwords every few months is a big one. I'm not talking just about lost employee time and help desk tickets; I'm talking about the cost to your organizational culture. Ever wonder why people hate your information security program? Here is a big reason why.
- Minimal risk mitigation. Think you are mitigating risk? Think again. If a cyberattacker has cracked an employee's password and the employee has since changed it, you are still at risk: the employee most likely just incremented the "1" at the end of the old password to a "2," and the bad guys know it. In such situations, password expiration creates the illusion of security. In addition, if your systems keep password history to block reuse, you are making it that much easier for the bad guys: an attacker who obtains that history gets several of the user's past passwords to crack, and because most people make only minor changes from one password to the next, cracking an older one lets the attacker simply guess the current one. Finally, I asked several top instructors at SANS about password expiration. Jake Williams and Rob M. Lee said that in their years of service, not once did password expiration ever slow them or their team down.[1]
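To make the "crack an older password, guess the current one" point concrete, here is an added example. It is not code from the original post; the mangling rules, the season list, the sample credentials, and the use of plain SHA-256 as the stored hash are all constructed for this illustration. It starts from one known old password (say, recovered from a leaked password-history table), applies a few of the transformations people really use when forced to change a password, and tests the resulting handful of guesses against the hash of the "new" one.

```python
"""
Added example (not from the original post): derive guesses for a user's
"changed" password from one previously cracked password.

Everything here is constructed for illustration: the rule set is tiny, the
season list is hard-coded, and unsalted SHA-256 stands in for whatever the
target really stores.  A slow, salted hash raises the cost per guess, but
with only a few dozen guesses per user that cost is irrelevant.
"""
import hashlib
import re
from typing import Iterator, List, Optional

# Constructed season list; a real rule set would also carry months, team names, etc.
SEASONS = ("Winter", "Spring", "Summer", "Fall", "Autumn")


def rule_increment_number(pw: str) -> Iterator[str]:
    """'Password1' -> 'Password2', 'Password3', 'Password4' (keeps zero padding)."""
    m = re.match(r"^(.*?)(\d+)(\D*)$", pw)  # last run of digits, optional symbols after it
    if not m:
        return
    stem, num, tail = m.groups()
    for step in range(1, 4):
        yield f"{stem}{int(num) + step:0{len(num)}d}{tail}"


def rule_bump_year(pw: str) -> Iterator[str]:
    """'Summer2017!' -> 'Summer2018!', 'Summer2019!'."""
    for year in sorted(set(re.findall(r"(?:19|20)\d{2}", pw))):
        for step in (1, 2):
            yield pw.replace(year, str(int(year) + step))


def rule_rotate_season(pw: str) -> Iterator[str]:
    """'Summer2017!' -> 'Winter2017!', 'Spring2017!', 'Fall2017!', 'Autumn2017!'."""
    for i, season in enumerate(SEASONS):
        if season in pw:
            for other in SEASONS[:i] + SEASONS[i + 1:]:
                yield pw.replace(season, other)


def rule_append_suffix(pw: str) -> Iterator[str]:
    """'Password' -> 'Password1', 'Password!', 'Password1!'."""
    for suffix in ("1", "!", "1!"):
        yield pw + suffix


RULES = (rule_increment_number, rule_bump_year, rule_rotate_season, rule_append_suffix)


def derive_candidates(old: str, depth: int = 2) -> List[str]:
    """Breadth-first expansion of one known password through RULES, `depth` rules deep.

    depth=1 applies each rule once to `old`; depth=2 also applies the rules to those
    results, so 'Summer2017!' reaches 'Fall2018!' (season rotated, then year bumped).
    """
    seen = {old}
    ordered: List[str] = []
    frontier = [old]
    for _ in range(depth):
        next_frontier: List[str] = []
        for base in frontier:
            for rule in RULES:
                for cand in rule(base):
                    if cand not in seen:
                        seen.add(cand)
                        ordered.append(cand)
                        next_frontier.append(cand)
        frontier = next_frontier
    return ordered


def sha256_hex(pw: str) -> str:
    """Stand-in for the target's password hash (constructed; unsalted SHA-256)."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def guess_current(old: str, current_hash: str, depth: int = 2) -> Optional[str]:
    """Return the first derived candidate whose hash matches the stored hash, or None."""
    for cand in derive_candidates(old, depth):
        if sha256_hex(cand) == current_hash:
            return cand
    return None


if __name__ == "__main__":
    # Constructed scenario: the attacker cracked the previous password from a leaked
    # password-history table; the user "changed" it by rotating season and year.
    old_password = "Summer2017!"
    stored_hash_of_current = sha256_hex("Fall2018!")
    cands = derive_candidates(old_password)
    print(f"{len(cands)} candidates derived from {old_password!r}")
    print("recovered current password:", guess_current(old_password, stored_hash_of_current))
```

Four rules applied two deep turn one old password into a list of well under two hundred guesses, which is why a 90-day rotation plus a password-history table helps the attacker more than the defender: the history hands over the pattern, and the rotation guarantees the current password is a small edit of it.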
Long story short: whenever you require a security behavior, you should have a good reason why. So, what should we be doing? And how do we address the risks of passwords at minimal cost? Simplify the process while still managing the risk: go with passphrases and/or password managers for employees.[2] But you say you have a high-risk account that demands password expiration? Then get into the 21st century and use multifactor authentication (MFA).[3] In this day and age, changing passwords every 90 days gives you the illusion of stronger security while inflicting needless pain and cost on your organization. Fortunately, the tide is already turning. The UK government's NCSC has published password guidance that recommends killing password expiration, and the new NIST password guidance (Special Publication 800-63B) says the same.
Notes
1. Prior to working as instructors for the SANS Institute, Jake Williams and Rob M. Lee were both part of the National Security Agency's Tailored Access Operations group, where their job was to hack other countries.
2. Learn more about passphrases in the OUCH! April 2017 security awareness newsletter [https://securingthehuman.sans.org/resources/newsletters/ouch/2017#april2017] or password managers in the OUCH! September 2017 security awareness newsletter [https://securingthehuman.sans.org/resources/newsletters/ouch/2017#september2017].
3. MFA may also be referred to as two-factor authentication (2FA), two-step verification, or login approval. The Lock Down Your Login [https://www.lockdownyourlogin.org/] website provides more information about protecting accounts with strong authentication using security keys, biometrics, or one-time codes.
Lance Spitzner is director of the SANS Institute Securing the Human Program. Follow @lspitzner on Twitter or visit his Security Awareness Blog.
© 2017 Lance Spitzner. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.