Expiring passwords. We’ve all been forced to live with them. And the annoyance of trying to think up yet another weird combination of characters which will be compliant with whatever other password policies apply is a pain in the 4$$ all too familiar to computer users around the world.
But I have a secret to tell you – expiring passwords are bad security!
Yes, that’s right! Bad security! Expiring passwords were never good security, and they’re being walked back from by serious security and software vendors around the world, including some former heavyweight evangelists.
But first, a history lesson…
Actually, you know what? The history doesn’t matter (I’ll e-mail it to you if you want).
The “short” version is that it goes back to 1985 when the US Department of Defence suggested changing passwords every year (based on crackability), and that timeframe was reduced as the computing power which could be applied to cracking increased. So, when the US National Institute of Standards and Technology (NIST) wrote up its recommendations in 2003, a much shorter timeframe was suggested. That got “baked in” to many vendors’ settings and recommendations (including Microsoft’s).
What ultimately does matter is human behaviour.
When faced with the “challenge” of choosing a new password every 30/60/90 days, humans will be lazy. They’ll make simple changes to existing passwords, or repeatedly change them until they’re able to pass a “not the same as the last ???? passwords” test and be back where they started.
They’ll fall for phishing attacks, put passwords on sticky notes, use their kids’ or pets’ names, choose security questions (e.g. “What city were you born in?”) with easily discovered answers (“Hello, Facebook?”) – there are myriad ways password security is compromised by human behaviour.
And security practices have advanced to the point where we can do a lot better, and avoid the false sense of security a periodic password reset instills.
Here are the basics of good security/password practice:
- Use long random passwords: long passwords with minimal requirements about the types of characters work best, for example “caxsAb-tufjew-qepgy1”
- Don’t use the same password for multiple sites/services: if one site gets cracked/hacked, you don’t want the attackers trying that password on other sites and getting in
- Use a password manager: programs which store your myriad random long passwords and are accessed via a single strong password you commit to remembering
- Use multi-factor authentication (MFA): two-factor authentication (2FA) is a form of this. It means that in addition to something you know (your password) you use additional information, such as something you have (your phone, to generate one-time codes or to approve logins), so that cracking the site password alone is useless
- Avoid SMS MFA: SMS messages can be intercepted by SIMjacking and other means
- Use incorrect answers to security questions: if you must use these with a site, save the incorrect answers in your password manager because some of that “personal” info is relatively easy to find
Returning to required periodic resets, the US National Institute of Standards and Technology (NIST) dropped that recommendation in 2017, and some big-gun adherents like Microsoft have also dropped it as the default and recommended setting.
If a provider is still requiring it, they are not doing security right, especially if they’re also using 2FA.
“This post is brought to you by the security mavens in the NSW Government IT services division who are using 2FA (painfully, through e-mail) for Strata Hub, yet still apparently require expiring passwords.”
Prepared by
Sean McNamara
Strata, Meet Data blog