Per Thorsheim, Microsoft's Dr. Cormac Herley, the UK's NCSC, the Chief Technologist at the FTC, I and many others are working hard to kill password expiration. Password expiration is when an organization requires its staff to change their passwords every 60, 90 or some other fixed number of days. Password expiration is also a great example of how security professionals fail by simply repeating old myths, or by focusing only on mitigating risk while forgetting the cost and impact of the mitigating controls themselves. Here is why password expiration must die.
- WRONG THREAT MODEL: The original purpose of password expiration was based on an old and outdated threat model. It was estimated that it took 90 days for the average computer to crack the average password. Fast forward to today and that threat model has radically changed. First, most of today's "average" or "bad" passwords can be cracked in the cloud in mere seconds. Second, the greatest risk to your password is not cracking but password harvesting: cyber criminals infecting your computer with keystroke loggers, harvesting credentials via phishing websites, people sharing or reusing passwords, social engineering attacks over the phone or SMS, and numerous other methods. Long story short, the threat model has changed: if your password is compromised, it will almost certainly happen in seconds, not months. And when the bad guy gets your password, they are not going to wait the required "90 days"; they are going to use it right away.
- BEHAVIORAL COST: There is a huge cost to password expiration. I'm always amazed at how people argue about password entropy but forget about behavior cost. As Dr. Angela Sasse at UCL has documented, every behavior has a cost, and having every employee change X number of passwords every X number of months is a big one. I'm not talking just about lost employee time and help desk tickets; I'm talking about the cost to your culture. Ever wonder why people hate your security program? Here is a big reason why.
- MINIMAL RISK MITIGATION: Think you are mitigating risk? Think again. If a cyber attacker has cracked an employee's password and that employee has already changed it, you are still at risk. Your people simply incremented the "1" in their password to a "2", and the bad guys know it. In such situations, password expiration is creating the illusion of security. In addition, if your systems keep password history, you are making it that much easier for the bad guys, since they now have multiple passwords to crack. Because most people make only minor changes to each new password, cracking an older password lets cyber attackers simply guess the current one. Finally, I asked several of SANS' top instructors about password expiration, including Jake Williams and Rob M. Lee, both of whom used to work in the NSA TAO group, where their job was to hack other countries. Both said that in their years of service, not once did password expiration slow them or their team down.
Long story short, whenever you require a security behavior, you should have a good reason why. So what should we be doing? How do we address the risks of passwords at minimal cost? Go with passphrases and/or password managers: simplify the process while still managing the risk. But you say you have a high-risk account that demands password expiration? Then get into the 21st century and use Multi-Factor Authentication (MFA). In this day and age, changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost on your organization. Fortunately, the tide is already turning. The UK government published new password guidelines that recommend killing password expiration, and the new NIST password guidance says the same.
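As an added example (not code from the original post), here is a defensive password-change check in Python that follows the reasoning above: instead of expiring passwords on a calendar, it enforces passphrase length, rejects passwords on a known-compromised list, and refuses the "change the 1 to a 2" style of rotation by comparing the proposed password with the previous one. The three-entry compromised set, the 15-character floor and the 0.8 similarity threshold are constructed values chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample of known-compromised passwords. Assumption: a real deployment
# would load a breached-password corpus here instead of this three-entry set.
COMPROMISED = {"password1", "summer2017", "letmein"}

# Passphrase-length floor used in place of a rotation interval (an assumed value).
MIN_LENGTH = 15

# Normalised similarity above which a change counts as a cosmetic edit (assumed).
SIMILARITY_LIMIT = 0.8


def _stem(password):
    """Lower-case and strip trailing digits/symbols: 'Summer2017!' -> 'summer'.

    This is the part a 'change the 1 to a 2' rotation leaves untouched.
    """
    return re.sub(r"[\d\W_]+$", "", password.lower())


def evaluate_change(old_password, new_password):
    """Return policy findings for a proposed change; an empty list means accepted.

    old_password is None when no previous password is known.
    """
    findings = []
    if len(new_password) < MIN_LENGTH:
        findings.append("too_short")
    if new_password.lower() in COMPROMISED:
        findings.append("known_compromised")
    if old_password is not None:
        old_stem, new_stem = _stem(old_password), _stem(new_password)
        if old_stem and old_stem == new_stem:
            # Same core with only the trailing counter or symbol changed.
            findings.append("trivial_increment")
        else:
            ratio = SequenceMatcher(None, old_password.lower(),
                                    new_password.lower()).ratio()
            if ratio >= SIMILARITY_LIMIT:
                findings.append("too_similar_to_previous")
    return findings


if __name__ == "__main__":
    for old, new in [("Summer2017!", "Summer2018!"),
                     ("Summer2017!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {evaluate_change(old, new) or 'accepted'}")
```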
Update 26 March, 2017: Here is a great article by Bruce Schneier that explains this situation at a higher level - Stop Trying to Fix the User.
Updated 13 April, 2017: Added validation / commentary on why password expiration needs to die.