Slashdot Mirror


Frequent Password Changes Are the Enemy Of Security, FTC Technologist Says (arstechnica.com)

Though changing passwords often might seem like a good security practice, in reality, that isn't the case, says Carnegie Mellon University professor Lorrie Cranor. Earlier this year, when the Federal Trade Commission tweeted that people should "encourage" their loved ones to "change passwords often," Cranor wasted no time challenging it. From ArsTechnica's story: The reasoning behind the advice [of changing passwords often] is that an organization's network may have attackers inside who have yet to be discovered. Frequent password changes lock them out. But to a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days. "I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'" Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking. The CIO asked for research that supported this contrarian view, and Cranor was happy to provide it. The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill.

32 of 211 comments

  1. Annoying by Bigbutt · · Score: 2

    The current discussion is a password change for our DMZ servers every 30 days. The mid zone servers are currently every 60 days. And corporate accounts are set to 90 days.

    [John]

    --
    Shit better not happen!
    1. Re:Annoying by RabidReindeer · · Score: 5, Insightful

      You have one and only one password. Either the enemy knows it, and all doors are open, or he doesn't.

      Whether the password changes or not - or how frequently - is immaterial. If the password is known, then you are already pwned.

      Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen - except that in the case of passwords, you could be locking the barn with bandits already inside ready to break security all over again.

      Your efforts are much more profitably employed in protecting your passwords to begin with.

    2. Re:Annoying by TheRaven64 · · Score: 5, Insightful

      Password rotation is intended to prevent against offline attacks. If someone who grabs a copy of your password db can break the hashes in 30 days, then rotating passwords every 30 days is a good defence: by the time someone has found a password, it won't be valid anymore. The problem is that it's a threat model that doesn't really make sense for most organisations.

      --
      I am TheRaven on Soylent News
    3. Re:Annoying by minstrelmike · · Score: 2

      Since you can't reuse a password and you're not supposed to use the same password on any other site and you should change your password often, every 60 days, then that means you need a shitload of distinct passwords.

      Oh yeah. And don't write any of them down either.

  2. Wrong? by Anonymous Coward · · Score: 4, Interesting

    "Frequent password changes lock them out. "
    I was under the understanding the static passwords were an issue because they are far easier to brute force in a long term campaign, as well as a couple other reasons...

    1. Re:Wrong? by beelsebob · · Score: 5, Insightful

      Right, and as this article covers, that's not true. In practice, passwords that don't have to be changed regularly are much stronger, because users are willing to choose a secure password and remember it long term, rather than when they have to change it regularly, they inevitably choose pass0001, and then when they have to change it, choose pass0002, and then pass0003 etc.

  3. Finally! by mcmonkey · · Score: 5, Interesting

    Policies that require frequent password changes lead me to:
    - pick easy to remember (and therefore easy to guess) passwords
    - restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
    - Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
    - Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.

    Frequently changing passwords excludes adherence to most other security good practices.

    1. Re:Finally! by OzPeter · · Score: 3, Interesting

      - Write down passwords.

      I'm not so sold on the evils of writing passwords down as it requires the Evil Actor to have physical access in order to exploit it. And as we all know, once you have physical access it is pretty well game over for security in general.

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:Finally! by Bongo · · Score: 3, Insightful

      This is all true but password changes do reveal password compromises.

      And having compromised tomat001 they can go straight onto guessing tomat002.

      Really, why don't banks force everyone to change the PIN on their cards every month?

    3. Re:Finally! by Bongo · · Score: 5, Insightful

      That can be a problem in a corporate environment. I can't tell you how many times I've found a password written on a Post-It note that got taped to the monitor or underneath the keyboard. If the written password was inside a locked overhead cabinet or a wallet that someone carried, access to the network becomes a lot more difficult. Never mind that many Fortune 500 companies have policies against writing passwords down in the first place.

      I wonder how people would behave if the official policy was to write it down and put it in your wallet.

      Most people have to write down their passwords, there is just no way to remember lots of unique passwords. But if policy is "don't write it down", that's like making it policy "don't breathe", and then people will naturally say, gee this policy is idiotic, we'll just have to ignore it. Result is you're training people to ignore your advice.

      If we want people to follow the advice, we have to give reasonable advice that's practical to follow. There's still too much of this, "it's the dumb user", attitude.

    4. Re:Finally! by Ravaldy · · Score: 2

      The 4 digit code would be very weak against brute forcing if you had the hashed data in front of you but when you have to use their interface to attempt a code and you have only 3 chances, good luck. Additionally the fraud protection systems used by most decent banks will flag your purchase or limit your cash withdrawals. Additionally they are on camera when they do it.

    5. Re:Finally! by Ken+D · · Score: 2

      "he should have remembered his password"

      Why? I've got 140 username / passwords in one password vault, and I've got more in another one. Over 7 different PINs or passwords that are work related.

      There is a limit to the number of PINs and passwords that you can remember, especially when the restrictions prevent you from coming up with a password that you might possibly be able to remember. And that's before you have password expiration policies kick in.

      BTW who's the moron who lets the policy expire passwords on Saturdays, when you need to change the password while you are sitting in front of a computer? It's always fun when mobile email access goes away during a crisis because of the no-notice password-expired event.

  4. As with most things... by The-Ixian · · Score: 2

    The best practice lies somewhere in the middle. Change them too frequently or infrequently and security may be decreased for different reasons.

    (This also depends on your definition of "frequently")

    I *believe* that a password change policy is necessary. However, I don't think you need to change your password every couple of months. I think once a year is good as long as you are not using that password elsewhere and that it is 12 or more characters (don't worry about the numbers, symbols, etc. Just the length is important... again, with caveats pertaining to how the password is entered, stored, transmitted, etc)

    --
    My eyes reflect the stars and a smile lights up my face.
  5. when you have to change password frequently by Kkloe · · Score: 3, Insightful

    last password: Spring01
    new password: Spring02

    more than 2 passwords to change now and then, advice from seniors, put them on a txt-file on the desktop
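The pass0001 -> pass0002 and Spring01 -> Spring02 pattern described in the replies above is easy to detect at change time, when the user supplies both the old and the new password. The following is an added example (not code from the thread or from any product it mentions) of the check a password-change handler could apply: it rejects a new password that merely bumps a trailing number or is otherwise nearly identical to the old one. The 0.75 similarity threshold and the sample passwords are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher

# Matches a password that ends in a run of digits, e.g. "pass0001" -> stem "pass", counter "0001".
TRAILING_COUNTER = re.compile(r"^(?P<stem>.+?)(?P<counter>\d+)$")


def split_counter(password: str):
    """Split a trailing digit run off a password: (stem, counter), or (password, None) if none."""
    m = TRAILING_COUNTER.match(password)
    if m is None:
        return password, None
    return m.group("stem"), m.group("counter")


def is_counter_bump(old: str, new: str) -> bool:
    """True when the new password is the old one with only its trailing number changed
    (pass0001 -> pass0002, Spring01 -> Spring02, tomat001 -> tomat002)."""
    old_stem, old_ctr = split_counter(old)
    new_stem, new_ctr = split_counter(new)
    if old_ctr is None or new_ctr is None:
        return False
    return old_stem.casefold() == new_stem.casefold()


def similarity(old: str, new: str) -> float:
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, old.casefold(), new.casefold()).ratio()


def check_password_change(old: str, new: str, max_similarity: float = 0.75):
    """Return the reasons a password change should be rejected; an empty list means accept.

    Intended to run inside the change-password flow, where the user has just typed both the
    old and the new password, so the service never needs to store plaintext to compare them.
    """
    reasons = []
    if new == old:
        reasons.append("new password is identical to the old one")
    elif is_counter_bump(old, new):
        reasons.append("new password only bumps a trailing number")
    ratio = similarity(old, new)
    if ratio >= max_similarity:
        reasons.append(f"new password is too similar to the old one ({ratio:.2f} >= {max_similarity})")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes, including the patterns quoted in the thread.
    samples = [("pass0001", "pass0002"), ("Spring01", "Spring02"),
               ("Spring01", "Spring01!"), ("Spring01", "lunar-otter-brickwork-42")]
    for old, new in samples:
        verdict = check_password_change(old, new)
        print(f"{old!r} -> {new!r}: " + ("rejected: " + "; ".join(verdict) if verdict else "accepted"))
```

The similarity test catches what the counter test misses, such as appending a single character to the old password; the counter test catches the pure increment even when a lenient threshold would let it through. As the thread itself argues, a check like this only blocks the laziest coping strategy; it does not remove the incentive that forced rotation creates.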

  6. 2016 best practice? by sirber · · Score: 3, Interesting

    Use an offline password manager that generates random strong passwords, like keepass.

    --
    Be or ben't
  7. Legal requirements for businesses by h4ck7h3p14n37 · · Score: 2

    Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.

    Good luck trying to get the auditor to explain why you need to change your passwords every 90 days; in my experience they can't defend their requirements and simply say things like it's "best practice".

    1. Re:Legal requirements for businesses by bravecanadian · · Score: 2

      Some of these questionable policies are driven by business regulations and auditors. If you're going through a PCI or Sarbanes-Oxley certification process you're going to have to get all of those checkboxes marked on the auditors' spreadsheets, whether or not they make sense.

      Good luck trying to get the auditor to explain why you need to change your passwords every 90 days; in my experience they can't defend their requirements and simply say things like it's "best practice".

      It is only to limit how long a compromised password can be used without being noticed.

  8. Study from 2010 is likely worthless... by geekmux · · Score: 2

    ...for one main reason. Can anyone tell me how the insider threat risk has changed in the last 6 years?

    Take a look at the last few major hacks within corporations and social media networks. These haven't been minor breaches where a little bit of data was taken. No, we're hearing about millions of accounts leaked, and terabytes of data stolen, with Sony being a prime example of an inside job.

    The entire point here is frequent password changes DO have a purpose; to mitigate the risk and damage of internal attacks, as outlined in TFS. If the insider threat risk has changed significantly in the last half decade, then the advice to change passwords often IS the more valid one.

    And as the Ashley Madison analysis revealed, it really doesn't fucking matter how often we tell users to change their passwords when they continue to pick horrible ones that require little more than a guess to "crack". Sadly, this trend has not changed in the last few decades of humans typing in passwords into computers. This is probably the strongest argument to remove the concept of human-generated passwords altogether, and go with some form of biometric-enhanced authentication.

  9. Biometrics are stupid by HBI · · Score: 2

    If it's going to be rendered as a hash anyway, what's the difference between that and a bad password?

    Why invest in expensive hardware that will be circumvented anyway? Six months after any technology is mandated, someone finds a workaround and the hardware is useless, whether via writing around the edge with a Sharpie or using a 3d printed eyeball.

    Your insistence on complete security is unattainable anyway. People remain people no matter what we do. Modern thinking on this is "assumed breach". Protect what is important, use automation to make the rest irrelevant.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  10. Re:The mandate to change passwords every three mon by BeerCat · · Score: 2

    And yet oddly enough, few question the Microsoft default setting of 42 days

    Maybe that was to give you a week to remember to reboot the machine before being locked out, as Win95 and early Win98 would only manage an uptime of 49.7 days before becoming unresponsive

    https://sites.google.com/site/...

    (The mouse pointer would move, but no click, double-click or right click actions would work)

    --
    "She's furniture with a pulse"
  11. Well.. by wbr1 · · Score: 2

    I guess I am a hipster. I was failing to reset my passwords before it was cool.

    --
    Silence is a state of mime.
  12. Re:The mandate to change passwords every three mon by Opportunist · · Score: 5, Insightful

    It's the bullet point that is easy to implement that pushes your ITSM score upwards. Changing it every 60 days is B+, changing it every 30 days is A+, hey, if they got another + for it they'd have you change it every 30 minutes. It's a cheap way to "improve" your security score because it requires no work whatsoever from your security management. Servers come with that option built in.

    And while we're at it, same shit with "2 numbers and 3 special characters and at least 30 characters long...". Same bullshit. The longer and more complex the passphrase, the more "+" in your security rating. Why? Doesn't matter. It gives you a better security score. You are winner.

    Management by numbers at its finest.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Special character requirement by crow · · Score: 4, Insightful

    I have several passwords that require a "special" character. I've found it frustrating on the occasions when I need to enter these on my phone, having to switch to the symbols to enter my password. Now if a password requires a special character, I use one that is part of the default keyboard, which limits it to using a period.

    Special character requirements might be fine when using a physical keyboard, but mobile devices change how people will use them.

  14. password length by Anonymous Coward · · Score: 2, Insightful

    ... not using that password elsewhere and that it is 12 or more characters

    Indeed. It is not the number of possible characters, C, from which the password is created, but the number of characters, N, that the password uses: The number of possible combinations is C^N which is polynomial in C, but exponential in N. (Thus, increases much faster with N than with C.) Adding a few "special" characters doesn't do nearly as much as adding length. That doesn't even really prevent dictionary attacks as most of the time the user only adds a 0, 1 or ! suffix to a simple word-password.

    Per XKCD, use your own easily remembered/typed pass phrase (but not "batteryhorsestaple"!) Damn the sites that insist on using a number and special character but limit you to 6 or 8 characters. You can add a meaningful UC letter, number and special character if they insist: "MySisterHas5ReallyBrattyKids!"
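The C^N argument in the comment above, TheRaven64's point earlier in the thread that rotation only matters if the offline search outlasts the rotation period, and chill's remark below about salted hashes all reduce to the same arithmetic. This added example (not code from the thread) carries it through in Python. The guess rate of 1e10 per second, the 30-day rotation period, the user count and the charset sizes (62 alphanumerics, 95 printable ASCII) are assumptions chosen for illustration.

```python
import math

SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols drawn from `charset_size` symbols: C**N."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace. Each extra symbol adds log2(C) bits; enlarging the alphabet
    from C to C' adds only N * log2(C'/C) bits, which is why length wins."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every candidate at the given rate."""
    return keyspace(charset_size, length) / guesses_per_second


def rotation_outpaces_cracking(charset_size: int, length: int,
                               guesses_per_second: float, rotation_days: int) -> bool:
    """TheRaven64's threat model: rotating every `rotation_days` helps against offline cracking
    only if a full search takes longer than the rotation period, so the hash goes stale first."""
    return seconds_to_exhaust(charset_size, length, guesses_per_second) > rotation_days * SECONDS_PER_DAY


def offline_work_factor(charset_size: int, length: int, user_count: int, salted: bool) -> int:
    """Candidates an attacker must hash to cover a leaked table of `user_count` hashes.
    Unsalted: one pass over the keyspace is compared against every user at once.
    Salted (per-user salt): each user's hash must be searched separately."""
    space = keyspace(charset_size, length)
    return space * user_count if salted else space


if __name__ == "__main__":
    # Assumed attacker rate and policy parameters (constructed for the example).
    rate, rotation_days, users = 1e10, 30, 1_000
    policies = [("8 alphanumerics", 62, 8),
                ("8 chars, full printable ASCII", 95, 8),
                ("12 alphanumerics", 62, 12)]
    for label, c, n in policies:
        days = seconds_to_exhaust(c, n, rate) / SECONDS_PER_DAY
        print(f"{label:32s} C^N = {keyspace(c, n):.3e}  {entropy_bits(c, n):5.1f} bits  "
              f"exhaust in {days:.3g} days  rotation every {rotation_days} d helps: "
              f"{rotation_outpaces_cracking(c, n, rate, rotation_days)}")
    print(f"salting multiplies the work for {users} users by "
          f"{offline_work_factor(62, 8, users, True) // offline_work_factor(62, 8, users, False)}x")
```

Running it shows the comment's point numerically: going from 62 to 95 symbols at length 8 multiplies the keyspace by roughly 30, while going from length 8 to 12 at 62 symbols multiplies it by more than a million. Under the assumed rate only the 12-character policy survives longer than the 30-day rotation period, which is the only case in which rotation has any bearing on the offline attack TheRaven64 describes.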

  15. Re:Consider the Human Factor. by WheezyJoe · · Score: 2

    I encourage users to make up passwords based on some useless obsolete memory occupying a permanent place in their brains. I tell them to start with the name of their childhood dog, that's easy, but then add onto that the entire phone number for their best friend growing up.... the one you'd dial 12 times a day? that's 10 digits you can always recall, occupying some space in your head that you otherwise don't have any use for. Tag that onto your dog's name and you have a memorized 18-digit password. Your head is full of this stuff. An old gym locker combination. A weird nickname you used to call someone. The punchline from a comedy bit you heard when you were 11. There's actually a lot of defunct, untraceable fodder permanently stuck in your head you can use to construct a decent password that you couldn't forget if you wanted to.

    --
    Take it easy, Charlie, I've got an Angle...
  16. Can't password expiration be based on complexity? by CQDX · · Score: 5, Interesting

    Every company I've worked for forced us to change passwords regardless of complexity. So I, and probably everyone else, used a simple phrase with a number to increment. I would have liked it if I picked a long, complex, hard to crack password that I'd be rewarded with a longer period before being required to change my password. Would this make sense in practice?

  17. So what you're saying is.... by gerald.edward.butler · · Score: 2

    Length, not size matters. Got it.

  18. Re:The mandate to change passwords every three mon by Opportunist · · Score: 2

    Yup. Such policies lead to very silly behaviour patterns. The oddest one by some margin was a coworker whose first way every morning was to the IT-Department to pick up his password of the day (i.e. "i forgot my password and need a new one"), take it with him, use it, deposit the print in the shredder on his way to lunch, come back to retrieve a new password, use it, dump it in the shredder on his way home.

    Without fail for years. IT had his password ready in the morning at 8 and after lunch at 12:30 (he was very punctual).

    That works for one person. Now try for a few thousand.

    The point is here, though, that this is one coping strategy for insane password requirements. And yes, it is possible to do a sensible security strategy. That may take money to implement, though.

    Like card+code (similar to ATM). Such systems exist for computer login procedures, too. This can double as a door access system, too, providing you not only with a control for computer access but also physical access to your premises.

    If you shy away from expenses, at least give your people something to work with. It's of course easy for a CISO to require his people to use insanely complex passwords, not note them down and change them every other day. But that's blameshifting, that's simply offloading his work onto those who he should be working for.

    And yes, writing a password down is not the worst thing you could do. It's actually quite sensible. As long as you keep this password with you. Put it in your wallet. That's ok. You DO notice when you lose your wallet, and if it is stolen or lost, the average thief will not know what to do with a post it sticking to your wallet with "6'nuKdarw" written onto it.

    If you want to be sneaky, make your password part of a grocery list and tack that to your wallet. If everything fails, nobody would think that "1/4lbButter" is supposed to be a password.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  19. Re:The mandate to change passwords every three mon by chill · · Score: 2

    A password written down on a sticky note can't be cracked remotely. You have to be physically present in the room to have a shot. http://www.imdb.com/title/tt0086567/?ref_=nv_sr_1

    If the password is sufficiently complex, and the system uses properly salted hashes, then it is infeasible to crack remotely via brute-forcing the password database. Simple passwords are susceptible to brute force cracking.

    A better solution is to use both. Write down the complicated password, but append or prepend a memorized PIN. That way, if the written component is compromised, the PIN still has to be guessed.

    --
    Learning HOW to think is more important than learning WHAT to think.
  20. Re:The mandate to change passwords every three mon by mysticgoat · · Score: 2

    Passwords in wallets:

    Carry a business card (not your own) and steg the password on its back using some variant of the following:

    "Ben O. Aronsen: 237 Smith Place #12 Roxbury Vt 05669 ---Sally has phone number". This stegs the password "237SP#12RVt05669" for a Bank Of America account.

    Like the Purloined Letter, the password hides in plain sight. Ain't stegging wunnerful?

  21. Honey post-its? by TiggertheMad · · Score: 2

    I like to write down fake passwords on post-its and leave them lying around for would-be hackers to find. Most people probably aren't that cunning though.

    --
    HA! I just wasted some of your bandwidth with a frivolous sig!
  22. it's just wacko nuts out there by swschrad · · Score: 2

    lots of outfits have wildly inconsistent rules, change periods, and prohibition types on passwords. I ought to just be able to set time to expire as well as changing everything to "asspword", and be done with it.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?