Slashdot Mirror


NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com)

An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology's digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: "Remove periodic password change requirements." There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change them or if there is indication of breach.

5 of 149 comments

  1. Re:Good move by Anonymous Coward · Score: 3, Insightful

    Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.

  2. What if... by freeze128 · Score: 4, Insightful

    The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

  3. Finally! by Lord+Kano · Score: 3, Insightful

    My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

    My current position has a 6 month expiry. I use a much stronger password.

    This is common sense to me.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano

  4. Only works with single sign on by ErichTheRed · Score: 3, Insightful

    If you have a really well-connected single sign on environment in place, standardizing on a single password that you have to change periodically makes sense. Where it breaks down is when you have a million passwords scattered across different services (internal or external.) If you have to change those over and over, you end up recycling passwords or writing them down, or storing them in a password vault tool (which is a bad idea given how many vulnerabilities have come to light on those.)

    In fact, with SSO systems like Google or Azure AD, it makes sense to protect that single key much more carefully than an individual password. For example, if someone guessed my corporate account's password or found a way to steal information from Microsoft without them knowing (or telling anyone), my Azure AD account has a lot of access -- off the top of my head, from the naked Internet I can access my Exchange email, OneDrive, all the Azure resources I have control over, most of my HR vital data, access to Internet-facing applications, access to my MSDN and volume licensing stuff from Microsoft, and the list goes on. I'm OK with changing that password pretty frequently. If I had 50 of them to remember, not so much.

    The fact that the standards are being updated to reflect that it's much harder to steal passwords from properly secured systems these days and crack them offline is good though. Corporate security types tend to follow these rules verbatim regardless of whether they make operational sense.

  5. Sanity by LunaticTippy · Score: 4, Insightful

    Thank goodness. Frequent changes entrench bad habits and culture. People are constantly getting locked out, forgetting passwords. Your culture becomes one of frequent password resets with idiotic questions to verify identity. These questions are usually trivially guessable/facebookable/googleable, especially since people forget these all the time too. Many helpdesks will reset passwords via phone without verifying identity since they do it constantly with frustrated, resentful users. Make passwords durable. Changing it without knowing the old one should be a big difficult deal.

    --
    Man, you really need that seminar!