28

I have been seeing a shift in password policy. This has been going on for a while (the article is from 2017), but I have only just picked up on it. In my organization we expire the user passwords every 90 days. When they set up their baseline, this was standard practice. But:

...In this day and age, changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization... SANS.org.

Let's assume all of my users are professionals:
- They use a secure password/passphrase generator and manager for all their accounts.
- There are no sticky notes with passwords.
- There are no incremental password changes, e.g. admin2018, admin2019, since the passwords/passphrases are randomly generated.

Is there no benefit at all to replacing their current password/passphrase with a new randomly generated one every 90 days?

BenoitBalliu1
  • 6
    I guess this all started as a way to avoid certain situations like "former employee might still have access to some stuff" or "somebody might still have a password I shared with them for getting support", etc. The right way to handle those situations is to have separate accounts and never share the passwords. Changing passwords every 90 days is useless: what could be done in 90 days that couldn't be done in just one week? So IMO it's just a useless pain. – reed Apr 29 '19 at 10:38
  • 1
    I feel like your question has some specific elements that aren't answered here, but do review this existing question which provides more context on foundational password expiration issues: https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security – PwdRsch Apr 29 '19 at 21:40
  • 1
    Personally I see advantage in changing passwords mostly around cleaning up after passwords have been shared or stored. Both should not be done but it can help to make it harder by resetting them. It might even help against accidentally disclosed or hacked passwords (if the attacker did not establish persistence that is). Having said that you might want to reduce the impact by having a long-as-possible change period. Something like 3-12 month – eckes Apr 30 '19 at 01:06
  • 1
    How are the new passwords being distributed? That is a potential hole. – Davidmh Apr 30 '19 at 11:16

2 Answers

41

90 days is more than enough to profit from stolen credentials (however strong they are). Moreover, most passwords will vary only by a digit or two when changed, so even a password older than 90 days will allow an attacker to guess the new one fairly easily.

If your passwords are strong (randomly generated by password managers) and one still managed to leak and find its way into the hands of an attacker, the solution is to fix the source of the leak, not to blindly update the passwords. Changing the passwords will not prevent new passwords from leaking in the same way. It would be wiser to prevent password guessing attempts and to try detecting abnormal authentications. Using proper 2FA could also better mitigate password leaks.

At the same time, this policy pushes the users to make passwords easier to remember, thus easier to guess by an attacker. All things considered, the policy mandating to update the passwords regularly weakens the overall security provided by the password protection. That is why Microsoft is planning to remove this policy from Windows 10 starting with the May 2019 update. NIST also recommends against its usage for passwords that need to be remembered.

A. Hersean
  • 14
    "Their password is passw47rd. Doesn't work. I'll try passw48rd. It works!" – billpg Apr 29 '19 at 10:50
  • 3
    The UK National Cyber Security Centre (which has the remit of protecting the UK's cyberspace, both government and commercial) also recommends against expiring passwords. – Martin Bonner supports Monica Apr 29 '19 at 14:07
  • 3
    Unfortunately, PCI DSS compliance is still to reset every 90 days. – Baldrickk Apr 29 '19 at 15:33
  • 4
    @Baldrickk You can still comply with those policies by appending your strong password with a counter. However, you should not think of this as increasing the security of your password, but as a workaround to poor policies. For example, instead of mandating passwords of 16+ chars, you could mandate passwords of 18+ chars with the last two following the pattern [last digit of year][first letter of month]. – A. Hersean Apr 29 '19 at 15:52
  • 2
    (Reference/cite for @MartinBonner's comment: "Don't enforce regular password expiry" https://www.ncsc.gov.uk/collection/passwords?curPage=/collection/passwords/updating-your-approach) – armb Apr 29 '19 at 16:22
  • 1
    @A.Hersean what do you think I do? ;) – Baldrickk Apr 29 '19 at 17:01
  • I wonder how much this matters if everyone is using password managers, though. Most of the "don't enforce password expiration" is because then users will use sticky notes or stupid passwords, but if your policy is that everyone should use password managers, you just need to tell them to generate a new password 4 times a year. What I would look for is a way to integrate the password manager with the actual systems, so that changing the password is just hitting a button, or even automatic. If you can manage that, you can have passwords that change once a day, and nobody would care. – user3757614 Apr 29 '19 at 20:40
  • but for zero gain, @user3757614 - why would you want to have a password change happen to begin with, except to satisfy outdated and mislead policy makers? – Aganju Apr 29 '19 at 20:48
  • 2
    Leaked passwords may take a significant amount of time to get to a usable state to an attacker. Maybe it goes through multiple hands before someone realizes what they have, or maybe the source is a thrown away hard drive with years-old data, or maybe the attacker got the passwords to sell, and it takes a while to find a buyer. Being able to put a definite use-by date on stolen data can be useful, it's just that the downsides from sticky notes are usually too high for this to be worth it. – user3757614 Apr 29 '19 at 21:08
  • @user3757614 I use pass - https://www.passwordstore.org/. Since it is based on git, the passwords all have commit dates. I can sort the passwords by length and/or age. The oldest and shortest are good candidates for resets. I don't know what to think about mandatory password resets as imposed by organizations on individuals but user initiated password reset is in my opinion a very good idea. Password managers should encourage this. – emory Apr 29 '19 at 22:08
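The answer above recommends preventing password guessing attempts and detecting abnormal authentications instead of relying on expiry. The following is an added example of what that detection logic can look like; it is not code from the question, either answer, or any product mentioned on this page. It runs over a constructed, hypothetical authentication log (ISO timestamp followed by `user=`, `result=` and `src=` fields) and raises two kinds of alert: a burst of failed logins for one user from one source inside a sliding window (guessing), and a successful login from a source address that user has never succeeded from before (abnormal authentication). The log format, field names, threshold and window size are all assumptions for the example.

```python
"""Flag password-guessing bursts and logins from unfamiliar sources.

Added example; the log format and thresholds are assumptions, not a real
product's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication events (hypothetical format).
# Not taken from any real system; addresses are documentation/private ranges.
SAMPLE_LOG = """\
2019-04-29T08:00:01Z user=alice result=success src=10.1.1.20
2019-04-29T08:45:12Z user=alice result=success src=10.1.1.20
2019-04-29T09:00:00Z user=bob result=failure src=203.0.113.7
2019-04-29T09:00:02Z user=bob result=failure src=203.0.113.7
2019-04-29T09:00:03Z user=bob result=failure src=203.0.113.7
2019-04-29T09:00:05Z user=bob result=failure src=203.0.113.7
2019-04-29T09:00:06Z user=bob result=failure src=203.0.113.7
2019-04-29T09:00:09Z user=bob result=success src=203.0.113.7
2019-04-29T13:10:44Z user=alice result=success src=198.51.100.9
2019-04-29T17:30:00Z user=carol result=failure src=10.1.1.31
2019-04-29T17:30:20Z user=carol result=success src=10.1.1.31
"""


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def guessing_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return (user, src, ts) whenever `threshold` failures from the same
    (user, src) pair fall inside the sliding `window`. Events must be in
    chronological order. One alert is emitted per burst."""
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if ev["result"] != "failure":
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["user"], ev["src"], ev["ts"]))
            q.clear()  # reset so a long burst yields a single alert
    return alerts


def unfamiliar_source_logins(events):
    """Return (user, src, ts) for successful logins from a source the user
    has never succeeded from before. A user's very first success only seeds
    the baseline and is not reported."""
    seen = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        known = seen[ev["user"]]
        if known and ev["src"] not in known:
            alerts.append((ev["user"], ev["src"], ev["ts"]))
        known.add(ev["src"])
    return alerts


def analyse(text):
    """Run both detectors over a log text and return the alerts by kind."""
    events = parse_log(text)
    return {
        "guessing": guessing_bursts(events),
        "new_source": unfamiliar_source_logins(events),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for user, src, ts in hits:
            print(f"{kind}: user={user} src={src} at {ts.isoformat()}")
```

On the constructed log this reports one guessing burst for bob from 203.0.113.7 (five failures within nine seconds, followed by a success from the same address, which is exactly the sequence a guessing attack produces) and one unfamiliar-source login for alice from 198.51.100.9; carol's single failure before a success is below the threshold and is left alone. Neither alert depends on how old the password is, which is the point the answer makes: these are the signals a 90-day rotation does nothing to surface.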
4

Yes, there is still a benefit to changing passwords every 90 days. Forcing regular changes provides some protection against the unauthorized use of passwords or limits the duration of unauthorized use. There are better alternatives for achieving these same goals (e.g. detecting abnormal use, risk-based authentication, etc.), but you didn't ask to compare password expiration to these alternatives.

Using strong, randomly generated passwords does reduce the risk of password abuse by making it unlikely the associated accounts will be breached due to password guessing, credential stuffing, or password cracking attacks. However, there still remain other avenues for an attacker to obtain user passwords, including malware, authentication server compromise, password manager flaws, or the user purposefully sharing their password with others. The strength and uniqueness of the password doesn't protect against these attacks. A. Hersean says to focus on fixing these leaks, which is good advice, but it is easier said than done.

If an attacker does compromise a user password they will have limited time to use that password if an expiration policy is in place. During that window of opportunity they may be able to complete any malicious actions they intend, or they might be able to escalate their attack and create an ongoing backdoor for access that does not rely on the original user's password. These situations don't really benefit from password expiration. But there are other situations where an attacker isn't able to escalate their attack and needs continued use of the password to maintain access. These are the situations where password expiration helps.

What is hard to quantify is how rare these situations are and in how many of those situations would password expiration either prevent or reduce the duration of attacks. So it becomes a rough cost-benefit analysis where you'd need to understand the costs of maintaining a password expiration policy. If you can completely automate regular password updates (some password managers might make this possible) and it is transparent to users then it seems like it provides value, even if the benefits are rare. If you can't automate password changes then it might not provide enough benefit to justify the time costs to users. In this case I would focus on alternatives to password expiration that can help detect and prevent password compromise.

Additionally, if you can completely automate regular password changes you should consider enforcing changes that take place more frequently than once every 90 days. This should increase the benefits of expiration by further reducing the risk of password compromises.

PwdRsch
  • 9
    "Forcing regular changes provides some protection against the unauthorized use of passwords" In what sense? "limits the duration of unauthorized use" In no practical sense. 45 days (expectation value of validity of a leaked password) is more than ample to do whatever damage the attacker is interested in doing. "you didn't ask to compare password expiration to these alternatives" Security never operates in a vacuum - explicitly ignoring any other approach is not useful. IMO this is counter-productive security theatre. – l0b0 Apr 30 '19 at 01:16
  • 3
    @l0b0 You're telling me you can't think of any situations where an attacker is unable or unwilling to escalate their access beyond the original account? Or where they'd like to retain access to an account beyond 90 days? Think of scenarios other than a simple compromised Windows account in an enterprise domain. – PwdRsch Apr 30 '19 at 05:20
  • 2
    Please stop with the straw men. Outside of Hollywood I expect such a situation is extremely rare. Most organizations are *extremely badly prepared* for an insider attack, and retaining access should be easy once privileged access has been gained. You could for example create a new account or modify the password reset code to send you a helpful message. That's just off the top of my head, and I'm not a pen tester. – l0b0 Apr 30 '19 at 06:24
  • 1
    Who said anything about privileged access? You still seem to have one specific scenario in your head about password compromises and are ignoring other scenarios in systems that don't work that same way. For example, a password to a HR web app. The attacker can't escalate privilege within the app. They want to maintain access so they can continue to extract employee data. – PwdRsch Apr 30 '19 at 14:50
  • 1
    Privileged access != root access. Having access to an HR web app *is* privileged compared to the general public. Anyway, the final goal of an attacker isn't to gather as much data as possible - the data is always a means to an end. And I'm going to simply assume that in the vast majority of cases dumping the data at the time of the breach is enough to get further towards the actual goal. If you assume differently that's fine. I just don't think it jibes with attacks in the real world. – l0b0 Apr 30 '19 at 20:13