33

After reading some topics on here about password expiration, and also after reading this comment, a question arose in my mind: if we apply password expiration for the safety of users, should our door locks' keys also expire?

By door lock, I mean any physical access restriction we might have, e.g., lock(s) on the server room door, on the company's building entries (including maybe the back door for firefighters or so), vaults, etc.

For physical key-based door locks, this would mean issuing a new metal key every X months/days/whatever, getting the old key back, and providing the new key to users (assuming they are still allowed to open the door). Sounds pretty heavy and complex, but it might help against copied keys or so.

For electronic-based door locks, this would mean reissuing new passwords/key accesses so the RFID/whatever card would need an upgrade with the new access key. Sounds lighter to do, even though it still requires all employees that are allowed access to do the upgrade one way or another. Here, I assume the electronic card holds a "session token" somehow, not a never-changing user ID that the lock would compare to a database of allowed users (in such a case, the user ID itself on both card and DB would need to be rotated).

So, is such a policy applied in some companies, standards, etc., or is it just a dumb idea I had?


Edit:

IMO, it indeed seems like quite a heavy process (more something you do after you know a key has been compromised), but maybe you are aware of high-risk companies or specific companies that do such rotation? Then, for what reasons (if both are not confidential!)?

jwodder
Xenos
  • 6
    w/r/t electronic locks, if each user has their own unique keycard/keycode/etc, you simply disable a given user's credentials in the system upon revoking their access -- doesn't matter if they made copies, shared it with friends, or anything, since the credentials themselves are invalidated, they won't work... though with keycodes/PINs, it's possible a valid user could have shared theirs with a now-revoked user, so periodic rotation isn't the worst idea. – Doktor J Nov 21 '19 at 21:07
  • 8
    If users have to rub their heads and sing a ridiculous song, should we also make them jump on one foot? – R.. GitHub STOP HELPING ICE Nov 22 '19 at 00:44
  • 19
    Password expiration is already a plenty terrible idea on its own. No need to spread the pain and security holes to the physical world. – Gloweye Nov 22 '19 at 13:22
  • 4
    To give a reference for Gloweye's comment, [here's Bruce Schneier and NIST on why password expiration (and related practices) is outdated](https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html). – Schwern Nov 22 '19 at 22:13
  • @DoktorJ: disabling only applies to locks that are online. I've seen "interesting" dual approaches where only building doors are online and issue time-limited session tickets for individual (offline) office doors when you enter, because you can't always feasibly send a janitor to update hundreds of doors, nor retrofit data and power lines into hundreds of doors. – Ulrich Schwarz Nov 23 '19 at 18:39
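The dual design described in the comment above (an online building door that hands out time-limited tickets to offline office doors) is sketched below as an added example; it is not code from the question or from any vendor. Assumptions that are not in the thread: the online controller and the offline doors share one symmetric ticket key provisioned at install time, the offline doors have a clock, a ticket lasts one shift, and the badge IDs, door names and user table are constructed for the demo. The point it makes visible is the cost of the design: revoking a user at the online door refuses new tickets, but a ticket already loaded on the badge keeps opening offline doors until it expires, so the ticket lifetime is also the revocation delay.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Assumption: one ticket key shared by the online front door and every offline
# office door, provisioned at install time; tickets are valid for one shift.
TICKET_KEY = secrets.token_bytes(32)
TICKET_LIFETIME_S = 10 * 3600

# Constructed user database; only the online front door can read it.
USERS = {
    "badge-1001": {"doors": {"office-3.14", "server-room"}, "active": True},
    "badge-1002": {"doors": {"office-3.15"}, "active": True},
}


def issue_ticket(badge_id: str, now: int) -> Optional[bytes]:
    """Online front door: on entry, load a MAC'd ticket onto the badge."""
    user = USERS.get(badge_id)
    if user is None or not user["active"]:
        return None  # revoked or unknown: no ticket, so no office doors today
    claims = {"badge": badge_id, "doors": sorted(user["doors"]),
              "exp": int(now + TICKET_LIFETIME_S)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(TICKET_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def offline_door_check(door_id: str, ticket: Optional[bytes], now: int) -> bool:
    """Offline office door: has the ticket key and a clock, nothing else."""
    if not ticket:
        return False
    body, sep, tag = ticket.rpartition(b".")  # the hex tag contains no '.'
    if not sep:
        return False
    expected = hmac.new(TICKET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or edited ticket
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False  # expiry is the only "revocation" an offline door ever sees
    return door_id in claims["doors"]


def demo() -> dict:
    """Walk one badge through issuance, misuse, revocation and expiry."""
    t0 = 1_700_000_000
    ticket = issue_ticket("badge-1001", t0)
    tampered = ticket.replace(b'"office-3.14"', b'"office-3.15"')
    results = {
        "own_office": offline_door_check("office-3.14", ticket, t0 + 60),
        "other_office": offline_door_check("office-3.15", ticket, t0 + 60),
        "tampered": offline_door_check("office-3.15", tampered, t0 + 60),
    }
    # HR disables the badge at the online door...
    USERS["badge-1001"]["active"] = False
    results["new_ticket_after_revoke_refused"] = issue_ticket("badge-1001", t0 + 3600) is None
    # ...but the ticket already on the badge keeps working until it expires.
    results["old_ticket_after_revoke"] = offline_door_check("office-3.14", ticket, t0 + 3600)
    results["old_ticket_expired"] = offline_door_check("office-3.14", ticket, t0 + TICKET_LIFETIME_S)
    USERS["badge-1001"]["active"] = True  # reset so demo() is repeatable
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Shortening TICKET_LIFETIME_S shrinks the revocation window but forces people to re-enter through an online door more often; a per-door key instead of one shared key would limit what a single stolen door controller can forge, at the cost of the online door holding every door's key.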

8 Answers

40

You asked, ‘if passwords should expire periodically, then should door locks expire periodically?’. Well, from a false premise you can derive any conclusion! The premise of periodic password expiration is foolish and counterproductive and damages security by imposing pointless administrivia on users for feeble defense against hypothetical attack vectors.

Of course, if you have evidence that a key has been compromised—e.g., in a photograph published by a major world newspaper—then it certainly may be prudent to change the locks, as it may be prudent to change your Facebook password after Facebook reported logging passwords in plaintext for years.

Squeamish Ossifrage
  • 32
    _Oh, darn! I cracked the target's password, but they appear to have changed it! Hmm... What would I do if my password expired? I suppose I can try changing this 3 to a 4 and... bingo!_ – CoryCoolguy Nov 21 '19 at 19:50
  • 9
    I'm totally stealing _"administrivia"_ – Lightness Races in Orbit Nov 21 '19 at 22:11
  • 16
    Agreed. I remember when I was a student, I used a tool to extract the locally stored passwords off a computer at school. I found that my lecturer's password was `pant7mime`. I imagine that this started off as `pant0mime` but forced password changes incremented the number. The guy was the computing lecturer. – DiplomacyNotWar Nov 22 '19 at 01:16
  • 1
    I don't like this answer because it assumes the question is a logical statement. I think the spirit of the question is not a logical if/then statement, but rather associating two similar, but different concepts. This is often a very good way to gain new knowledge. The two concepts are similar enough that it's a good question, though honestly I don't think many people in this forum are qualified to answer about physical security risks, likely myself included. – Steve Sether Nov 24 '19 at 00:06
  • In a high security context, it might make sense to regularly expire physical keys. But this is also what MFA/2FA is for - it's much harder to fake a retina scan AND an electronic door key than just the door key, for instance, and you could even add a PIN number - so access is then via something you _have_ (card), something you _are_ (retina/thumbprint), and something you _know_ (pin). But if you're not a data centre, probably just two factors (2FA) is enough. – Brian C Nov 24 '19 at 08:09
  • In multiple high security environments I worked in, physical keys are used for safety controls, not security controls (like power locks on a tool) and must remain in the lock to function. Combination locks are used for the security controls; the combination is changed annually or when someone known to know the combination leaves the organization. http://fedsafes.com/fedsafes-locks/x-10-locks/ shows a typical high security combination lock. These locks are combined with another access control like a badge reader, so the combination locks opens the facility, and the reader used while open. – Randall Nov 24 '19 at 16:01
    Then, how do you manage [such unnoticed lock compromise](https://www.youtube.com/watch?v=AayXf5aRFTI&t=32m33s)? Regular change of locks would drop that (literally!) backdoor (no matter whether you leave the fake lock in place, or put the original lock back once you copied the key). – Xenos Nov 25 '19 at 13:51
38

Password rotation policies are in place to reduce specific risks which allow an attacker to get (and use) the user's password. These risks are password reuse, credential phishing or other forms of social attacks to get the password, compromise of a server and thus access to the hashed passwords, or brute forcing.

None of these risks really apply to physical locks with the same severity as for passwords, i.e. there is no reuse of the same (strong) key for other places, no remote credential stealing using phishing, no common compromise of a central server to access all the keys, and no practical brute force attacks.

Losing a key or having it stolen is still possible, but is much different from a phished key since the person no longer has access to the key. Cloning a key requires temporary physical access to the key and thus is much harder to do undetected. And in all cases the use of the key requires physical access to the specific lock and cannot be done remotely or from somewhere in the local network.

In other words: the risks with physical keys are different and the usefulness of key rotation is much less than with passwords. Additionally, the costs of such risk mitigation are different: not only is key rotation much less useful with physical locks, but it is far more expensive to implement, since locks would have to be replaced and keys have to be physically distributed.

Therefore the risks with physical keys are best contained in different ways, like having hard-to-clone keys or having cameras on the most sensitive locks to monitor who is opening the lock. Moreover, physical locks and keys might have additional risks which passwords don't have, like being vulnerable to (often easy) lock picking without the need for the original key. Rotation would not really protect against these new risks anyway.

Giacomo1968
Steffen Ullrich
  • 21
    Keys can be copied from a photo. With modern cameras, such photos can be taken at a distance. Someone that might be targeted should certainly employ security procedures to ensure that keys are never accessible, nor viewable to non-authorized persons. – vidarlo Nov 21 '19 at 10:28
    I disagree: key reuse exists (though it's poor locks usually, but one can open other people's mailboxes with their own mailbox key for instance), phishing exists ("my key doesn't work, may you hand me yours so I can try?"), central server compromise exists (steal lock manufacturer sales+engineering DBs), brute force attacks exist (see DeviantOllam "Mastering Master Keys"). Cloning a key is undetected (see "copied key" link in the question). I only agree with the last paragraph. – Xenos Nov 21 '19 at 10:28
  • 3
    @Xenos: I've edited my answer slightly to make it not that absolute that the same risks don't apply at all - but they don't apply in the same severity as with passwords. Yes, phishing exists but I've explicitly talked about **remote** phishing. And yes, weak keys and locks exist where the same key might match multiple locks but this is not really the same as password reuse but more the same as weak passwords. – Steffen Ullrich Nov 21 '19 at 10:40
  • @SteffenUllrich I think the bigger issue is the *cost* of checking physical locks. It's expensive, and hard. Checking virtual locks is cheap and trivially possible to automate. – vidarlo Nov 21 '19 at 12:44
  • 1
    @vidarlo: I've updated the answer to include that not only the usefulness of rotation is less with physical keys but also the costs of rotation are higher - which together makes it better to use other forms of risk mitigation. – Steffen Ullrich Nov 21 '19 at 13:01
  • I'd argue that there's different risks with physical locks that warrant changing locks on a semi-regular basis. The first being that keys are incredibly easy to copy, and with turnover being what it is, it's likely you'll have keys in the possession of people that haven't been employed by the company for years. That's one of the reasons many companies use HID devices instead of physical locks and keys. – Steve Sether Nov 21 '19 at 18:42
  • For example, at my last job I had a physical key to the server room, which was a backup to the HID card. Just before I left there was a significant amount of turnover, and literally nobody even knew I had the key. Of course I turned the key in to a colleague before I left. But it would have been just as easy for this to have been forgotten about. – Steve Sether Nov 21 '19 at 18:57
  • Regarding what @vidarlo said, I've never seen or done a PoC, but I'm fairly confident you could automate photo to key in under 10 minutes turnaround time, with portable gear. It would just take some CV to identify the key, match the blank type, and align it to a template, then a mini CNC mill or laser cutter to cut it from a suitable metal or plastic blank. – R.. GitHub STOP HELPING ICE Nov 22 '19 at 00:49
  • 1
    One more aspect is the ease of replacing credentials and the disruption it causes if it fails. Changing a password can be completely automated and requires low effort from all parties (both user and administrators). The disruption caused by a forgotten password is also low - it may require a call to the helpdesk (or equivalent) but it's not a big deal and can be handled within minutes. For comparison, changing *everybody's* key to the office requires high effort - the administrator has to meet every user. Logistics might make it hard - somebody is out sick, for example. – VLAZ Nov 22 '19 at 08:31
  • 1
    Moreover, the disruption caused by somebody being locked out is high - they might be out in the cold/rain and wait until whoever is responsible for the keys drives in to unlock the door for them. So, somebody being locked out of a computer - 5-10 minutes lost and they can drink coffee in the kitchen or something - this can be fixed remotely. Somebody being locked out of their office - likely to involve a lot more time and it *has* to be handled in person. – VLAZ Nov 22 '19 at 08:31
  • 4
    I would disagree that password rotation mitigates any of these problems. Passwords are rotated in a matter of months. So even if an attacker just has a week of access, that's usually more than enough to establish a more permanent way of access. And further, it reduces the complexity of passwords users choose. `Winter2019` and `November2019` are really hot password candidates right now. –  Nov 22 '19 at 13:21
  • "Yes, phishing exists but I've explicitly talked about remote phishing" I dunno. I could sort of picture a scammer emailing people with "Hello, this is company security. We need you to send us a picture of your company keys so that we can verify that you've been issued the correct keys." – nick012000 Nov 24 '19 at 14:38
8

In some places, apartment owners change locks after renting out the apartment if they don't have a particular trust with the tenants. (I seem to recall that with some kinds of mechanical locks it's possible to change the matching key without replacing the entire lock—not by yourself though, you call a specialist mechanic for that.)

And afaik hotels these days routinely change ‘keys’ that open electronic locks, every time a guest checks out. (Not sure about the mechanics: either info on the key card and lock is changed, or correspondence of RFID cards to the rooms.)

You could also consider storage lockers at train stations and such: they're sometimes set up with combination locks and you choose the combination when closing the compartment—even with mechanical combination locks.

The anticipated threat is the same in the three cases: people who had access to the lock but shouldn't anymore. This corresponds e.g. to changing passwords for shared accounts after an employee quits.

aaa
  • 2
    This is a good answer because it uses real threats from the physical security world, rather than drawing upon analogies from the software world. This is probably a bad question for a group of people focused in on computing rather than physical security. – Steve Sether Nov 22 '19 at 15:23
2

Do companies still use individually keyed locks??? I have a card that opens any doors I have access to--if I'm fired, someone will have to let me out the door because my key will already be dead, but everyone else's will still work. It also lets me log into any computer at work without a password (just a PIN) with public key based encryption where the private key never leaves my badge.

The combination of badge and pin is pretty hard to beat, works for both physical and computer security and requires two factors. You could accomplish the same with a phone/thumbprint/pin (2-3 factor) if you didn't want to pay for badge based security.

If you still have keyed locks then YES, Change them, OFTEN.

By changing the keys on doors all the time, you are taking the WORST part of passwords and applying it to another system.

What I'd really rather do is apply identity/encryption based technology to all computer logins AND physical locks by accessing everything through the same public encryption key where the private key safely resides in your physical possession and cannot be copied from that physical medium.

Bill K
  • Seeing [this](https://www.youtube.com/watch?v=AayXf5aRFTI&t=32m33s), yes, companies do have keyed locks here and there ;) – Xenos Nov 25 '19 at 13:41
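The badge model this answer argues for (a secret that stays on the card, per-user credentials that are simply disabled on departure) is shown below as an added example; it is not the answer's code and not any vendor's protocol. It uses a per-badge HMAC key as a stand-in for the badge's private key and the controller's copy of its public key, because the standard library has no signature primitive; the property demonstrated is the same: the reader only ever sees a response bound to a fresh challenge and a specific door, never the secret. Badge IDs, door names and the enrolment flow are assumptions for the demo. A static-ID card, the case the question says must be avoided, is included for contrast: whoever captured its ID at the reader can replay it forever.

```python
import hashlib
import hmac
import secrets


class StaticIdBadge:
    """The weak design: the card just emits a fixed identifier."""
    def __init__(self, badge_id):
        self.badge_id = badge_id

    def tap(self):
        return self.badge_id


class StaticIdLock:
    def __init__(self, allowed):
        self.allowed = set(allowed)

    def verify(self, badge_id):
        return badge_id in self.allowed  # a sniffed or cloned ID works indefinitely


class Badge:
    """Challenge-response card: the secret never appears in any message."""
    def __init__(self, badge_id, secret):
        self.badge_id = badge_id
        self._secret = secret

    def respond(self, door_id, nonce):
        # Bind the answer to this door and this challenge so it cannot be replayed elsewhere.
        msg = door_id.encode() + b"\x00" + nonce
        return self.badge_id, hmac.new(self._secret, msg, hashlib.sha256).digest()


def provision_badge(badge_id):
    """Issuance (assumed flow): generate the badge secret once; the issuer
    registers a copy with every controller the badge may open."""
    secret = secrets.token_bytes(32)
    return Badge(badge_id, secret), secret


class LockController:
    def __init__(self, door_id):
        self.door_id = door_id
        self.keys = {}         # badge_id -> secret (stand-in for a public-key allowlist)
        self.disabled = set()

    def register(self, badge_id, secret):
        self.keys[badge_id] = secret

    def disable(self, badge_id):
        self.disabled.add(badge_id)  # no lock change, no re-keying of anyone else

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, nonce, badge_id, response):
        secret = self.keys.get(badge_id)
        if secret is None or badge_id in self.disabled:
            return False
        msg = self.door_id.encode() + b"\x00" + nonce
        expected = hmac.new(secret, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Returns what each attempt yields against both lock designs."""
    static_lock = StaticIdLock(["badge-1001"])
    sniffed_id = StaticIdBadge("badge-1001").tap()

    server_room = LockController("server-room")
    lobby = LockController("lobby")
    alice, alice_secret = provision_badge("badge-1001")
    server_room.register("badge-1001", alice_secret)
    lobby.register("badge-1001", alice_secret)

    n1 = server_room.challenge()
    transcript = alice.respond(server_room.door_id, n1)   # (badge_id, response)
    results = {
        "static_id_clone_works": static_lock.verify(sniffed_id),
        "legit_tap": server_room.verify(n1, *transcript),
    }
    # Attacker recorded (n1, transcript) at the reader; next time the lock picks a new nonce.
    n2 = server_room.challenge()
    results["replayed_transcript"] = server_room.verify(n2, *transcript)
    # Even with the same nonce, a server-room response is not valid at the lobby door.
    results["cross_door_replay"] = lobby.verify(n1, *transcript)
    # Revocation: disable the ID once. Every physical copy of the badge dies with it.
    server_room.disable("badge-1001")
    n3 = server_room.challenge()
    results["after_disable"] = server_room.verify(n3, *alice.respond(server_room.door_id, n3))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Adding the PIN the answer mentions would be a check at the controller before `verify` runs (something you know on top of the secret you hold); it does not change the challenge-response exchange itself.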
2

The risks: someone lost the key. If more than one person holds some key, usually the 80/20 rule applies: 80% of the time the door is unlocked by 20% of the people. One can lose the key and not notice for a long time. He can even forget that he holds a key to that particular door.

Someone obtained the key legitimately, didn't get accounted for and didn't return the key when he had to.

etc., etc. ... actually, there are a lot of ways to mismanage a physical key.

So, depending on the stakes, changing the door lock may be a good security practice.

fraxinus
  • I like this answer as well because it concentrates on the real risks of physical keys, rather than what essentially inspired the question, password rotation, which has some crossover concepts, but not entirely so. – Steve Sether Nov 24 '19 at 00:10
1

There is no direct relation between the two.

If we follow a risk approach, so that we could find some relation based on the risk, we would have to do something like this:

What would be the probability of having someone testing multiple keys or doing any type of assessment on your door/lock every day? Does it have any known vulnerability? What is the impact if someone manages to open the door?

From my perspective, the thief will always go in using the path of least resistance. So risking being exposed by taking several hours testing your key/door is not viable.

But if you are prone to that risk and the impact is high then you should add extra security controls.

Is changing the lock the most efficient? I think not.

There are probably many other security controls that you can associate with your physical door that minimize your risk at less cost.

For the password, if you do the same work you will see that enforcing the password change from time to time (depending on your risk) is one of the cheapest security controls to enforce safety on your data.

Businesses always have to relate the cost of the security control that they wish to implement to its efficiency. It does not make sense to spend lots of money on door locks when you still have windows to enter through. Or to spend more on the door lock than on what you have inside the house.

A balance between both must be met; it will be different from business to business.

Hugo
1

The kinds of attacks that make regular password changing a good idea become a lot more unfeasible when applied to real locks. In fact, the only comparable attack of this nature that is feasible is stealing said key and using it as soon as possible.

Now sure, you could make a copy of said key, but that takes time and money, and every moment before the key and owner are reunited carries the risk of the owner noticing the key is missing, making it much harder to defuse the situation without getting caught. You also cannot brute force a lock by trying to use hundreds of thousands of keys, as that would take forever, look very conspicuous and will eventually get you caught. Using lockpicks would be much more practical here, but it would still look suspicious, and changing the locks isn't going to help here unless the attacker has picked this lock before.

There's also the fact that changing passwords costs nothing, whereas replacing locks takes time and materials, which ends up comparatively costly.

520
  • You don't watch enough TV spy movies. You don't need to take the key, just make an imprint on a bar of soap. – James Jenkins Nov 22 '19 at 14:15
  • 1
    "Changing passwords cost nothing"? Well, aside from basically forcing everyone to use "password7" anyway... – Daniel McLaury Nov 22 '19 at 23:18
  • @DanielMcLaury with an overzealous password policy, sure. I didn't make that point with that specific situation in mind :) – 520 Nov 25 '19 at 10:02
1

If your door lock is digital and opens by a number combination, then indeed you might want to think about it.

When you go past all the nonsense and blabla, the actual reason for periodic changes of passwords is very simple: We don't always notice that a password was compromised, and we're lazy to keep track of the various hints and anomaly detection is hard and has many false positives and... it's just easier to force people to change their passwords from time to time.

Physical entry with physical keys doesn't have these properties. A key can get lost or stolen, but is only rarely copied unnoticed. It is much, much more likely that an attacker has a password but nobody knows that he does than it is that he has a key nobody has noticed as missing (excluding the case that he stole it just before the break-in, which isn't covered by periodic changes).

For physical keys, it is much more feasible to change them if there is evidence of compromise, instead of periodically.

Tom
  • What's the difference then between digital-PIN locks and regular physical keyed locks? Both have pins, either digital or physical (see the inside of a lock or the linked video). Physical locks seem to have the same problem (undetected compromise) as passwords, as the key could have been copied from a photo, or [the cylinder (lock) could have been replaced](https://www.youtube.com/watch?v=AayXf5aRFTI&t=32m33s) in an unnoticed manner. Btw, you don't have any key in your house without knowing which lock it opens? This means a lock somewhere has an "unnoticed" key that opens it ;) – Xenos Nov 25 '19 at 13:46
  • The difference is that for physical keys, the **usual** case is that it gets lost, while for digital keys they are typically copied. – Tom Nov 25 '19 at 15:07