For a long time, a good password policy has had 3 key factors: strong passwords, periodic change of passwords, and activation of Multifactor Authentication. Nowadays the value of periodic password change is questionable and many organizations, like NIST and Microsoft, find this obsolete and worthless. What will happen if periodic password change will be dropped?
Let me present a very common scenario: after a long vacation or sick leave you will return to work and will find out, that your passwords have expired or soon will be. In the worst case it is already expired, you have lost access to your workstation or important folders and files. Big red notifications on the desktop ask to turn to IT administrators. After minutes, sometimes hours, you will gain back the rights to read documents or login to the domain but have lost valuable working hours and then password change request tab prompts on your screen. Of course, you will choose the easy way out change just one letter or will add a number or special character to the end just to get it done. At the end of the day ask yourself- why does it matter? In 60 or 90 days I need to change it again, doesn’t matter how complicated or strong password I choose. It is in human nature to choose the easy way out or invest as little time possible in tasks, that are not interested or there is no personal gain nor outcome.
For years Microsoft has requested their users to change passwords every 90 days. But after analyzing user behavior and collecting data for statistics for a longer period of time, the results revealed, that in time, users will start to choose weaker combinations of passwords or perform miniature changes or add a number or character. According to Microsoft researcher Cormac Herley, the users are not lazy or stupid, but rational, and value their time and effort. He also states, that directory hacks or password brute-force attacks are not popular and valued anymore. Getting the user to give away security credentials through phishing or keylogging is much more effective, and a password’s strength is totally irrelevant when it’s stolen. For a hacker who already knows the combination, it is easy to guess the next version. According to research done by Yubico (leading seller of authentication hardware), people spend approx. 11 hours every year to change their passwords. Every company should price tag this time and think about more efficient or cheaper ways to use that time. The alternative would be to use this time for learning purposes, educating employees on how to use more secure passwords or how to recognize and avoid phishing attacks or teaching them to use password management solutions. Makes you wonder? It is up to CEO-s to decide.
In February 2020, the National Institute of Standards and Technology (NIST), released an updated version of Password Standards. Regulation SP 800-63B Section 18.104.22.168 paragraph 9 states “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.“ NIST has commented on this change as follows: “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.“
The same paragraph from Regulation SP 800-63B also recommends dropping common knowledge of requesting complex passwords, that are for example 15 characters long, requires one upper and lower case, number, special character, etc. Direct quote: “Paragraph 9 recommends against the use of composition rules (e.g., requiring lower-case, upper-case, digits, and/or special characters) for memorized secrets. These rules provide less benefit than might be expected because users tend to use predictable methods for satisfying these requirements when imposed (e.g., appending a “!” to a memorized secret when required to use a special character). The frustration they often face may also cause them to focus on minimally satisfying the requirements rather than devising a memorable but complex secret. Instead, a blacklist of common passwords prevents subscribers from choosing very common values that would be particularly vulnerable, especially to an online attack.
Composition rules also inadvertently encourage people to use the same password across multiple systems since they often result in passwords that are difficult for people to memorize.”
Before updating your password policies or digging more deeper into NIST requirements, ask yourself – what do you want to achieve? Surely you want to keep your organization as secure as possible, but applying requirements, that are hard to fulfill might give a more negative impact than the expected outcome. People do not like controls and if they don’t understand them, they will unlike them even more. Of course, they will follow the rules, but not in a way you would expect. Users start to bend the rules and take shortcuts that may grow into much bigger problems.
A well-defined and uniquely understandable password policy, that is already proven to be working or accepted by the leading Information Security Organizations, will help to explain the need for secure passwords more understandable and easier to accept. According to Microsoft Password Policy recommendations, which are introduced with Windows 10 version 1903, good password practices fall into a few broad categories:
- Resisting common attacks. This involves the choice of where users enter passwords (known and trusted devices with good malware detection, validated sites), and the choice of what password to choose (length and uniqueness).
- Containing successful attacks. Containing successful hacker attacks is about limiting exposure to a specific service or preventing that damage altogether if a user’s password gets stolen. For example, ensuring that a breach of your social networking credentials doesn’t make your bank account vulnerable, or not letting a poorly guarded account accept reset links for an important account.
- Understanding human nature. Many valid password practices fail in the face of natural human behaviors. Understanding human nature is critical because research shows that almost every rule you impose on your users will result in a weakening of password quality. Length requirements, special character requirements, and password change requirements all result in the normalization of passwords, which makes it easier for attackers to guess or crack passwords.
What NIST and Microsoft both are pointing, is that they don’t want you to start using less secure versions of passwords but to think of a new strategy and reorganize your policies according to modern attack methods. The main concern is that the risk introduced by bad password practices is greater than the risk mitigated by password expiration policies. The goal of the password system is password diversity. Microsoft has released guides for administrators and users, where is presented the mandatory requirements for passwords and for users how to choose a secure password.
- Maintain an 8-character minimum length requirement (longer isn’t necessarily better).
- Don’t require character composition requirements. For example, *&(^%$.
- Don’t require mandatory periodic password resets for user accounts.
- Ban common passwords, to keep the most vulnerable passwords out of your system.
- Educate your users to not re-use their organization passwords for non-work-related purposes.
- Enforce registration for multi-factor authentication.
- Enable risk-based multi-factor authentication challenges.
- Don’t use a password that is the same or similar to the one you use on any other website.
- Don’t use a single word, for example, password, or a commonly-used phrase like Iloveyou.
- Make passwords hard to guess, even by those who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use.
Microsoft password policy does not point out a few important recommendations that are found from NIST list.
- Change passwords only if there is evidence of compromise.
- Screen new passwords against a list of known compromised passwords.
- Skip password hints and knowledge-based security questions.
- Limit the number of failed authentication attempts.
NIST suggests administrators focus more on preventative actions. Regular check from the deep web or against a compromised password list may help to avoid attacks against your own company. Would be reasonable to create scripts, that are running periodical checks for you and create black and also white lists of passwords. If your company does not have scripting skills or opportunities, then much open-source freeware can be found on the internet, that can perform password checks for you. In my experience, 99% of compromised accounts didn’t have multi-factor authentications enabled and users were using the same passwords for their private social media accounts or for old email accounts, that they didn’t even remember having. Still, the scenario is the same, passwords have already leaked into the deep web and hackers were searching related accounts by the criteria of the user’s name.
A good practice is to use Password Management Software, which saves you from remembering these looooong and complex passwords, but as long as we have systems, that ask for frequent passwords entering or creating the need to use memorizable passwords, keep monitoring changes in accounts for anomalies. Creating alerts on events like sign-in geo locations, weird login times, new device login can lead to the discovery of potential brute force attacks. The good old slogan “use multi-factor authentication” is already worn out and quite boring to hear, but it works. Can save you a lot of time and unpleasant events.