Recently this audit summary from US local governments and courts came up in the security channel for a client. Specifically item 2.1 which recommends that users are routinely asked to change their passwords. Specifically it says:
Without requiring passwords to be periodically changed, the likelihood that accounts could be compromised and used by unauthorized individuals to gain access to sensitive information is increased.
Ensure passwords are periodically changed to prevent unauthorized access to computers and data
On the face of it, this sounds like a good idea. If there is a password breach, then making sure that you’re users are regularly rotating their passwords should help ensure that any compromised passwords are periodically changed. No more worries about those compromised passwords…right?
What Forcing Password Changes Really Does
By nature, humans are lazy. That’s why we reuse passwords and why
password is consistently a common password found in breaches. When you force password changes on users regularly, they just get lazier.
password1 then becomes
password123, both of which are on the list above of regularly compromised passwords.
That brings us to this 2010 study that examines the utility of getting people to change their passwords. It finds…that users just transform their passwords in predictable ways I highlighted above. The study shows that around 41% of passwords that were regularly changed would be crackable with the techniques shown in their study. It shows that 17% of passwords would be crackable in 5 guesses.
So forcing password recycling seems like a good idea, but does little to improve security.
What Should You Do Instead?
Let’s talk about some of the things you should be doing with your passwords to keep them strong and secure according to NIST Guidelines.
First, and this isn’t specifically in the guidelines, you should be using a password manager like 1Password or Bitwarden. One of the biggest reasons users choose insecure passwords is that they try to remember them. Human memory isn’t great for random strings of text, so they use insecure password practices like including their username or the site name in their password. By having a password manager generate your passwords for you, you can be more sure that you’re getting truly random unique passwords.
Second, when you’re accepting user passwords check them against data breach databases and reject passwords that match these databases. Password databases from breaches are used regularly in attacks that try to guess passwords so just don’t allow them.
Third, use two-factor (2FA) authentication, but don’t allow SMS as a way to send SMS codes. It’s not hard to spoof SIM cards, or to use social engineering to get access to an account you shouldn’t have access to. If you’re able to do this then you have access to SMS 2FA codes. You should be using a tool like Authy to store your 2FA codes.
Fourth, lock users out of accounts and require admin intervention after 10 password attempts. I suppose it would be okay to lock someone out for a limited amount of time on the first 10 guesses, but then if you allow them to try again after 20 minutes those next 10 guesses should lock them out entirely until an admin deals with whatever is going on. The higher the risks to a breach, the more strict you should be.
Fifth, don’t allow password hints they make passwords trivial to guess. So much data is out there that someone could find out that the name of my first dog was…nope not going to tell you. Still, I’m sure I’ve said it on social media before. A good rule of thumb is that if your password has a hint that would let you guess it, it’s a bad password.
Finally, context specific items such as the username or site for the account should not be allowed as part of the password.
For IT managers, get people using a password manager and do whatever you can to ensure that people use it. Forcing them to change their passwords periodically is so much less secure than using 2FA and using proper passwords. Just stop the practice.