Password Expiration: Like Margarine and Water?
Topics: Access Policy | Authentication
We often swallow ideas that we needn't or shouldn't. Take the onetime urging of nutritionists to substitute margarine for butter in the cause of cardiovascular health. When this advice was first circulating, most margarines contained high quantities of trans fats, concoctions that have turned out to be so harmful (to the heart, among other things) that they are now banned in restaurants in New York City. (In the end, the health effects of butter and margarine seem to hinge on complicated questions of production and raw materials.) Similar dogma applies to the advice to drink eight eight-ounce glasses of water a day for overall good health. Everyone knows the advice. But no one seems to know where the 8x8 rule comes from, or whether it is good or bad.

So what pieces of conventional wisdom in computer security are like margarine and the 8x8 water doctrine? I'd hold forth password expiration as a prime candidate. It's common for IT administrators to require users to change their passwords every few months; ninety days is a typical period. The stated rationale is that this narrows the window of opportunity for an attacker to guess or uncover a user's password.

What are the vectors for password discovery, though? Hashed password tables are subject to brute-force attack, and there are tools that can crack a Windows password hash in a matter of seconds, not months; a ninety-day limit is irrelevant on that timescale. Passwords written on crib sheets are another point of vulnerability. But will an attacker who has had a successful run at a Post-It note really wait ninety days before using what is on it?

At the same time, password expiration is a sower of ill will. It causes users to regard computer security mainly as a nuisance. The practice also creates vulnerabilities of its own. One of these is a heavy reliance on password reset. Forced changes often cause users to forget their passwords or become locked out of their accounts. To recover lost or forgotten passwords, users are commonly asked to answer "challenge questions" such as, "What was the name of your first pet?"
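To put numbers on the two points above (offline cracking speed against a ninety-day rotation, and the small guess space behind a challenge answer), here is an added example that is not part of the original post. The guessing rates, character-set sizes and the pet-name count are order-of-magnitude assumptions chosen for illustration; none of them come from the article.

```python
"""Added example (not part of the original post): put numbers on the
"window of opportunity" argument.  For a secret drawn uniformly from a
keyspace, and a hash an attacker can guess offline at a given rate, we
compare the expected time to recover the secret with the rotation period.
All rates, charset sizes and the pet-name count are assumptions chosen for
illustration, not measurements."""

SECONDS_PER_DAY = 86_400

# Regimes the comparison can land in.
CRACKED_WHILE_VALID = "cracked while valid"   # expiry does not prevent use
ROTATION_MATTERS = "rotation matters"         # expiry can outrun the crack
STRENGTH_PROTECTS = "strength protects"       # expiry is irrelevant


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate secrets of exactly `length` symbols."""
    return charset_size ** length


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: half the keyspace."""
    return space / (2.0 * guesses_per_second)


def regime(space: int, guesses_per_second: float, expiration_days: int,
           margin: float = 10.0) -> str:
    """Classify how a rotation period relates to expected cracking time.

    - expected crack time below the period: the attacker holds a valid
      secret before it expires; rotation only caps how long it stays usable.
    - within `margin` periods above it: a rotation can invalidate the hash
      before the search finishes (the original rationale for expiry).
    - beyond that: the secret's size, or a slow hash, is the protection.
    """
    window = expiration_days * SECONDS_PER_DAY
    expected = expected_seconds(space, guesses_per_second)
    if expected < window:
        return CRACKED_WHILE_VALID
    if expected < margin * window:
        return ROTATION_MATTERS
    return STRENGTH_PROTECTS


def assess(label: str, space: int, guesses_per_second: float,
           expiration_days: int = 90):
    """Return (label, expected days to crack, regime) for one scenario."""
    days = expected_seconds(space, guesses_per_second) / SECONDS_PER_DAY
    return label, days, regime(space, guesses_per_second, expiration_days)


# Constructed scenarios.  Rates are rough assumptions: 1e10/s for an
# unsalted fast hash on one GPU, 1e5/s for a well-tuned slow hash,
# 1/s for online guessing against a reset form with no lockout.
SCENARIOS = [
    ("8 lowercase letters, fast hash",             keyspace(26, 8), 1e10),
    ("8 printable ASCII, fast hash",               keyspace(95, 8), 1e10),
    ("9 printable ASCII, fast hash",               keyspace(95, 9), 1e10),
    ("8 printable ASCII, slow hash",               keyspace(95, 8), 1e5),
    ("challenge answer: ~5,000 pet names (assumed), online", 5_000, 1.0),
]

if __name__ == "__main__":
    for label, space, rate in SCENARIOS:
        name, days, verdict = assess(label, space, rate)
        print(f"{name:55s} expected {days:12.3g} days  -> {verdict}")
```

The regimes it reports are the ones worth arguing about. A secret recovered in seconds or days is in the attacker's hands while still valid, and a ninety-day expiry only caps how long it stays usable; only when the expected crack time is a small multiple of the rotation period does expiry actually outrun the search, which is the regime the old rationale was built for; beyond that, the size of the secret or a slow hash is doing the work, and the rotation adds nothing.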
These questions are none too challenging. They rank among the weakest of passwords; the answers are drawn from small, guessable sets. Help desk calls are an alternative, but they are expensive. And how often do help desk staff challenge you to prove that you are who you claim to be? Or ask you for anything beyond information available in public records, like your birth date? Abolishing password expiration wouldn't eliminate the need for password reset, of course, but it might allow more attention to be paid to securing it.

It's easy for me to carp, though. I'm not an IT administrator. In the interest of learning what others think, here's a poll.

Comments

Password Expiration

Password expiration really is another tenet of IT security that seems to do as much harm as good when it comes to end-users. It is cumbersome, distracting, and annoying to everyone involved. At the same time, you need to consider that some systems really do need password expirations. For critical systems, password expiration makes great sense. All too often a company will fire an employee but neglect to change the passwords to the VPN, firewalls, routers, file servers, etc. Even if they are supposed to change these per the security policies, these steps can easily be overlooked. Having a password expiration can help ensure those users (terminated employees, for example) will be locked out in due time. That is, of course, unless they log in prior to expiration and leave in a back door (such as a dummy user account with full system access). Bottom line is password expiration can be helpful if done on critical systems and as part of an overall security program. Pretty much like everything else related to security.

www.mbridge.com - mbridge
What do you think are the likely origins of password expiration, both the practice itself and the standard expiration periods? Here are some of the responses we got on our poll above...

1. The biggest advantage of password expiration that I can see is that if the password does get compromised you're limiting the time it can be used for. There's some really neat technology around that gives you a new password every minute - perhaps you should look at that :-)

2. Before the advent of rainbow tables you'd have to protect against slower computers' brute force attacks. The belief was that a suitably complex password would withstand attack for some number of months. Look at the Gold ID feature in SOM. The heritage is the old "password crack" program. In 1993 or so, we'd run it on our NIS databases at GTE and find that it couldn't brute force non-dictionary words too quickly, and thus the assumption was that it would take days/weeks/months to crack a particular password. This is no longer true, of course. -Rob Polansky

3. I know when it started -- just about when it got easy to network PCs. The logic is that changing the password on the account at least slows the crackers down -- that if they had your password and owned your accounts, that would change when you changed the password. The cracker would have to start again. Clearly, with keyloggers as a primary attack, changing your password hourly really isn't going to inconvenience an attacker. However, with legacy systems still in place as the backend for the vast majority of financial and other high-volume, high-sensitivity systems, changing passwords frequently is still useful. On those systems, web-based or Wintel-based attacks are not the primary concern. Forcing password changes can help identify improperly set up processes and unauthorized access. Having desktop users in an enterprise environment change passwords regularly does cost time and annoyance. However, there are internal, low-tech attacks and misuse that can be spotted with frequent password changes. Ninety days is a little long these days -- my current employer requires fewer than 60. Super users are generally 14 to 30 days, depending on the sensitivity of the system. Fob-based randomly generated passwords are simply password expiration schemes with the time between required changes extremely short.

4. It seems quite arbitrary to me. Rather like some of the other 'security tools' out there, it might have more to do with making users _feel_ that they are secure...

5. Folklore

6. It's done to limit the amount of risk that you might have through someone else knowing your password - but what it really does is make people choose passwords that are easy to remember and sequential - which, once you know the sequence, means you have access forever. It's really dumb.

7. People tend to have the same password for multiple accounts, so forcing people to change their password reduces the likelihood that a shared password that was cracked on the user's home computer has now made the company vulnerable.

8. Misguided auditors

9. I guess the origin might be that when a password gets known to others they can only use it for a specific time, so damage is only done for a limited time.

10. Misinformed IT administrators who think that forcing password changes will somehow make the system more secure.

11. Ultimately, passwords exist to protect the organisation's data, not the user. To that end, passwords were created and set to expire to protect the organisation from data loss with little or no regard to user experience. I have seen customers attempt to apply an expiration policy to smartcards... which in itself is odd, considering they see the concept of expiring their SecurID PIN codes as completely alien. A user that is forced to change their password regularly WILL employ poor practices to recall them, either by writing them down or attempting to make them the same, or worse, the same as their gmail account!

12. Password = passport. Passports have expiration dates, as do most other "real life" credentials.

13. Medieval times. People changing passwords to enter a castle. That's just a fun guess.

14. Anytime someone needed to control access to a location they may have used a password. So you need to look back at the earliest times when people had locations they wanted to secure, AND had the ability to speak. Then you would need to consider when man, or woman, was smart enough to think about changing that password in order to add a layer of security. I would recommend talking with someone at a Natural History Museum for the time when this may have occurred. One guess... 250,000 years ago (start of Homo sapiens).

www.MBridge.com - Reader Poll Responses