When you’re a security pro, there are a lot of conversations you’re accustomed to having over and over. There’s the “Yes, we should have the business review and approve security policy” conversation. The classic “No, we can’t just give everyone all access to the share to make your life easier.”
There are some conversations, however, that most of us feel are already said and done. With all the breaches in the headlines that talk about stolen passwords, you would think the notion that passwords must be changed regularly is a pretty settled issue. I don’t expect someone to argue when I say “passwords should be changed regularly.”
If you’re planning to go to the UK any time soon, you may find yourself in the position of trying to argue about the need to change passwords all over again. Recently the CESG, the Communications-Electronics Security Group – a group within the UK Government Communications Headquarters (GCHQ) – issued a new advisory titled “The problems with forcing regular password expiry.” In it they argue that the “usability costs” of password expiry result in more trouble than they’re worth. The summary of their argument is:
The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability. New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords. It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack.
Where to begin? Let’s start with where they are right. People using the same passwords for multiple accounts is a problem. People writing passwords down, or using fatigue with password management as an excuse to justify weak passwords, are big issues. Simple passwords get cracked more easily, and when people reuse passwords, a hack on your favorite dog food delivery service means the attackers have a password that exposes corporate data.
So, it’s not like they are completely out in left field. It begs the question: are these reasons enough to say we should throw out the idea of changing passwords? I bet you can guess my answer.
Not All Passwords Are Created Equal
The first thing that struck me when I started to read this advisory was that they were going to transition to advice about using multi-factor authentication or other one time, device, or contextual methods to authenticate users. As I read down to the bottom I was very surprised they didn’t.
It seemed to me that advice advocating users not to change passwords must have been some gimmick to get them to buy into stronger authentication. When I realized it wasn’t, I was pretty sure I had missed something so I went back and read it all over again.
On the second reading, the other big problem hit me. They made no real distinction about the kind of passwords they were talking about. If you limit the discussion to end-user passwords, then maybe there’s enough to their case to have a discussion. When you include administrative, system, service, and other types of accounts in the scope, then there’s no discussion at all.
It seems like the context is there to limit what they say to end users, but not saying that explicitly makes this advice very dangerous. It’s entirely possible that small shops with very little dedicated IT could take this too much to heart and start engaging in some very dangerous practices.
In most cases, the proliferation of passwords for websites is the source of the fatigue around remembering them. When breaches expose lists of passwords online, the very first piece of advice you get is: change your passwords!
The real leaders like Google, Microsoft, and Apple have all adopted multi-factor authentication (which every smart user should enable immediately) in order to protect their users, because they know passwords alone are not enough. This is one place organizations should be careful to emulate the good that consumer technology has to offer, not just anything that seems cool.
CESG captures something very real in this advisory. When the only trick administrators had in their bag to secure passwords was forcing them to be long, complex, and constantly rotating, we learned that this seemingly sound practice could lead to the very bad results CESG describes.
There is room for easing the policies on how often you change passwords for end users, but that needs to be done in concert with things like codes sent to phones to secure tricky operations like the big boys on the consumer side.
Most of all, users must be educated about the line between work and home life in technology. Changing passwords at home is a chore you can skip at your own risk. Changing passwords at work is a responsibility, and it is often the thin line that stands between the bad guys and our organization’s data.
There are ways to copy the consumer side to advance, but take from the best – not from the rest.