Frequent password changes as security mythology

May 23, 2008

One of the things I see trotted out in response to potential security issues is a suggestion that we make users change their password frequently. In addition to all of the practical reasons not to do this, it's useful to ask one of the most important questions in security: what risks does this protect against, and how big are they?

The concise answer is that it doesn't actually protect against any fundamental risks. What it does is limit the damage done to your systems by compromised passwords (if you are very lucky, it contains them to 'none'). And if your passwords are not getting compromised, it does nothing (except annoy users).

In other words: if your passwords are getting compromised, forcing frequent password changes is not actually solving the problem. Your real problem is that your passwords are getting compromised, and that's what you need to fix. Forcing password changes is merely a mitigation strategy, not a fundamental cure, and, worse, I think that it is generally an ineffective mitigation strategy.

(This feels like a terribly obvious insight now that I have actually written it out.)

Sidebar: what risks password changes protect against

Okay, I exaggerated, but not very much.

Let's start with a simpler question: what effects does someone changing their password have? (Besides causing them to write the new password down on a post-it note and, if you are lucky, stick it beside their money or credit cards.)

Answer: it cuts off access to anyone else who knows their old password.

There are several risks that this protects against:

  • that their old password is compromised and hasn't been exploited yet.
  • that their old password is compromised and is being exploited, but the exploitation hasn't been detected yet.
  • that their old password will be compromised in the future using information that the attacker has already captured (the classical 'steal the hashed passwords and brute force them later' issue).

So, how big are these risks, especially when compared to the very real risks that forcing frequent password changes creates? My personal opinion is that all three of these risks are pretty low, because passwords are compromised rarely, and when they are compromised they seem to be used almost immediately, usually in obvious ways.
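To put rough numbers on the three risks above, here is a small exposure model written for this post (added example, not part of the original article). It assumes a password is stolen on a uniformly random day of the rotation cycle, the attacker starts using it after a delay, and active misuse is noticed and the account locked after a detection delay; the scenario parameters are constructed, and the model ignores an attacker who simply changes the password themselves.

```python
def exposure_days(rotation_days, compromise_day, use_delay, detection_delay):
    """Days an attacker gets to use one stolen password.

    rotation_days   -- forced-change period, or None for no forced changes
    compromise_day  -- day within the cycle the password was stolen (0 <= d < rotation_days)
    use_delay       -- days the attacker sits on it before using it (or spends cracking a hash)
    detection_delay -- days of active misuse before someone notices and locks the account
    """
    use_start = compromise_day + use_delay
    if rotation_days is None:
        return float(detection_delay)          # only detection ends the exposure
    if use_start >= rotation_days:
        return 0.0                             # rotated away before it was ever used
    return float(min(use_start + detection_delay, rotation_days) - use_start)


def expected_exposure(rotation_days, use_delay, detection_delay):
    """Average exposure over a compromise on each day of the cycle (day granularity)."""
    if rotation_days is None:
        return float(detection_delay)
    total = sum(exposure_days(rotation_days, d, use_delay, detection_delay)
                for d in range(rotation_days))
    return total / rotation_days


def rotation_benefit(rotation_days, use_delay, detection_delay):
    """Return (days without rotation, days with rotation, fraction of exposure avoided)."""
    without = expected_exposure(None, use_delay, detection_delay)
    with_rot = expected_exposure(rotation_days, use_delay, detection_delay)
    return without, with_rot, (without - with_rot) / without


if __name__ == "__main__":
    # Constructed scenarios matching the three risks in the post, 90-day rotation.
    scenarios = {
        "used immediately, noticed in 2 days":        (0, 2),
        "used immediately, unnoticed for a year":     (0, 365),
        "held for 60 days, then 30 days unnoticed":   (60, 30),
        "hash cracked offline after 120 days":        (120, 30),
    }
    for name, (use_delay, detect) in scenarios.items():
        w, r, frac = rotation_benefit(90, use_delay, detect)
        print(f"{name:45s} no-rotation {w:6.1f}d  rotation {r:6.1f}d  avoided {frac:5.1%}")
```

The "used immediately and noticed quickly" case, which the post argues is the common one, gains almost nothing from rotation; the benefit only shows up when detection is slow or the attacker sits on the password.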

Written on 23 May 2008.