The risks of forcing frequent password changes

May 25, 2008

People can talk about the risks of not changing passwords at the drop of a hat, but they rarely talk about the risks of forcing people to go through frequent password changes. This matters a lot, because there are significant risks.

(And when people do acknowledge the risks, often it is to decry or mock the 'bad habits' that people adopt.)

The obvious problems are that people can't remember things at the drop of a hat just because you want them to, and people have trouble coming up with good passwords (especially at the drop of a hat). So people write down their new password, and that password is much more likely to be a weak one, because it's much easier to come up with (and remember) weak passwords than strong random ones.

But the direct, obvious problems pale next to the big one: frequent password changes train people not to take security seriously. Being made to change your password frequently is so obviously security theatre (especially if it's treated as a big deal) that it undermines everything else; when you engage in one obvious bit of security theatre, people are predisposed to assume that everything else is also security theatre.

(Remember that most people don't understand security (and probably aren't interested in doing so), and so they have to trust your judgement. But if they wind up feeling that your judgement is clearly flawed on one bit of security practice, this inevitably lessens their trust in all of your judgements.)

This leads me to a suggestion: if you are forced by higher powers to implement mandatory password changes, at least acknowledge to your users that it is a stupid idea (and ideally work with them to make it as painless as possible, for example by teaching them how to come up with one strong password that they can then vary back and forth).

(Yes, I'm aware that this may be politically infeasible.)


Comments on this page:

From 206.168.172.26 at 2008-05-25 12:06:25:

Passwords are hard to remember. They're the biggest, nastiest gaping hole still going when it comes to securing systems. From a cognitive science perspective, having to have passwords at all is a security flaw. That said, we're stuck with them.

The obvious problems you mention are real. But they might not matter so much, depending upon your threat model. Some users will write down passwords. When the written password is stored as if it were money ("It controls where your paycheck gets sent, so take care of it like it's 10 $100 bills"), that prevents misuse by both remote adversaries and dishonest coworkers. That leaves memorizability for those who don't write it down. Almost all users, if allowed to select their new passwords, will choose something memorable over something random. But with adversaries now greatly preferring sniffing & keystroke logging to cracking stolen hashes, randomness is overrated. In my real world, I'd prefer users writing down their new passwords and treating them like money, or their choosing something memorable but not trivial, to their never changing them.

Frequent password changes actually don't need to train people to look at them like they do airport security theater. Most users will pay attention to a succinct statement of who & what they're helping us protect against as the motivation. (And it has to be succinct. They have their jobs to do, and not a lot of time to spend on you, no matter whether your play will win you a Tony award or not.) While that may still be theater (story telling), it's a good kind of security theater. It avoids spreading mistrust.

Attempting to co-opt any remaining distrust/disbelief can be a good bit of theater as well. You can look at it as a variation of "good cop, bad cop," with the good cop's suggestions the minimum necessary. However, as your example for that you suggest "one strong password that can be varied back and forth." Sadly, that doesn't protect against the very real threat of attackers who remember old passwords and retry them, often years later.

If I have to pick a bad cop, I'll still prefer external "forcing functions" like govt. regs or hostile auditors. But then, rather than suggesting something that makes the users vulnerable to external adversaries (a large chunk of our threat model), I'll suggest that they write the new password down and keep it safe in their wallet like it was 10 $100 bills. (But that's what I was suggesting anyway, without the bad cop. No Tony award for me!)

All that said, passwords aren't going to protect systems. As a round figure, 10% of users will do unwise & naive things with them. That means access control is 10% porous, and you need other prevention, detection and response measures in place to deal with that.
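The commenter's caveat above, that a password "varied back and forth" around a fixed core offers no protection against an attacker who retries an old credential, is something a change-time check can at least detect. The following is an added example, not code from this page or its author: at the moment of a password change the system holds both the current and the proposed password in plaintext, so it can compare them directly for trivial variation (case flips, punctuation, a trailing counter), while older passwords survive only as salted PBKDF2 hashes and can be checked only for exact reuse. The normalization heuristic, the 0.8 similarity threshold, the PBKDF2 parameters and the sample passwords are all constructed assumptions for illustration.

```python
import difflib
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed parameters: iteration count and salt length chosen for the example.
PBKDF2_ROUNDS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password, generating a fresh salt if none is given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored (salt, digest)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def normalize(password: str) -> str:
    """Reduce a password to the 'core' a rotation scheme keeps: lower-case,
    alphanumerics only, with any trailing counter digits removed.
    An all-digit password keeps its digits so it still has something to compare."""
    core = re.sub(r"[^a-z0-9]", "", password.lower())
    stripped = core.rstrip("0123456789")
    return stripped or core


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is the old one with cosmetic changes."""
    a, b = normalize(old), normalize(new)
    if a == b:
        return True
    # Ratio of matching characters; 0.8 is an assumed cut-off, not a standard value.
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def check_new_password(current: str, new: str,
                       history: List[Tuple[bytes, bytes]]) -> str:
    """Decide whether a proposed password is acceptable.

    current: the user's present password (available in plaintext at change time)
    history: salted hashes of earlier passwords, checked for exact reuse only
    """
    if is_trivial_variant(current, new):
        return "rejected: trivial variant of current password"
    for salt, digest in history:
        if matches(new, salt, digest):
            return "rejected: password reused from history"
    return "accepted"


def run_demo() -> dict:
    """Constructed scenario: a user whose current password is 'Summer2008!' and
    whose history holds one older password, 'winter2007'."""
    current = "Summer2008!"
    history = [hash_password("winter2007"), hash_password(current)]
    proposals = ["Summer2009!", "winter2007", "lake-tahoe-granite-9"]
    return {p: check_new_password(current, p, history) for p in proposals}


if __name__ == "__main__":
    for proposal, verdict in run_demo().items():
        print(f"{proposal!r}: {verdict}")
```

The order of the two checks matters: the similarity test runs first because it needs the plaintext of the current password, and it is the only way to catch the "vary it back and forth" pattern; once a password is retired only its hash remains, so the history loop can detect exact reuse but not variation. This is a detection aid for a policy you are obliged to enforce, not a substitute for the other prevention, detection and response measures the comment mentions.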

Written on 25 May 2008.

Last modified: Sun May 25 00:24:21 2008