Password Expiry is Evil?

A colleague asked me yesterday whether password expiry was considered best practice, and my immediate answer was no: changing your passwords regularly is best practice, whereas expiry is an implementation technique that tries to force users into following it.

Personally I hate password expiry with a vengeance. I change my passwords regularly on accounts that need it and leave others the same for years on end; why should I be forced into a pattern of behaviour? When asked to advise on a security policy I always say that users should be instructed to follow all security best practice advice and be held accountable for their actions and inactions. Even when a password expiry scheme forces users to change, it is human nature to respond by adopting a password scheme of their own.

The problem is that every such scheme makes passwords more predictable than before: the user can go away and drink beer for a week, come back, and get in at the second attempt, and anyone who knows the previous password or the pattern can do the same. Is a randomly generated password that never expires more secure than a regularly changed password that always includes the month in it? I think it is, at least against online guessing.
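As an added example (not code from the original post), here is a small Python model of the attack the paragraph describes: an attacker who knows one previous password and the usual rotation habits derives the likely current one in a handful of guesses. It goes beyond the month case in the text to trailing counters, years and season names; the order in which the habits are tried and all of the sample passwords are constructed assumptions. For comparison it also reports the brute-force work for a uniformly random password, about which the previous password says nothing.

```python
"""Added example (not part of the original post): why rotation schemes make
passwords predictable.

successor_guesses() models an attacker who knows one previous password and
the usual rotation habits; guesses_needed() reports how many guesses the
user's real next password takes.  brute_force_bits() is the comparison for
a uniformly random password, which the previous password says nothing about.
The habit ordering and all sample passwords are constructed assumptions.
"""
import math
import re
import string

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
SEASONS = ["winter", "spring", "summer", "autumn"]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def _advance_token(word, cycle, steps=3):
    """Variants of `word` with any token from `cycle` replaced by the next
    `steps` entries of the cycle, keeping the token's capitalisation."""
    out = []
    lower = word.lower()
    for i, tok in enumerate(cycle):
        pos = lower.find(tok)
        if pos == -1:
            continue
        capitalised = word[pos].isupper()
        for step in range(1, steps + 1):
            nxt = cycle[(i + step) % len(cycle)]
            if capitalised:
                nxt = nxt.capitalize()
            out.append(word[:pos] + nxt + word[pos + len(tok):])
    return out


def successor_guesses(old, steps=3):
    """Likely current passwords given the previous one, most common habit
    first (the ordering is an assumption, not measured data)."""
    guesses = []
    # Habit 1: trailing counter or year bumped (Summer2006 -> Summer2007).
    m = re.search(r"(\d+)(\W*)$", old)
    if m:
        head, num, tail = old[:m.start(1)], m.group(1), m.group(2)
        for step in range(1, steps + 1):
            guesses.append(head + str(int(num) + step).zfill(len(num)) + tail)
    # Habit 2: month or season name advanced (Pa55word!Mar -> Pa55word!Apr).
    guesses += _advance_token(old, MONTHS, steps)
    guesses += _advance_token(old, SEASONS, steps)
    # Habit 3: unchanged, for users who cycle back past the history check.
    guesses.append(old)
    seen = set()
    return [g for g in guesses if not (g in seen or seen.add(g))]


def guesses_needed(old, new):
    """1-based position of `new` in the successor list, or None when the
    new password is not derivable from the old one by a modelled habit."""
    candidates = successor_guesses(old)
    return candidates.index(new) + 1 if new in candidates else None


def brute_force_bits(length, alphabet=PRINTABLE):
    """Bits of guessing work for a uniformly random password of `length`
    characters drawn from `alphabet`."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed (old, new) pairs: the first two follow a rotation habit,
    # the third is a genuinely random replacement.
    pairs = [("Summer2006", "Summer2007"),
             ("Pa55word!Mar", "Pa55word!Apr"),
             ("Tr0ub4dor&3", "xK9$mQ2!pL")]
    for old, new in pairs:
        n = guesses_needed(old, new)
        print(f"{old} -> {new}: " + (f"guess #{n}" if n else "not derivable"))
    print(f"random 10-char password: ~{brute_force_bits(10):.0f} bits of "
          f"brute force, nothing inherited from the old one")
```

The rotated passwords fall at guess one or a few guesses in, well inside any lockout threshold, while the random replacement is simply not on the list and has to be brute-forced at around 65 bits for ten printable characters.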

The problem with randomly generated passwords is that they are hard to remember, so people write them down. That shifts the security issue from the virtual world to the physical world, which is a mixed blessing. On the one hand, staff are more familiar with and better trained in physical security (doors, locks, keys and so on) and protect their passwords more naturally in that world. On the other, in the case of espionage, physical security is one of the most commonly compromised elements.

A side effect of forced password changes is that users raise more support requests when they lock themselves out during a changeover. That pushes the support process to be streamlined, and the basic identity check required before resetting a user's password is often forgotten. Try ringing your support desk and pretending to be your boss!

So my longer answer to the question is that password expiry generally does not improve security, because of human nature, and is therefore evil.


1 comment:

Dushan Hanuska said...

I cannot agree with you more.

I used to work for a company that developed and maintained a web application for a large bank. Once this application was in production we rarely needed to visit the bank's site for maintenance. But when we did I often found myself requesting a password reset as the first thing, because the previous password had expired.

Was this more secure? Maybe, but definitely more hassle.