Today there was a question pitched by one of the guys at work as to why we bother having such things as a password expiry / enforced change. My answer (in true Rob fashion), rambled a little (ok, a lot) but I’ve consolidated it below and made it generic to suit anyone facing the same line of questioning…
The reason passwords are set to expire is that it limits the window of exposure when credentials are compromised.
If someone were to ‘shoulder surf’ you as you logged in or unlocked your screen saver, they could then impersonate you on the network, performing actions that you are responsible for (or at least linked to via logs/audits).
- If your password never expires, they can continue doing this until such time as you forget your password and a new one is created, or you choose to change your password of your own volition.
By the same token, if a malicious person didn’t have physical access to you (to see you type in your password), they could try to guess what your password is using knowledge of our complexity rules combined with common user behaviours.
- Common behaviours are to use ‘dictionary based’ words, with or without substitution of common letters for numbers/symbols.
- The bad guys have already thought of this and there are password lists based on dictionary words, dictionary words with common substitutions and common patterns such as 123456, qwerty etc.
- They’d probably also insert the names of the significant people/pets/dates in your life into the attack file, so they may need to friend you on Facebook to grab some of that first.
Culturally, we (people in general) do NOT value the security/secrecy of credentials, and the number of dictionary-based and easily brute-forced passwords currently in use is evidence of this. It’s my view (shared by others) that reliance on passwords/pass-phrases has had its day and more secure mechanisms are required for users to authenticate themselves to systems.
In the interim, IT departments continue to crank up the complexity requirements (with the trade-off of post-it notes or basic number/letter substitution into dictionary words) and/or decrease the password refresh timing (with similar outcomes).

User Experience is key…
The thing most technical folk neglect to account for is the user experience and the cultural change required for such initiatives to work. For those trying to enact change, there are some good tricks to get a memorable pass-phrase which does NOT include a dictionary word.
One method is to take a phrase with personal meaning to you (so it makes sense, is memorable and is unique-ish) and use the first letter of each word in the phrase, for example:
“Seriously, looking forward to Christmas and BBQs”
then swap a word for a number where it reads naturally (“to” becomes “2”) and throw another number on the end. That converts the phrase to “Slf2Cab1”: 8 characters, mixed case, contains numbers, no dictionary word… WIN.
Umm… just don’t use THIS EXAMPLE as your password, that would just be dumb 🙂

Bottom Line
Essentially, the expiry time-frame should be shorter than the time required to brute force the credentials. Exhaustively factoring a password (aaaaaaa1, aaaaaaa2, etc.) takes far longer than a dictionary-based attack (passwrd1, passwrd2, passwrd3…), because the dictionary attack only tries a list of likely candidates rather than every possible combination.
This is why we should require a significant amount of complexity: so that passwords must be factored and cannot be found via a dictionary.
The upshot of all of this is that processor cycles and bandwidth are cheap. Many services requiring a valid username and password have an account lockout policy that an attacker has to stay underneath while making guesses, but that constraint aside (and it does not apply at all to an offline attack against a stolen password hash), the only thing between your credentials and the bad guys getting a win is their ability to guess or factor your pass-phrase.
We set an expiry to ensure that:
- If your account is compromised (and the compromise goes undetected), it is only exposed until your next forced reset.
- If the bad guys are guessing your pass-phrase, they need to win before the next forced reset comes along and makes them begin from scratch, or before they trigger the account lockout.
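To make the bottom line concrete, here is an added example (mine, not part of the original post) that carries the reasoning above through in Python. It builds the first-letter pass-phrase from the user-experience section, checks whether a candidate is dictionary-shaped once trailing digits are stripped and common letter/number substitutions are undone, and then compares the expiry window against both an online guessing attack bounded by lockout and an offline attack against a stolen hash. The wordlist, the offline guess rate (1e9 guesses per second), the lockout policy (5 attempts per 30-minute window) and the 90-day expiry are assumed values, not figures from the post; the mnemonic function keeps each initial’s case as typed, so the post’s phrase comes out as “Slf2CaB1” rather than the lowercase-b form shown above.

```python
import string

# Constructed, deliberately tiny wordlist standing in for the dictionary and
# leaked-password lists the post mentions. A real attack list has millions of entries.
WORDLIST = {"password", "welcome", "summer", "christmas", "qwerty", "letmein"}

# Common letter-for-number/symbol substitutions that crackers undo (and apply) automatically.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def mnemonic(phrase, word_swaps=None, suffix="1"):
    """Pass-phrase from the initial of each word, as described in the post.

    Words listed in word_swaps (assumed default: 'to' -> '2') are replaced by a digit
    instead of contributing an initial; suffix is appended at the end. Case of each
    initial is kept as typed.
    """
    word_swaps = {"to": "2"} if word_swaps is None else word_swaps
    initials = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if word:
            initials.append(word_swaps.get(word.lower(), word[0]))
    return "".join(initials) + suffix


def looks_dictionary_based(pw, wordlist=WORDLIST):
    """True when the password is a wordlist entry once trailing digits are stripped and
    common substitutions are undone: exactly the shape a dictionary attack finds first."""
    core = pw.rstrip(string.digits).translate(LEET).lower()
    return core in wordlist


def charset_size(pw):
    """Alphabet an attacker must assume, derived from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(pw):
    """Candidates an exhaustive ('factoring') attack must try in the worst case."""
    return charset_size(pw) ** len(pw)


def max_online_guesses(expiry_days, lockout_threshold, lockout_window_minutes):
    """Guesses an attacker can make against the live login before expiry while staying
    under lockout: threshold - 1 attempts per observation window."""
    windows = int(expiry_days * 24 * 60 // lockout_window_minutes)
    return windows * (lockout_threshold - 1)


def attack_outcome(pw, expiry_days, offline_guesses_per_sec=1e9,
                   lockout_threshold=5, lockout_window_minutes=30):
    """Does the expiry window beat each attack class for this password?

    offline_guesses_per_sec is an assumed rate for cracking a stolen hash; the lockout
    policy and expiry are assumed too. A dictionary-shaped password is counted as lost
    under both attacks, since a likely-candidate list fits inside the online budget.
    """
    dictionary_hit = looks_dictionary_based(pw)
    offline_seconds = keyspace(pw) / offline_guesses_per_sec
    online_budget = max_online_guesses(expiry_days, lockout_threshold, lockout_window_minutes)
    return {
        "dictionary_hit": dictionary_hit,
        "offline_cracked_before_expiry": dictionary_hit or offline_seconds <= expiry_days * 86400,
        "online_cracked_before_expiry": dictionary_hit or online_budget >= keyspace(pw),
        "offline_days_to_exhaust": offline_seconds / 86400,
        "online_guesses_before_expiry": online_budget,
    }


if __name__ == "__main__":
    # Constructed candidates: a leet-speak dictionary word, the post's mnemonic, and a longer one.
    for candidate in ("P@ssw0rd1",
                      mnemonic("Seriously, looking forward to Christmas and BBQs"),
                      "Slf2CaB1!2016?"):
        print(candidate, attack_outcome(candidate, expiry_days=90))
```

Under these assumptions the 8-character mnemonic survives the whole 90 days against lockout-bounded online guessing (about 17,000 attempts against a keyspace of 62^8), but an offline attack on a stolen hash exhausts that keyspace in roughly two and a half days, so the “expiry shorter than brute-force time” rule only holds for it in the online case. Adding a few more words and a symbol (the 14-character candidate) pushes the exhaustive search well past any sane expiry, which is the real lever the user-experience trick gives you.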
Hope that helps answer some of the questions you may be getting…