The logic behind so-called "best practices". Question one: password expiration
-
@scottalanmiller said:
Never is probably bad, you don't want passwords to not change for decades.
Why?
When I joined my current company, passwords were set to never expire, and I didn't do anything about. Call it laziness or prioritisation. We then took on some government work and they enforced a load of security policies on any users that working on the contract. One of these was 30 day password expiration. So I implemented that policy for about half of our users (the ones who worked on the government contract).
That contract is over, and I've always thought 30 days is way too often to be practical, so I went to change it to something else. I read a comment you made before about setting it to a year, and thought, yeah, that's sounds ok, so I've set it to that. But I started thinking, why a year? Why is a year better than no expiry? Again, it seems like such an arbitrary number - 365.
I know it's not the same thing, but my bank has introduced more and more hoops I have to jump through to access my money in order to make access more secure. But one thing they have never made me change is my password. I've been using the same password for years. It makes me think there is no purpose to changing a password. The age of the password is not the weak link in the security. It's not where the focus should be.
-
So ask yourself, what are you trying to mitigate by requiring a password change?
The first thing that comes to mind is a password that's gotten loose. Let's say someone gets your password, if you NEVER change it, they have that access forever.
The bank doesn't worry about this because they have other things in place to help protect you, the hoops you mention. If AD had those hoops as well, then perhaps a never would be possible, though I still 'feel' that it's not a good idea.
-
It's been proven that a fully complex 8 or 10 character password is not nearly as secure as as 22 character password that subtracts the special characters part of the equation. I think password expiration of a year makes sense. It helps prevent lost or intentionally shared passwords from staying in use, and if an old employee with malicious intentions knew some secretary's password because it never changed or expired, that's a security risk. But people who think forcing long and complex passwords that change regularly increases security, in a remote attack sense, I'd agree. However, you become infinitely more vulnerable from social engineering attacks.
-
@Dashrender said:
Let's say someone gets your password, if you NEVER change it, they have that access forever.
What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months? Chances are, if someone has it, the damage will be done pretty much straight away. I don't see how password expiration helps me here at all.
If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.
-
@Carnival-Boy said:
If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.
I'm not sure that applies to non admin accounts. You want access so you can keep syphoning off data, etc.
Of course for an admin one, you'd want to be watching the logs for unexpected newly created users. Having a backdoor still generally requires credentials.
-
@Carnival-Boy said:
@Dashrender said:
Let's say someone gets your password, if you NEVER change it, they have that access forever.
What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months? Chances are, if someone has it, the damage will be done pretty much straight away. I don't see how password expiration helps me here at all.
If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.
Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
People who are going to act upon gaining information like that right away are generally looking for it. In that way, an immediate attack is likely. The wildcards you can't account for are the credentials that float around out there forever and then get used by people you wouldn't have expected at first due to a change of circumstances.
-
I'm in agreement on changing passwords when people leave. But other than that, once a year is plenty if you have to have them expire.
-
@thanksaj said:
Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Again, 365 seems an arbitrary number to me.
-
@Carnival-Boy said:
@thanksaj said:
Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Again, 365 seems an arbitrary number to me.
There is no perfect solution sadly. If you want to look at it that way, if it's a reasonable size company, whenever an employee leaves and once a year would make sense.
-
@Dashrender said:
I'm not sure that applies to non admin accounts. You want access so you can keep syphoning off data, etc.
All the security attack demos I've seen have involved getting into the network via a non admin account and then quickly getting access to an admin account, and/or installing malicious software. The non admin account has always been the way into the network but it's never been used once inside. It's like a burglar climbing through the window, but after that using the front door to take stuff out.
-
@Dashrender said:
I'll argue that it offers no security benefits, but the rest I'll grant you.
What security do you believe that it provides? Computers, knowing that those requirements are there, compensate for them. A computer cracking your password has no way to know that you made it "harder" but the humans trying to remember them do.
-
@Carnival-Boy said:
@scottalanmiller said:
Never is probably bad, you don't want passwords to not change for decades.
Why?
Time to crack. If a password never changes (or doesn't for a REALLY) long time, you risk greater exposure. Even a really long password, given decades to attack it, might get broken. But more likely it will get compromised some other way along the way. Changing them once in a great while (years) gives you a chance to reset the system and not allow old compromises of one system to affect another. It's a balancing act and I'd certainly take "never change" over anything under a year. But if my choices were every five years or never, I'd take every five years.
-
@Carnival-Boy said:
The age of the password is not the weak link in the security. It's not where the focus should be.
Agreed. Nor is the human complexity. The length and keeping it secure are the two important factors.
-
@Carnival-Boy said:
@Dashrender said:
Let's say someone gets your password, if you NEVER change it, they have that access forever.
What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months?
Two thoughts here.
-
First it changes every twelve months, any compromise will, we assume, be an average of six months into that. So it is only six months during which you are at risk in the event of an average exposure (average, obviously, could be a year, could be minutes.) Assuming it is not compromised through direct release (I told someone my access credentials) or cracking (they brute forced in the account) we assume that it is compromised via use elsewhere, accidental disclosure, etc. That means that a criminal trying to figure out how to use those credentials has an average of only six months in which to do it. That's much harder than "use anytime in the indefinite future."
-
Two is that changing sometimes means that other mistakes, like accidentally unlocked accounts, can't be compromised for forever. They will time out on their own. So even if something is missed and someone never uses a system, an old password won't linger as an attack point indefinitely.
-
-
@Carnival-Boy said:
If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.
True, but the backdoor might flag you. You probably hope that the access to do things again is still there.
Also, nothing guarantees that you can make a back door. The initial access might be all that you ever get. For the average criminal, that's all that they can muster.
-
@scottalanmiller said:
Time to crack. If a password never changes (or doesn't for a REALLY) long time, you risk greater exposure.
No-one is going to spend a year attempting to crack a password for a typical SMB. They'll either crack it in a day, or a few hours, or give up.
-
@Carnival-Boy said:
Again, 365 seems an arbitrary number to me.
It's somewhat arbitrary but it is based around humans, which will always seem kind of arbitrary. It is about being as short as possible without causing people to be unable to handle it.
-
@Carnival-Boy said:
No-one is going to spend a year attempting to crack a password for a typical SMB. They'll either crack it in a day, or a few hours, or give up.
Agreed. Not applicable if looking for an industry-wide best practice. But applicable if we are only looking at low value target SMBs. The average firm has very little worth stealing, the cost to steal only has to be higher than the value of what can be stolen.
-
@Carnival-Boy said:
All the security attack demos I've seen have involved getting into the network via a non admin account and then quickly getting access to an admin account, and/or installing malicious software. The non admin account has always been the way into the network but it's never been used once inside. It's like a burglar climbing through the window, but after that using the front door to take stuff out.
Depends if your goal is to protect against a professional (or nearly so) external attacker or if you are trying to protect against the bulk of attacks, which are internal ones.
The biggest password threat is it being written down or shared. Lots of people do this. If someone was to casually get someone else's password through normal transactions and later, maybe a year or two, became disgruntled, it is nice to know that the chances that the passwords that were incorrectly shared with them no longer work.
-
@scottalanmiller said:
Two is that changing sometimes means that other mistakes, like accidentally unlocked accounts, can't be compromised for forever.
This is a great point. It's basically doing one practice in order to mitigate against bad practices elsewhere (like keeping on top of expired accounts).
This brings me to the main reason I expire passwords. I work in a culture of password sharing amongst users. Instead of addressing this culture (through a mix of user education and management enforcement), I use password expiration to mitigate the effects of the culture. This takes two forms:
- Constantly changing passwords makes it inconvenient for users to share passwords. If you make something inconvenient, they are less likely to do it.
- People will forget to tell people their new user passwords, so the shared password has expired.
Many times I've had a user phone me up and say this:
Sue: "I'm trying to log on to Bob's PC but it says the password is invalid".
Me: "Well, maybe you have the wrong password"
Sue: "Well, I wrote it down and I've used it before"
Me: "Well then, you probably have his old password but not his new password"
Sue: "Oh, ok. Can you tell me what his new password is then?"
Me: "No. I don't know what it is either."
Sue: "So I can't log in using Bob's credentials any more"
Me: "No!"