The logic behind so-called "best practices". Question one: password expiration
-
@Carnival-Boy said:
@Dashrender said:
Let's say someone gets your password, if you NEVER change it, they have that access forever.
What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months? Chances are, if someone has it, the damage will be done pretty much straight away. I don't see how password expiration helps me here at all.
If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.
Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
People who are going to act upon gaining information like that right away are generally looking for it. In that way, an immediate attack is likely. The wildcards you can't account for are the credentials that float around out there forever and then get used by people you wouldn't have expected at first due to a change of circumstances.
-
I'm in agreement on changing passwords when people leave. But other than that, once a year is plenty if you have to have them expire.
-
@thanksaj said:
Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Again, 365 seems an arbitrary number to me.
-
@Carnival-Boy said:
@thanksaj said:
Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.
Again, 365 seems an arbitrary number to me.
There is no perfect solution sadly. If you want to look at it that way, if it's a reasonable size company, whenever an employee leaves and once a year would make sense.
-
@Dashrender said:
I'm not sure that applies to non admin accounts. You want access so you can keep syphoning off data, etc.
All the security attack demos I've seen have involved getting into the network via a non admin account and then quickly getting access to an admin account, and/or installing malicious software. The non admin account has always been the way into the network but it's never been used once inside. It's like a burglar climbing through the window, but after that using the front door to take stuff out.
-
@Dashrender said:
I'll argue that it offers no security benefits, but the rest I'll grant you.
What security do you believe that it provides? Computers, knowing that those requirements are there, compensate for them. A computer cracking your password has no way to know that you made it "harder" but the humans trying to remember them do.
-
@Carnival-Boy said:
@scottalanmiller said:
Never is probably bad, you don't want passwords to not change for decades.
Why?
Time to crack. If a password never changes (or doesn't for a REALLY) long time, you risk greater exposure. Even a really long password, given decades to attack it, might get broken. But more likely it will get compromised some other way along the way. Changing them once in a great while (years) gives you a chance to reset the system and not allow old compromises of one system to affect another. It's a balancing act and I'd certainly take "never change" over anything under a year. But if my choices were every five years or never, I'd take every five years.
-
@Carnival-Boy said:
The age of the password is not the weak link in the security. It's not where the focus should be.
Agreed. Nor is the human complexity. The length and keeping it secure are the two important factors.
-
@Carnival-Boy said:
@Dashrender said:
Let's say someone gets your password, if you NEVER change it, they have that access forever.
What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months?
Two thoughts here.
-
First it changes every twelve months, any compromise will, we assume, be an average of six months into that. So it is only six months during which you are at risk in the event of an average exposure (average, obviously, could be a year, could be minutes.) Assuming it is not compromised through direct release (I told someone my access credentials) or cracking (they brute forced in the account) we assume that it is compromised via use elsewhere, accidental disclosure, etc. That means that a criminal trying to figure out how to use those credentials has an average of only six months in which to do it. That's much harder than "use anytime in the indefinite future."
-
Two is that changing sometimes means that other mistakes, like accidentally unlocked accounts, can't be compromised for forever. They will time out on their own. So even if something is missed and someone never uses a system, an old password won't linger as an attack point indefinitely.
-
-
@Carnival-Boy said:
If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.
True, but the backdoor might flag you. You probably hope that the access to do things again is still there.
Also, nothing guarantees that you can make a back door. The initial access might be all that you ever get. For the average criminal, that's all that they can muster.
-
@scottalanmiller said:
Time to crack. If a password never changes (or doesn't for a REALLY) long time, you risk greater exposure.
No-one is going to spend a year attempting to crack a password for a typical SMB. They'll either crack it in a day, or a few hours, or give up.
-
@Carnival-Boy said:
Again, 365 seems an arbitrary number to me.
It's somewhat arbitrary but it is based around humans, which will always seem kind of arbitrary. It is about being as short as possible without causing people to be unable to handle it.
-
@Carnival-Boy said:
No-one is going to spend a year attempting to crack a password for a typical SMB. They'll either crack it in a day, or a few hours, or give up.
Agreed. Not applicable if looking for an industry-wide best practice. But applicable if we are only looking at low value target SMBs. The average firm has very little worth stealing, the cost to steal only has to be higher than the value of what can be stolen.
-
@Carnival-Boy said:
All the security attack demos I've seen have involved getting into the network via a non admin account and then quickly getting access to an admin account, and/or installing malicious software. The non admin account has always been the way into the network but it's never been used once inside. It's like a burglar climbing through the window, but after that using the front door to take stuff out.
Depends if your goal is to protect against a professional (or nearly so) external attacker or if you are trying to protect against the bulk of attacks, which are internal ones.
The biggest password threat is it being written down or shared. Lots of people do this. If someone was to casually get someone else's password through normal transactions and later, maybe a year or two, became disgruntled, it is nice to know that the chances that the passwords that were incorrectly shared with them no longer work.
-
@scottalanmiller said:
Two is that changing sometimes means that other mistakes, like accidentally unlocked accounts, can't be compromised for forever.
This is a great point. It's basically doing one practice in order to mitigate against bad practices elsewhere (like keeping on top of expired accounts).
This brings me to the main reason I expire passwords. I work in a culture of password sharing amongst users. Instead of addressing this culture (through a mix of user education and management enforcement), I use password expiration to mitigate the effects of the culture. This takes two forms:
- Constantly changing passwords makes it inconvenient for users to share passwords. If you make something inconvenient, they are less likely to do it.
- People will forget to tell people their new user passwords, so the shared password has expired.
Many times I've had a user phone me up and say this:
Sue: "I'm trying to log on to Bob's PC but it says the password is invalid".
Me: "Well, maybe you have the wrong password"
Sue: "Well, I wrote it down and I've used it before"
Me: "Well then, you probably have his old password but not his new password"
Sue: "Oh, ok. Can you tell me what his new password is then?"
Me: "No. I don't know what it is either."
Sue: "So I can't log in using Bob's credentials any more"
Me: "No!" -
@scottalanmiller said:
If someone was to casually get someone else's password through normal transactions and later, maybe a year or two, became disgruntled, it is nice to know that the chances that the passwords that were incorrectly shared with them no longer work.
Yeah, that was AJ's point. But if that is an issue, the risk of it happening reduces the shorter your expiration time. So 90 days becomes better than 365 days, for example.
I appreciate it's finding a balance between all the different kinds of risks and trying to come up with a magic number.
-
@Carnival-Boy said:
Yeah, that was AJ's point. But if that is an issue, the risk of it happening reduces the shorter your expiration time. So 90 days becomes better than 365 days, for example.
But 90 days is widely seen as infuriating to users and way below the "I don't care and am just writing it down now" threshold for a lot of people.
-
@scottalanmiller said:
@Carnival-Boy said:
Yeah, that was AJ's point. But if that is an issue, the risk of it happening reduces the shorter your expiration time. So 90 days becomes better than 365 days, for example.
But 90 days is widely seen as infuriating to users and way below the "I don't care and am just writing it down now" threshold for a lot of people.
We change every 90 days. Users love to spout out their passwords to me. One pattern i see on our users is they make their passwords like this Password1!, Password2!, Password3!
No problem because that can be changed right? Then they do this.... FirstChild'sName!, SecondChild'sName!, Dog'sName!
In reality those are just as weak as Password1!, Password2!, etc -
@IRJ said:
@scottalanmiller said:
@Carnival-Boy said:
Yeah, that was AJ's point. But if that is an issue, the risk of it happening reduces the shorter your expiration time. So 90 days becomes better than 365 days, for example.
But 90 days is widely seen as infuriating to users and way below the "I don't care and am just writing it down now" threshold for a lot of people.
We change every 90 days. Users love to spout out their passwords to me. One pattern i see on our users is they make their passwords like this Password1!, Password2!, Password3!
No problem because that can be changed right? Then they do this.... FirstChild'sName!, SecondChild'sName!, Dog'sName!
In reality those are just as weak as Password1!, Password2!, etcThere is a simple solution... stop making them change it that often. Do that to me and I stop caring about the "security" of the company too and will resort to the same thing.
-
tl;dr all the others.
Our password policy is change every 42 days with complexity and length requirements... Because audit requirements.
Lolwut? I hear you ask, well working is a subsidiary of a government department means we are still a part of it and are entitled to have these forced upon us.