The logic behind so-called "best practices". Question one: password expiration



  • OK, Spiceworks drives me nuts sometimes, because people just write certain things and when I question it they say "it's best practice". When I ask why, I never seem to get much of a response. More times than not I'll just get abuse - statements like "I'm glad you don't work for me", or "You're doing IT wrong".
    I'm a big fan of best practice. I don't believe in doing your own thing when thousands of IT Pros have learnt things the hard way. I believe in the wisdom of crowds.

    But a lot of the time, I just really want to understand the logic, or to review the evidence. I can't just blindly follow "best practice" without understanding it That's just my make up. People call me a contrarian, and not in a good way, but I don't think I am. I just like to understand
    stuff. Everyone else seems to see everything in very black and white terms, whilst life is all grey to me.

    Anyway, Spiceworks isn't a great place for discussing the reasoning behind best practices. At least, I haven't found it. @scottalanmiller often engages in my "but why?" posts, and I really appreciate that, but not many others do. I'm hoping ML might be a better forum.

    One best practice that came up this week on Spiceworks, that has got me thinking, is about password expiration. Specifically in Active Directory. What do you set your maximum password age to. 30 days, 60, 180, 365, next expire? These seem arbitrary numbers to me.

    Simple question: what is your preferred expiry policy and (and this is the important bit of my question) why?



  • My opinion is that password expiration should be very long, say one year at a minimum, or set to never. Never is probably bad, you don't want passwords to not change for decades. But a year or two is great. The faster (more often) you make people reset passwords the harder they are to remember so they more likely people will be to make them short and easy to compromise.

    The best option, IMHO, is really long password duration with tons of employee training and coaching on how to make good passwords.



  • Anything that does a rapid password change rate undermines security. Humans are bad with passwords, computers are good with them. If you quadruple the time period that passwords can exist but get them to be one or two characters longer, you win from a security standpoint. And anything that forces users to write them down is a complete fail.



  • Agreed - I'd rather have strong passwords that never expire. The more you make them expire, the more people write them down.



  • @Nic said:

    Agreed - I'd rather have strong passwords that never expire. The more you make them expire, the more people write them down.

    Exactly. Post-its under the keyboard happen when they change too often...



  • Or worse, right on the monitor...



  • A best practice is often just one person's opinion. Sometimes they are backed up, sometimes not.

    As for password expiration, I tend to agree yearly with a password complexity of non dictionary, 8+, must include at least one lower, one upper, one numeric and one special will make the average cracking time several thousand years.

    As a mitigation for lost control of passwords, it would be nice if things like AD could challenge a user for additional authentication when using an abnormal device, like Facebook and Google can.



  • @Dashrender said:

    As for password expiration, I tend to agree yearly with a password complexity of non dictionary, 8+, must include at least one lower, one upper, one numeric and one special will make the average cracking time several thousand years.

    I would never allow that. Forcing characters like that violates the best practices of any security person I've ever known. That's exactly what makes people have to write it down and makes it short. Enforce length, sure, but never complexity. Complexity doesn't make passwords more security, it makes them harder to secure. It offers no security benefits but undermines how humans protect themselves.



  • @scottalanmiller said:

    @Dashrender said:

    As for password expiration, I tend to agree yearly with a password complexity of non dictionary, 8+, must include at least one lower, one upper, one numeric and one special will make the average cracking time several thousand years.

    I would never allow that. Forcing characters like that violates the best practices of any security person I've ever known. That's exactly what makes people have to write it down and makes it short. Enforce length, sure, but never complexity. Complexity doesn't make passwords more security, it makes them harder to secure. It offers no security benefits but undermines how humans protect themselves.

    I'll argue that it offers no security benefits, but the rest I'll grant you.
    And if you're only going to require length, then you need to push this to 12+ characters.



  • @scottalanmiller said:

    Never is probably bad, you don't want passwords to not change for decades.

    Why?

    When I joined my current company, passwords were set to never expire, and I didn't do anything about. Call it laziness or prioritisation. We then took on some government work and they enforced a load of security policies on any users that working on the contract. One of these was 30 day password expiration. So I implemented that policy for about half of our users (the ones who worked on the government contract).

    That contract is over, and I've always thought 30 days is way too often to be practical, so I went to change it to something else. I read a comment you made before about setting it to a year, and thought, yeah, that's sounds ok, so I've set it to that. But I started thinking, why a year? Why is a year better than no expiry? Again, it seems like such an arbitrary number - 365.

    I know it's not the same thing, but my bank has introduced more and more hoops I have to jump through to access my money in order to make access more secure. But one thing they have never made me change is my password. I've been using the same password for years. It makes me think there is no purpose to changing a password. The age of the password is not the weak link in the security. It's not where the focus should be.



  • So ask yourself, what are you trying to mitigate by requiring a password change?

    The first thing that comes to mind is a password that's gotten loose. Let's say someone gets your password, if you NEVER change it, they have that access forever.

    The bank doesn't worry about this because they have other things in place to help protect you, the hoops you mention. If AD had those hoops as well, then perhaps a never would be possible, though I still 'feel' that it's not a good idea.



  • It's been proven that a fully complex 8 or 10 character password is not nearly as secure as as 22 character password that subtracts the special characters part of the equation. I think password expiration of a year makes sense. It helps prevent lost or intentionally shared passwords from staying in use, and if an old employee with malicious intentions knew some secretary's password because it never changed or expired, that's a security risk. But people who think forcing long and complex passwords that change regularly increases security, in a remote attack sense, I'd agree. However, you become infinitely more vulnerable from social engineering attacks.



  • @Dashrender said:

    Let's say someone gets your password, if you NEVER change it, they have that access forever.

    What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months? Chances are, if someone has it, the damage will be done pretty much straight away. I don't see how password expiration helps me here at all.

    If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.



  • @Carnival-Boy said:

    If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.

    I'm not sure that applies to non admin accounts. You want access so you can keep syphoning off data, etc.

    Of course for an admin one, you'd want to be watching the logs for unexpected newly created users. Having a backdoor still generally requires credentials.



  • @Carnival-Boy said:

    @Dashrender said:

    Let's say someone gets your password, if you NEVER change it, they have that access forever.

    What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months? Chances are, if someone has it, the damage will be done pretty much straight away. I don't see how password expiration helps me here at all.

    If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.

    Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

    People who are going to act upon gaining information like that right away are generally looking for it. In that way, an immediate attack is likely. The wildcards you can't account for are the credentials that float around out there forever and then get used by people you wouldn't have expected at first due to a change of circumstances.



  • I'm in agreement on changing passwords when people leave. But other than that, once a year is plenty if you have to have them expire.



  • @thanksaj said:

    Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

    Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

    Again, 365 seems an arbitrary number to me.



  • @Carnival-Boy said:

    @thanksaj said:

    Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

    Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

    Again, 365 seems an arbitrary number to me.

    There is no perfect solution sadly. If you want to look at it that way, if it's a reasonable size company, whenever an employee leaves and once a year would make sense.



  • @Dashrender said:

    I'm not sure that applies to non admin accounts. You want access so you can keep syphoning off data, etc.

    All the security attack demos I've seen have involved getting into the network via a non admin account and then quickly getting access to an admin account, and/or installing malicious software. The non admin account has always been the way into the network but it's never been used once inside. It's like a burglar climbing through the window, but after that using the front door to take stuff out.



  • @Dashrender said:

    I'll argue that it offers no security benefits, but the rest I'll grant you.

    What security do you believe that it provides? Computers, knowing that those requirements are there, compensate for them. A computer cracking your password has no way to know that you made it "harder" but the humans trying to remember them do.



  • @Carnival-Boy said:

    @scottalanmiller said:

    Never is probably bad, you don't want passwords to not change for decades.

    Why?

    Time to crack. If a password never changes (or doesn't for a REALLY) long time, you risk greater exposure. Even a really long password, given decades to attack it, might get broken. But more likely it will get compromised some other way along the way. Changing them once in a great while (years) gives you a chance to reset the system and not allow old compromises of one system to affect another. It's a balancing act and I'd certainly take "never change" over anything under a year. But if my choices were every five years or never, I'd take every five years.



  • @Carnival-Boy said:

    The age of the password is not the weak link in the security. It's not where the focus should be.

    Agreed. Nor is the human complexity. The length and keeping it secure are the two important factors.



  • @Carnival-Boy said:

    @Dashrender said:

    Let's say someone gets your password, if you NEVER change it, they have that access forever.

    What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months?

    Two thoughts here.

    • First it changes every twelve months, any compromise will, we assume, be an average of six months into that. So it is only six months during which you are at risk in the event of an average exposure (average, obviously, could be a year, could be minutes.) Assuming it is not compromised through direct release (I told someone my access credentials) or cracking (they brute forced in the account) we assume that it is compromised via use elsewhere, accidental disclosure, etc. That means that a criminal trying to figure out how to use those credentials has an average of only six months in which to do it. That's much harder than "use anytime in the indefinite future."

    • Two is that changing sometimes means that other mistakes, like accidentally unlocked accounts, can't be compromised for forever. They will time out on their own. So even if something is missed and someone never uses a system, an old password won't linger as an attack point indefinitely.



  • @Carnival-Boy said:

    If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.

    True, but the backdoor might flag you. You probably hope that the access to do things again is still there.

    Also, nothing guarantees that you can make a back door. The initial access might be all that you ever get. For the average criminal, that's all that they can muster.



  • @scottalanmiller said:

    Time to crack. If a password never changes (or doesn't for a REALLY) long time, you risk greater exposure.

    No-one is going to spend a year attempting to crack a password for a typical SMB. They'll either crack it in a day, or a few hours, or give up.



  • @Carnival-Boy said:

    Again, 365 seems an arbitrary number to me.

    It's somewhat arbitrary but it is based around humans, which will always seem kind of arbitrary. It is about being as short as possible without causing people to be unable to handle it.



  • @Carnival-Boy said:

    No-one is going to spend a year attempting to crack a password for a typical SMB. They'll either crack it in a day, or a few hours, or give up.

    Agreed. Not applicable if looking for an industry-wide best practice. But applicable if we are only looking at low value target SMBs. The average firm has very little worth stealing, the cost to steal only has to be higher than the value of what can be stolen.



  • @Carnival-Boy said:

    All the security attack demos I've seen have involved getting into the network via a non admin account and then quickly getting access to an admin account, and/or installing malicious software. The non admin account has always been the way into the network but it's never been used once inside. It's like a burglar climbing through the window, but after that using the front door to take stuff out.

    Depends if your goal is to protect against a professional (or nearly so) external attacker or if you are trying to protect against the bulk of attacks, which are internal ones.

    The biggest password threat is it being written down or shared. Lots of people do this. If someone was to casually get someone else's password through normal transactions and later, maybe a year or two, became disgruntled, it is nice to know that the chances that the passwords that were incorrectly shared with them no longer work.



  • @scottalanmiller said:

    Two is that changing sometimes means that other mistakes, like accidentally unlocked accounts, can't be compromised for forever.

    This is a great point. It's basically doing one practice in order to mitigate against bad practices elsewhere (like keeping on top of expired accounts).

    This brings me to the main reason I expire passwords. I work in a culture of password sharing amongst users. Instead of addressing this culture (through a mix of user education and management enforcement), I use password expiration to mitigate the effects of the culture. This takes two forms:

    1. Constantly changing passwords makes it inconvenient for users to share passwords. If you make something inconvenient, they are less likely to do it.
    2. People will forget to tell people their new user passwords, so the shared password has expired.

    Many times I've had a user phone me up and say this:

    Sue: "I'm trying to log on to Bob's PC but it says the password is invalid".
    Me: "Well, maybe you have the wrong password"
    Sue: "Well, I wrote it down and I've used it before"
    Me: "Well then, you probably have his old password but not his new password"
    Sue: "Oh, ok. Can you tell me what his new password is then?"
    Me: "No. I don't know what it is either."
    Sue: "So I can't log in using Bob's credentials any more"
    Me: "No!"



  • @scottalanmiller said:

    If someone was to casually get someone else's password through normal transactions and later, maybe a year or two, became disgruntled, it is nice to know that the chances that the passwords that were incorrectly shared with them no longer work.

    Yeah, that was AJ's point. But if that is an issue, the risk of it happening reduces the shorter your expiration time. So 90 days becomes better than 365 days, for example.

    I appreciate it's finding a balance between all the different kinds of risks and trying to come up with a magic number.


Log in to reply