ML
    The logic behind so-called "best practices". Question one: password expiration

IT Discussion | 39 Posts, 7 Posters, 4.3k Views
Carnival Boy

      OK, Spiceworks drives me nuts sometimes, because people just write certain things and when I question it they say "it's best practice". When I ask why, I never seem to get much of a response. More times than not I'll just get abuse - statements like "I'm glad you don't work for me", or "You're doing IT wrong".
      I'm a big fan of best practice. I don't believe in doing your own thing when thousands of IT Pros have learnt things the hard way. I believe in the wisdom of crowds.

But a lot of the time, I just really want to understand the logic, or to review the evidence. I can't just blindly follow "best practice" without understanding it. That's just my make-up. People call me a contrarian, and not in a good way, but I don't think I am. I just like to understand stuff. Everyone else seems to see everything in very black and white terms, whilst life is all grey to me.

      Anyway, Spiceworks isn't a great place for discussing the reasoning behind best practices. At least, I haven't found it. @scottalanmiller often engages in my "but why?" posts, and I really appreciate that, but not many others do. I'm hoping ML might be a better forum.

One best practice that came up this week on Spiceworks, that has got me thinking, is about password expiration. Specifically in Active Directory. What do you set your maximum password age to? 30 days, 60, 180, 365, never expire? These seem arbitrary numbers to me.

Simple question: what is your preferred expiry policy and (this is the important bit of my question) why?

scottalanmiller

My opinion is that password expiration should be very long, say one year at a minimum, or set to never. Never is probably bad, you don't want passwords to not change for decades. But a year or two is great. The faster (more often) you make people reset passwords, the harder they are to remember, so the more likely people will be to make them short and easy to compromise.

        The best option, IMHO, is really long password duration with tons of employee training and coaching on how to make good passwords.

scottalanmiller

          Anything that does a rapid password change rate undermines security. Humans are bad with passwords, computers are good with them. If you quadruple the time period that passwords can exist but get them to be one or two characters longer, you win from a security standpoint. And anything that forces users to write them down is a complete fail.

Nic

            Agreed - I'd rather have strong passwords that never expire. The more you make them expire, the more people write them down.

thanksajdotcom @Nic

              @Nic said:

              Agreed - I'd rather have strong passwords that never expire. The more you make them expire, the more people write them down.

              Exactly. Post-its under the keyboard happen when they change too often...

thanksajdotcom

                Or worse, right on the monitor...

Dashrender

                  A best practice is often just one person's opinion. Sometimes they are backed up, sometimes not.

As for password expiration, I tend to agree: yearly, with a password complexity of non-dictionary, 8+, must include at least one lower, one upper, one numeric and one special will make the average cracking time several thousand years.

                  As a mitigation for lost control of passwords, it would be nice if things like AD could challenge a user for additional authentication when using an abnormal device, like Facebook and Google can.

scottalanmiller @Dashrender

                    @Dashrender said:

As for password expiration, I tend to agree: yearly, with a password complexity of non-dictionary, 8+, must include at least one lower, one upper, one numeric and one special will make the average cracking time several thousand years.

I would never allow that. Forcing characters like that violates the best practices of any security person I've ever known. That's exactly what makes people have to write it down and makes it short. Enforce length, sure, but never complexity. Complexity doesn't make passwords more secure, it makes them harder to secure. It offers no security benefits but undermines how humans protect themselves.

Dashrender @scottalanmiller

                      @scottalanmiller said:

                      @Dashrender said:

As for password expiration, I tend to agree: yearly, with a password complexity of non-dictionary, 8+, must include at least one lower, one upper, one numeric and one special will make the average cracking time several thousand years.

I would never allow that. Forcing characters like that violates the best practices of any security person I've ever known. That's exactly what makes people have to write it down and makes it short. Enforce length, sure, but never complexity. Complexity doesn't make passwords more secure, it makes them harder to secure. It offers no security benefits but undermines how humans protect themselves.

                      I'll argue that it offers no security benefits, but the rest I'll grant you.
                      And if you're only going to require length, then you need to push this to 12+ characters.

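The policy the posts above converge on (Scott's long expiry with length enforced instead of character classes, Dashrender's floor of 12+ characters) applied to an Active Directory domain, as a PowerShell example added here rather than code from any poster. It assumes the ActiveDirectory RSAT module, rights to edit the domain object, and that the current domain is the target; the specific numbers (365 days, 12 characters, 24 history entries, the lockout values) are the choices being illustrated, not settings any poster gave.

```powershell
# Added example, not from the thread. Applies the policy the posters above
# converge on to the default domain password policy: expiry about once a
# year, a length floor of 12 rather than character-class rules, a history so
# the old password cannot be reused, and lockout so a long-lived password is
# not exposed to unlimited online guessing. Assumes the ActiveDirectory RSAT
# module and rights to edit the domain object.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$fields   = 'MaxPasswordAge', 'MinPasswordAge', 'MinPasswordLength',
            'ComplexityEnabled', 'PasswordHistoryCount', 'LockoutThreshold'

# Record the current policy so the change can be reviewed or reverted.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domainDN
"Before:"
$before | Select-Object $fields | Format-List

Set-ADDefaultDomainPasswordPolicy -Identity $domainDN `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $false `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

# Read the policy back rather than trusting the call; this is what the
# domain controllers will actually enforce.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domainDN
"After:"
$after | Select-Object $fields | Format-List

# Checks a practitioner would script into the change ticket.
if ($after.MaxPasswordAge -ne (New-TimeSpan -Days 365)) { throw "MaxPasswordAge not applied" }
if ($after.ComplexityEnabled)                            { throw "Complexity still enabled" }
if ($after.MinPasswordLength -lt 12)                     { throw "MinPasswordLength below 12" }
```

One caveat: the same settings live in the Default Domain Policy GPO, and the PDC emulator re-applies that GPO's account policy on its refresh cycle, so a change made only with the cmdlet can be silently reverted. Make the matching change in the GPO (Account Policies > Password Policy and Account Lockout Policy) and re-run the read-back after the next refresh to confirm it stuck.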
Carnival Boy @scottalanmiller

                        @scottalanmiller said:

                        Never is probably bad, you don't want passwords to not change for decades.

                        Why?

When I joined my current company, passwords were set to never expire, and I didn't do anything about it. Call it laziness or prioritisation. We then took on some government work and they enforced a load of security policies on any users that were working on the contract. One of these was 30 day password expiration. So I implemented that policy for about half of our users (the ones who worked on the government contract).

That contract is over, and I've always thought 30 days is way too often to be practical, so I went to change it to something else. I read a comment you made before about setting it to a year, and thought, yeah, that sounds ok, so I've set it to that. But I started thinking, why a year? Why is a year better than no expiry? Again, it seems like such an arbitrary number - 365.

                        I know it's not the same thing, but my bank has introduced more and more hoops I have to jump through to access my money in order to make access more secure. But one thing they have never made me change is my password. I've been using the same password for years. It makes me think there is no purpose to changing a password. The age of the password is not the weak link in the security. It's not where the focus should be.

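Carnival Boy's situation above, a 30-day expiry for only the users on the government contract while everyone else keeps the domain default, is what Active Directory fine-grained password policies exist for. The following is a PowerShell example added here, not code from any poster: it creates a Password Settings Object (PSO), links it to a group, and then reports which policy actually wins for each member. It assumes the ActiveDirectory RSAT module, a domain functional level of Windows Server 2008 or later, rights to create PSOs, and the group and PSO names shown, which are invented for the example.

```powershell
# Added example, not from the thread. A stricter expiry for only some users
# is done with a Password Settings Object (PSO) linked to a group; the PSO
# overrides the domain default for its members and can be unlinked when the
# contract ends without touching anyone else. Needs the ActiveDirectory RSAT
# module, domain functional level 2008 or later, and rights to create PSOs.
Import-Module ActiveDirectory

$groupName = 'GovContract-Users'        # assumed group name
$psoName   = 'PSO-GovContract-30day'    # assumed PSO name

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    # When a user is covered by more than one PSO the lowest Precedence wins.
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 30) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 12 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -ReversibleEncryptionEnabled $false
}

Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Report the policy that actually applies to each member. AD returns the
# winning PSO, or nothing when the user falls back to the domain default.
$defaultMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $user = Get-ADUser -Identity $_.distinguishedName -Properties PasswordLastSet
        $pso  = Get-ADUserResultantPasswordPolicy -Identity $user
        $policyName = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
        $maxAgeDays = if ($pso) { $pso.MaxPasswordAge.Days } else { $defaultMaxAge.Days }
        [pscustomobject]@{
            User            = $user.SamAccountName
            Policy          = $policyName
            MaxAgeDays      = $maxAgeDays
            PasswordLastSet = $user.PasswordLastSet
        }
    } | Format-Table -AutoSize

# When the contract ends, unlink the PSO (or delete it with
# Remove-ADFineGrainedPasswordPolicy); members immediately fall back to the
# domain default, and their expiry is recomputed from PasswordLastSet.
# Remove-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
```

The report at the end is the check worth keeping: it tells you, per user, whether the 30-day rule is still in force after the contract ends, rather than assuming the unlink took effect.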
Dashrender

                          So ask yourself, what are you trying to mitigate by requiring a password change?

                          The first thing that comes to mind is a password that's gotten loose. Let's say someone gets your password, if you NEVER change it, they have that access forever.

                          The bank doesn't worry about this because they have other things in place to help protect you, the hoops you mention. If AD had those hoops as well, then perhaps a never would be possible, though I still 'feel' that it's not a good idea.

thanksajdotcom

It's been proven that a fully complex 8- or 10-character password is not nearly as secure as a 22-character password that subtracts the special characters part of the equation. I think password expiration of a year makes sense. It helps prevent lost or intentionally shared passwords from staying in use, and if an old employee with malicious intentions knew some secretary's password because it never changed or expired, that's a security risk. But people who think forcing long and complex passwords that change regularly increases security, in a remote attack sense, I'd agree. However, you become infinitely more vulnerable to social engineering attacks.

Carnival Boy @Dashrender

                              @Dashrender said:

                              Let's say someone gets your password, if you NEVER change it, they have that access forever.

                              What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months? Chances are, if someone has it, the damage will be done pretty much straight away. I don't see how password expiration helps me here at all.

                              If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.

Dashrender @Carnival Boy

                                @Carnival-Boy said:

                                If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.

                                I'm not sure that applies to non admin accounts. You want access so you can keep syphoning off data, etc.

                                Of course for an admin one, you'd want to be watching the logs for unexpected newly created users. Having a backdoor still generally requires credentials.

thanksajdotcom @Carnival Boy

                                  @Carnival-Boy said:

                                  @Dashrender said:

                                  Let's say someone gets your password, if you NEVER change it, they have that access forever.

                                  What's the difference between someone having it forever and someone having it for, say, 10 months. What is it that they will do after 12 months that they won't do in the first 12 months? Chances are, if someone has it, the damage will be done pretty much straight away. I don't see how password expiration helps me here at all.

                                  If I had someone's password, I wouldn't keep using it for more than a year. I'd use it once to create a backdoor entrance to whatever it is I want access to.

                                  Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

                                  People who are going to act upon gaining information like that right away are generally looking for it. In that way, an immediate attack is likely. The wildcards you can't account for are the credentials that float around out there forever and then get used by people you wouldn't have expected at first due to a change of circumstances.

Nic

                                    I'm in agreement on changing passwords when people leave. But other than that, once a year is plenty if you have to have them expire.

Carnival Boy @thanksajdotcom

                                      @thanksaj said:

                                      Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

                                      Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

                                      Again, 365 seems an arbitrary number to me.

thanksajdotcom @Carnival Boy

                                        @Carnival-Boy said:

                                        @thanksaj said:

                                        Think about it this way. Someone learns secretary Jane's password, which never expires. Three years later they are terminated under what they feel are unjust conditions. They remember that passwords never expire and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

                                        Or think about it this way. Someone learns secretary Jane's password, which expires annually. Three months later they are terminated under what they feel are unjust conditions. They remember that passwords expire every 12 months and decide to try accessing some company system with secretary Jane's login, and it works! Maybe she's the secretary for a C-level person, and has access to their calendar and even some confidential documents.

                                        Again, 365 seems an arbitrary number to me.

                                        There is no perfect solution sadly. If you want to look at it that way, if it's a reasonable size company, whenever an employee leaves and once a year would make sense.

Carnival Boy @Dashrender

                                          @Dashrender said:

                                          I'm not sure that applies to non admin accounts. You want access so you can keep syphoning off data, etc.

                                          All the security attack demos I've seen have involved getting into the network via a non admin account and then quickly getting access to an admin account, and/or installing malicious software. The non admin account has always been the way into the network but it's never been used once inside. It's like a burglar climbing through the window, but after that using the front door to take stuff out.

scottalanmiller @Dashrender

                                            @Dashrender said:

                                            I'll argue that it offers no security benefits, but the rest I'll grant you.

                                            What security do you believe that it provides? Computers, knowing that those requirements are there, compensate for them. A computer cracking your password has no way to know that you made it "harder" but the humans trying to remember them do.

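A PowerShell example added here, not from any poster, that puts numbers behind the length-versus-complexity points in this thread: Dashrender's 8+ characters with all four classes required, thanksaj's 22-character password without specials, and Scott's point just above that a rule the attacker knows is a rule the attacker can exploit. It counts the candidate passwords under each policy with inclusion-exclusion, so the effect of a "must contain one of each class" rule is computed rather than assumed. The alphabet is printable ASCII (95 symbols) and the 10^10 guesses per second figure is an assumption used only to turn counts into time; substitute the rate for the hash type you actually face.

```powershell
# Added example, not from the thread. Counts the passwords an attacker has to
# try under several of the policies discussed above, so the "length versus
# complexity" claims can be checked with arithmetic instead of intuition.
# Alphabet is printable ASCII (95 symbols); the guess rate is an assumed
# offline figure used only to convert counts into time.
$lower = 26; $upper = 26; $digit = 10; $special = 33
$printable        = $lower + $upper + $digit + $special   # 95
$guessesPerSecond = 1e10                                  # assumption

function Get-Keyspace {
    # Strings of length $Length over $Alphabet symbols that contain at least
    # one symbol from every class in $Required (class sizes). Inclusion-
    # exclusion: sum over subsets S of the required classes of
    #   (-1)^|S| * (Alphabet - size(S))^Length
    # With no required classes this reduces to Alphabet^Length.
    param([int]$Length, [int]$Alphabet, [int[]]$Required = @())
    $total = [bigint]::Zero
    $k = $Required.Count
    for ($mask = 0; $mask -lt (1 -shl $k); $mask++) {
        $excluded = 0; $bits = 0
        for ($i = 0; $i -lt $k; $i++) {
            if ($mask -band (1 -shl $i)) { $excluded += $Required[$i]; $bits++ }
        }
        $term = [bigint]::Pow($Alphabet - $excluded, $Length)
        if ($bits % 2 -eq 0) { $total += $term } else { $total -= $term }
    }
    return $total
}

function Get-YearsToExhaust([bigint]$Keyspace, [double]$Rate) {
    # Worst case for the attacker: every candidate tried once.
    [double]$Keyspace / $Rate / 31557600.0   # seconds in a Julian year
}

$policies = @(
    @{ Name = '8 chars, all four classes required'; Length = 8;  Alphabet = $printable; Required = @($lower, $upper, $digit, $special) }
    @{ Name = '8 chars, any printable, no rule';    Length = 8;  Alphabet = $printable; Required = @() }
    @{ Name = '12 chars, lowercase only';           Length = 12; Alphabet = $lower;     Required = @() }
    @{ Name = '22 chars, letters and digits';       Length = 22; Alphabet = $lower + $upper + $digit; Required = @() }
)

$policies | ForEach-Object {
    $space = Get-Keyspace -Length $_.Length -Alphabet $_.Alphabet -Required $_.Required
    [pscustomobject]@{
        Policy      = $_.Name
        Keyspace    = $space
        Log2Bits    = [math]::Round([bigint]::Log($space, 2), 1)
        YearsAtRate = '{0:E2}' -f (Get-YearsToExhaust $space $guessesPerSecond)
    }
} | Format-Table -AutoSize
```

Two things the table shows. The class rule is a constraint, so the first row is strictly smaller than the second: requiring one of each class removes candidates from the 95^8 space and adds none, and an attacker who knows the rule applies the same constraint to their own candidate generation. And 26^12 (about 9.5 x 10^16) already exceeds 95^8 (about 6.6 x 10^15), which is the arithmetic behind "enforce length, not complexity". The years column scales linearly with the assumed rate, so it is only meaningful once you put in a rate appropriate to the hash and hardware in question.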