Its really time to stop using password expiry policies

Password Expiry Policies are Bad

This is a brief article on a bug bear of mine: Password expiry policies.

For years now it has been widely accepted that password expiry policies don’t actually provide any additional security and, at worst, are in fact more of a risk than an effective security control.

If you google ‘password expiry policies’, one of the first articles in the list is from Microsoft on setting a password expiry policy. In this article the is a big green box that states:

By default, passwords are set to expire in 90 days. Current research strongly indicates that mandated password changes do more harm than good. They drive users to choose weaker passwords, re-use passwords, or update old passwords in ways that are easily guessed by hackers. If setting password to never expire, we recommend enabling multi-factor authentication.

The UK National Cyber Security Centre (NCSC) has an article on updating your approach to passwords in which they say of password expiry policies:

Forcing password expiry carries no real benefits because:

  • the user is likely to choose new passwords that are only minor variations of the old
  • stolen passwords are generally exploited immediately
  • resetting the password gives you no information about whether a compromise has occurred
  • an attacker with access to the account will probably also receive the request to reset the password
  • if compromised via insecure storage, the attacker will be able to find the new password in the same place

The US National Institute of Standards and Technology (NIST) policy, Digital Identity Guidelines states:

Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.

Yet every person I talked to about this said they still have a password expiry policy in place where they work. I think this is one of those cases of where it is done because it’s always been done and “for security”.

This sort of “for security” policy is damaging to the overall acceptance of other more valuable security policies as it generates and enforces ill sentiment for security initiatives within the user population.

We need to stop forcing users to change their passwords. It’s a bad security practice. At best it is the security equivalent of “Turning it on and off again”.

The psychology of password expiries makes no sense. We are saying that there is a window of time for which we accept the risk of a leaked password.

The only password expiry policy that makes any sense is the one where your password expires after every use. Which is of course largely impractical.

Also, since when does age alone degrade the security of a password?

Worse still, if there are rules in place to prevent password reuse or use of similar passwords. A password history has to be kept which leads to another attack opportunity. Similar to what was mentioned in the NIST policy, if an attacker manages to crack the password history then he or she can see what passwords users are choosing on each rotation and make some educated guesses at what all future passwords might be. Even without exploiting password history, once a password is known an attacker can make some reasonably guesses at subsequent passwords which again nullifies any point of password expiry.

Add in the mix password complexity rules, which are ostensibly in place to ensure quality passwords are used, in combination with password history and password expiry can cause further issues. Not the least causing more frustration for users. But more importantly, overly aggressive complexity rules force users to either write down a password, use a generic weak password, use a guessable iteration of a previous password or maybe even all three.

To be clear, I am not saying we shouldn’t have complexity rules, but in concert with password history and expiry they force users into making poor choices for passwords which are either easily fuzzable or appear in password cracking dictionaries.

“But an expiry policy is better than nothing right? At least they attacker will only have access for a finite time no matter what” No! There is no window of time for which a leaked password is acceptable. It’s clear that this is a bad security policy.

If you have password expiry as you only tool to protect against password compromise and misuse then your system broken. Conversely, if you have systems to detect password compromise then you don’t need password expiry because you can force a password rotation instantly when a problem is detected. Not only that but you have actually detected the problem, collected data and can do something about the root cause. This will never happen if password expiry is your only tool.

The only time a password should ever be changed is if it has been leaked, broken or stolen. Otherwise there is zero reason to change it.

As has been the recommendation for a while now, pass phrases are a much better approach and should be encouraged. The use of multi-factor authentication (MFA) greatly increases security and is much easier and more cost effective to do now with the ubiquity of smart phones, low cost tokens and cheap hardware authenticators. MFA significantly reduces the risk of a weak password and should be table stakes for enterprise identity and access management.

Do this:

  • Turn off password expiry
  • Encourage pass phrases
  • Ensure you have multi-factor authentication
  • Improve monitoring

Make users happy.