Your password has expired and must be changed
Your password has expired and must be changed. Password expiration is a dying concept. Forcing a user to change the password is still a standard security policy for many companies. The organization usually requires its employees to change their passwords every now and then. While in the past this policy made sense, now it is only an archaic practice that forces additional, burdensome action that does not increase the level of security of either the employee or the organization.
Where did the password expiration policies come from?
Decades ago, it was estimated that the average computer would take around 90 days to “crack” a hashed password. If the attacker managed to compromise the organization’s website and copy the hashed password list, he was also able to automate the password guessing process. As a consequence, it was assumed that since the average password could then be cracked in 90 days, people should change passwords every 90 days to solve the problem of stolen credentials. Over time, this guideline has become a requirement for many organizations and has been adopted as a common practice in the cybersecurity world.
Password security today
Now let’s move on to the present day. Things have changed radically. It doesn’t matter if your password expires. Moreover, on closer inspection, a forced password reset does much more harm than good and actually increases, rather than reduces, the risk of data loss. The problem is that organizations and security standards have not kept pace with these changes and continue to promote antiquated and harmful practices just because “it has always been this way.”
Why do passwords have to go away?
- Archaic risk assessment model
In the last twenty years, both the technology and the risk assessment model have changed dramatically. First, most of today’s “average” or “bad” passwords can be cracked quickly in the cloud. Passwords that would have taken an average cybercriminal 90 days to crack 20 years ago now take literally seconds.
Moreover, the biggest threat to passwords is no longer breaking them, but simply harvesting. Cybercriminals infect the victim’s computer with keyloggers, collect data via phishing sites, or carry out social engineering attacks over the phone, fake SMS messages, and many other methods that cheat the victim and persuade them to give the password to the attacker on their own.
If the victim’s password is compromised, it will now be discovered in seconds rather than months, as it used to be. And once the criminal has obtained the password, they will not wait for the required “90 days”, but will use it within a few hours. So by the time the victim realizes that they should change the password, the criminal will long since have disappeared with the stolen information.
Why is changing my password harmful? Because it lulls the vigilance of employees and security departments and introduces a false sense of increased security. Changing a password just makes us feel more secure while really changing nothing.
- Cost of unnecessary action
People responsible for cybersecurity in organizations most often look at data security through the prism of risk reduction, often forgetting the cost perspective.
Companies are thus flooded with password maintenance costs. We are talking not only about the time of employees and endless calls to the helpdesk asking for a password reset. The costs are also creating bad habits.
Why do people in organizations write down their passwords on sticky notes and put them wherever they can? Because it is comfortable and natural. Humans aren’t made to remember long and complicated strings of characters. Repetitive, tedious, and boring activities in which we see no sense simply bore us, and it is natural to avoid them. Making life easier for ourselves comes naturally. Therefore, security policies, apart from the security itself, should be guided by the least inconvenience for the user; otherwise, people will do everything in their power to bypass the procedures.
- Increased risk
We have mentioned before that forcing a password change, instead of reducing the risk, in fact increases it. But why is that? Let’s think about what employees do when they are required to change their password.
When a person is forced to come up with a new password, he or she will most likely change it by adding 1, 2, !, @ or another symbol that in fact does not change the password, but only extends it by one additional character. Do your password policies prohibit such practices and prevent the use of similar or previously used passwords? Okay, the employee will change the password from Monday1 to Tuesday1, or change the daughter’s birthday to the wife’s birthday. We will always make our life easier because it is natural, so no imperative-forcing policy will change that.
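To make the limits of a “no similar or previously used passwords” policy concrete, here is an added Python example (not code from the original post) of a password-history check of the kind such a policy relies on. It stores only salted PBKDF2 digests of each previous password and of its letters-only “stem” (trailing digits and symbols stripped, lowercased), so it catches both exact reuse and the Monday1 → Monday2 change while never keeping the old password in clear text. The class name, the five-entry history depth and the sample passwords are assumptions made for the illustration; a real deployment would use a dedicated slow hash such as bcrypt or Argon2.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Iteration count kept low so the example runs quickly; raise it in production.
_ITERATIONS = 20_000
_TRAILING_NON_LETTERS = re.compile(r"[^A-Za-z]+$")


def _digest(value: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a string (stand-in for bcrypt/Argon2)."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, _ITERATIONS)


def stem(password: str) -> str:
    """Letters-only core of a password: 'Monday1', 'Monday2!' -> 'monday'."""
    return _TRAILING_NON_LETTERS.sub("", password).lower()


class PasswordHistory:
    """Per-user history of previous passwords, stored as salted digests only.

    Each entry keeps (salt, digest(password), digest(stem)) so that neither
    the old password nor its stem is recoverable from the stored record.
    """

    def __init__(self, depth: int = 5):
        self.depth = depth
        self.entries = []  # list of (salt, password_digest, stem_digest)

    def add(self, password: str) -> None:
        salt = os.urandom(16)
        entry = (salt, _digest(password, salt), _digest(stem(password), salt))
        self.entries = (self.entries + [entry])[-self.depth:]

    def violation(self, candidate: str) -> Optional[str]:
        """Return the reason a candidate is rejected, or None if it passes."""
        cstem = stem(candidate)
        for salt, pw_digest, stem_digest in self.entries:
            if hmac.compare_digest(_digest(candidate, salt), pw_digest):
                return "reuse of a previous password"
            # An empty stem (all digits/symbols) carries no letters to compare.
            if cstem and hmac.compare_digest(_digest(cstem, salt), stem_digest):
                return "only the trailing digits/symbols changed"
        return None


if __name__ == "__main__":
    # Constructed sample: the user previously set 'Monday1'.
    history = PasswordHistory()
    history.add("Monday1")
    for candidate in ("Monday1", "Monday2", "Monday1!", "Tuesday1"):
        print(candidate, "->", history.violation(candidate) or "accepted")
```

Running the block shows the point of the paragraph: Monday1, Monday2 and Monday1! are all rejected, yet Tuesday1 passes, because the check only measures lexical similarity to the old password and has no notion of a predictable pattern.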
We know it, you know it, and the “bad guys” know it as well.
It is worth seeing for yourself by turning to any pentester and asking them the question: “Did password policies ever stop your attack?”
Password has expired
Password policies in the past made sense. Nobody is questioning that. However, the time has come for passwords to disappear for good from cybersecurity best practices. For several years now, there has been talk of a passwordless future. It is true that there are already many services out there that offer an increased level of security while eliminating passwords. Here are some tips on how to move toward so-called zero trust security, a security model in which no trust is granted by default and users need to be verified anytime, anywhere.
Passwordless – what instead of passwords?
- In the first step, enter multi-factor authentication (MFA) or two-factor authentication (2FA) depending on how many authentication steps you need, on the most important applications. Without a doubt, this is one of the easiest and most effective ways to secure any authentication requirement.
- In the second step, deal with MFA scaling, i.e. introducing strong authentication not on selected, but on all applications in the company. The best approach to do this is to use the user access security broker concept, which allows you to implement any number of MFA methods on any number of applications without interfering with their code. This means that the implementation of strong authentication is non-invasive, scalable, and thus can be deployed globally throughout the organization, regardless of its size.
- In the third step, check if your organization is ready to go fully passwordless. Multi-factor authentication methods can effectively eliminate passwords. Your password no longer needs to be one of the many factors used for authentication. It can effectively be replaced with authentication based on the FIDO2 standard, biometric authentication, U2F keys, or also older TOTP-based methods. The key here is the use of several factors, because each additional layer makes the criminal move on to an organization that is easier to break into.
Passwords – an illusion of security
Nowadays, changing the password every 90 days gives only the illusion of security, bringing unnecessary complications, costs, and ultimately additional risk for the organization. Fortunately, the situation is slowly changing. Technology giants make it possible to secure user accounts with strong authentication, including U2F keys. More and more governments are requiring public organizations to implement multi-factor authentication methods. The only thing that remains is to educate our friends and relatives and persuade them to use authentication methods that are strong and (except for U2F keys) completely free.
This article was inspired by the original SANS blog post written by Lance Spitzner titled ‘Time for Password Expiration to Die’.