At NorthSky Technology, we’ve long been hesitant to recommend strict password expiration policies to clients. Until relatively recently our hands have been tied on this issue, as most security standards and compliance requirements mandated password expiration policies (often every 90 days, sometimes even fewer!).
The motivation behind the requirement is well-intended. Users often reuse passwords between services, or their unique password somehow becomes known to someone who shouldn’t have it. Password expiration policies theoretically reduce the half-life of that password’s usefulness: particularly in a large organization, the idea is that after a mass breach of passwords an attacker could only leverage them for a known, bounded period of time.
However, it is a big ask to expect every user to reliably create and memorize a new strong password every 90 days. When password expiration policies are in place, we consistently observe that users:
- Resort to insecure storage methods for the password (post-its, insecure notes in their phone),
- Share the same few passwords between services and rotate them around,
- Choose very poor seasonal passwords, e.g. Summer2019!, or
- Take the same password they already have and increment it, e.g. Password1! becomes Password2!.
As Microsoft also points out: “if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”
Attackers are well aware of all of these tendencies and are happy to exploit them. In general, we find that the stricter the expiration policy, the more false an organization’s sense of security and the worse its users’ password habits, compared to organizations with no forced expiration at all. An added negative effect is that frequent forced password changes inconvenience users and can nurture resentment toward information security efforts. Instead of encouraging a more secure culture, it encourages a sense of “us vs. the computer”. Password expiration hopes to prevent initial compromise by rotating a compromised password before an attacker can use it, but in reality it makes passwords less secure overall.
Thankfully, we’re not the only ones to take notice of these drawbacks, and things are beginning to change.
The National Institute of Standards and Technology (NIST) is a government organization which creates and maintains standards and frameworks across various industries. In particular, they maintain cybersecurity guidelines which are required to be followed by all government organizations and companies doing business with the government or military.
In early 2019, NIST released updated security guidelines which acknowledged the downfalls of password expirations and removed the requirement entirely. Instead, they focus on longer passwords and checking those passwords against lists of known compromised credentials. The following article summarizes the major changes in that release:
The NIST Cybersecurity Framework sets an example for other standards like PCI, HIPAA, FISMA, and SOX, so it can be expected that other standards will follow suit. As an example, very quickly after NIST’s announcement Microsoft released a new draft of their own security baseline which removes the password expiration:
This article gets very technical, but the section headed “Dropping the password expiration policies”, a little further down, has the relevant details in plain English.
Except in cases where regulatory compliance mandates otherwise, NorthSky Technology now officially recommends the elimination of password expiration requirements PROVIDED the following measures are also in place, where possible:
- Require that any passwords to sensitive systems, such as banking, payroll, healthcare, and email accounts, are completely unique and not used for any other system or service. We also encourage users to create long multi-word passphrases that are lower in complexity but easier to remember; 14 characters should be the minimum, and the longer the better.
- Require multi-factor (also known as two-factor) authentication wherever possible, especially on sensitive accounts.
- Deploy monitoring systems which detect and alert on unusual account activity (repeated failed logins, logins from unexpected locations) and restrict where and when users can log in.
- Implement banned password lists. This feature compares a user’s proposed password against lists of known weak or compromised passwords and rejects a problematic password at the moment the user sets it. This is a highly effective but very new concept. At the current time, mainly large-scale systems like Office365 have released native support for it. While third-party services exist to add this feature to systems that don’t yet have it, we hesitate to add that complexity and cost unless warranted. We expect that in a short time the industry will catch up and this feature will become widely available as a default. We have already incorporated this feature into our baseline configurations for NorthSky clients wherever it is available.
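As an added illustration (not NorthSky’s code and not how Office365 implements its feature), here is the acceptance check these measures imply, in Python: a 14-character minimum, a small constructed banned list matched after normalizing away the trailing-digit, letter-substitution and seasonal tricks listed above, and rejection of a password that is merely the previous one incremented. The banned words and the normalization rules are assumptions for the example.

```python
import re
from typing import List, Optional

# Constructed banned list for illustration only; a real deployment would load a
# large list of known weak or breached passwords (e.g. thousands of entries).
BANNED_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "northsky"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
MIN_LENGTH = 14  # the minimum recommended in the text above

# Trailing digits and symbols users tack on to satisfy complexity rules.
_TRAILING = re.compile(r"[\d!@#$%^&*.?_-]+$")
# Common letter substitutions (P@ssw0rd -> password).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to the base word the user most likely started from:
    lowercase it, strip the trailing digits/symbols, then undo substitutions."""
    base = _TRAILING.sub("", password.lower())
    return base.translate(_LEET)


def is_increment_of(candidate: str, previous: str) -> bool:
    """True when the two differ only in trailing digits/symbols
    (Password1! -> Password2!), i.e. the 'increment' habit described above."""
    return _TRAILING.sub("", candidate.lower()) == _TRAILING.sub("", previous.lower())


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the list of reasons to reject the candidate; empty means accepted."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = normalize(candidate)
    if base in BANNED_BASE_WORDS:
        problems.append(f"based on banned word '{base}'")
    if base in SEASONS:
        problems.append("seasonal password pattern")
    if previous is not None and is_increment_of(candidate, previous):
        problems.append("trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    for pw, prev in [("correct horse battery staple", None), ("Summer2019!", None),
                     ("P@ssw0rd2020!!", None), ("Password2!", "Password1!")]:
        print(f"{pw!r}: {check_password(pw, prev) or 'accepted'}")
```

A long passphrase with no banned base word passes, while each of the habits listed earlier in the post is caught even when the candidate meets the length minimum.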
As part of our ongoing management, we will be proactively reaching out to affected clients to discuss potential policy changes and other recommendations. If you have any questions about password policies or any other cybersecurity related matters, please don’t hesitate to contact us!