All the way back in March, Lorrie Cranor, Chief Technologist for the FTC, released a blog post [1] stating that it was time to rethink mandatory password changes. Headlines spread the usual FUD (fear, uncertainty and doubt) for a few weeks, then simmered down. Last week, though, Ars Technica published a post [2] based on a recent BSides security conference at which Lorrie spoke. This week the claim that password changes are bad is being virally regurgitated by the likes of Business Insider [3] and other non-technical media.
While we do agree with Lorrie's initial claim that it may be “Time to rethink mandatory password changes”, we disagree with nonsensical headlines like “Why you don’t need to change your password regularly” [3] or “Why changing your password regularly may do more harm than good” [4].
At face value, Lorrie is correct. We need to rethink mandatory password changes, though the question is not whether they should be enforced, but how.
The data in the study [5] shows very clearly that users are prone to make small, guessable changes to their password when forced to change it. This is bad, and we agree with that. The study also simulated a breach, including having to crack the hashed passwords, but not much is made of this fact.
What most of these articles are missing is that to guess the next transformation of a password, you need a previous version to work from. This means BREACH, and a workplace, whether it follows Lorrie’s suggestion or not, stays breached indefinitely until the attacker either makes a mistake or decides to cause noticeable damage.
Forcing users to change their passwords without managing the process is simply an extension of the problem of not changing the password at all; the study reinforces that. So if either method is bad, it’s fairly safe to say that the problem isn’t whether to enforce frequent changes, but rather how to enforce them.
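One way to “manage the process” described above, as an added example that is not from the original post or from RawInfoSec: a change-time check that refuses a new password which is only a cosmetic rewrite of the old one (case flip, digit bump, appended symbol, letter-for-symbol swaps). The normalisation rules, the similarity threshold and the minimum length are this example's own assumptions, not a published policy.

```python
# Added example: reject a new password that is a predictable transformation
# of the previous one. Thresholds and transform list are assumptions.
import re
from difflib import SequenceMatcher

MIN_LENGTH = 12          # assumed minimum length for the new password
MAX_SIMILARITY = 0.7     # assumed cut-off on the character-match ratio
LEET = str.maketrans("@$0!13", "asoiie")   # common symbol/digit-for-letter swaps


def _normalise(pw: str) -> str:
    """Undo the edits users typically reach for: case, a leading or trailing
    run of digits/symbols ("Welcome2016!!" -> "welcome"), and leet swaps."""
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def is_trivial_change(old: str, new: str) -> bool:
    """True when `new` is a guessable rewrite of `old`."""
    if new == old:
        return True
    a, b = _normalise(old), _normalise(new)
    # same core word, or old core embedded in the new one ("MyWelcome2016!!")
    if a and (a == b or a in b or b in a):
        return True
    # fallback: overall character similarity (e.g. a one-letter edit)
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() > MAX_SIMILARITY


def check_password_change(old: str, new: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password change."""
    if len(new) < MIN_LENGTH:
        return False, f"new password must be at least {MIN_LENGTH} characters"
    if is_trivial_change(old, new):
        return False, "new password is too similar to the previous one"
    return True, "ok"


if __name__ == "__main__":
    # constructed sample pairs, not real credentials
    for old, new in [("Welcome2016!!", "Welcome2017!!"),
                     ("Welcome2016!!", "W3lc0me2016!!"),
                     ("Welcome2016!!", "correct-horse-battery")]:
        print(old, "->", new, check_password_change(old, new))
```

The old password is only available in cleartext at the moment the user supplies it to authorise the change, so this check runs then and needs no reversible password history.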
Bruce Schneier, a leading security technologist behind numerous books and academic papers on the subject (and one upon whom this author has based their career), also agrees with Lorrie’s initial essay on the surface. Many of the new FUD articles popping up, though, credit him with agreeing that password changes are bad. If you check what Bruce actually recommends in “Choosing Secure Passwords” [6], you’ll see that they are missing the most important part.
“There’s more to passwords than simply choosing a good one,” he states. “#2: Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.” [6]
Therein lies the problem. Most users have no way of knowing when their accounts are compromised until the damage manifests itself (local Cambridge example: “Realtor’s security breach costs young home buyer $10K” [7]). In fact, most companies don’t either, until something disastrous happens (Target [8]). More often than not, we’re learning that companies do not invest in security unless they have to, or cannot vet the capabilities of their security provider, and that as users we can never assume any system is secure.
Like most of Schneier’s work, he is bang on, and we are in full agreement with him. We do believe that his second point needs to be clarified to single out that unmanaged (not all) password changes do more harm than good. Things have changed a bit since it was written in 2014, and for the most part no user can ever take for granted that their password hasn’t been compromised [9], as they have neither the tools nor the access to determine this until after the damage has been dealt and companies come clean.
So what do RawInfoSec recommend for passwords? Password managers like 1Password work wonders. Not only do they mitigate Lorrie’s concerns completely, they also provide very strong, unique passwords for each login and can even remind you to change them when needed. Always enable two-factor authentication where it is available.