Why changing passwords should be done regularly

A little birdie sent me a copy of today’s SANS ISC diary entry. That’s a good thing, because I’m at home sick with alleged piggy flu, and I’m not able to keep up with a whole lot.

The diary entry argues that regular changes of passwords are often done for no other reason than “because we’ve always done it that way”.

Apparently, people responsible for security policy have “read somewhere” that you’re supposed to change passwords every ninety days, and having no other basis on which to proceed, that’s the policy carved in stone.

When asked why this policy is the way it is, the usual response is “good security practice” – and in such environments it’s difficult to give a good response to someone who pushes back, arguing that changing passwords in their application is ‘difficult’ or, more often, ‘expensive’. This is, after all, business, and if one side pleads “expense”, while the other side pleads “good thing to do”, the latter side will lose.

So, why is it best practice?

One reason is that you have to recognise that for all that we tell users not to share their passwords, not to use the same password on multiple sites (aka “share their passwords”), etc., very often users will do exactly that. So, every ninety days, you change your password and you cut off everyone with whom you previously shared your password (to an extent).

Another reason is to allow changes in password policy to propagate out to new passwords. If you suddenly realise that six-character passwords are easily cracked, you change the password policy to require punctuation as well; then you realise that, because no one has to change their password, the new policy will never be applied to the passwords already in use.

Those are the common arguments for regular password changes, and there are a few others, but there’s one I rarely hear being made.

What about when you do get an exposure?

In my professional career, I have seen, or heard of, a number of cases of exposure of password information. Sometimes it’s as simple as a departing employee who knows far too much information and may not be trusted, or as mind-boggling as a team sharing a list of important passwords, and one of the team members losing the list. Other times it’s more complex.

Each time, the response from security is the same – if the existing passwords are in danger of being used because of such exposure, then those passwords need to be changed.

Most times, the response from the business is the same – that the passwords haven’t been changed in so long, and they’re spread through so many different applications, that they have no idea what will be affected if they change the password.

Once you hit that scenario, it can be months before you get the password changed. Yes, months. And all during that time, the account may be compromised.

How do you prevent this?

Think of your disaster recovery drills – when there’s a process that needs to be followed quickly and correctly in an emergency situation, you achieve that by meticulous planning and regular exercise. You create the process and test it regularly, updating the process as you find there’s a need.

If you don’t change passwords on these high-value accounts once every 90 days (or so), how do you know that you’ll be able to change those passwords after an exposure or compromise? How will you guarantee that your password change procedures are current, without testing them? How will you enforce changes being documented if you don’t check the documentation against reality once in a while?
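The last point, checking the documentation against reality, is something a rotation drill can actually test. As an added example (not code from the original post), this script reconciles the runbook's list of places a shared service account is used against where the account name actually appears in configuration, so an undocumented consumer is found during a scheduled change rather than during an incident. The account name `svc_reports`, the file paths and the config contents are all constructed for the example.

```python
"""Reconcile documented consumers of a shared account against the
configuration that actually references it. Everything below is
constructed sample data; the account "svc_reports" is hypothetical."""
import re

# Constructed sample: path -> file contents that a rotation would affect.
CONFIGS = {
    "/etc/app1/db.conf": "user=svc_reports\npassword=REDACTED\n",
    "/etc/cron.d/nightly": "0 2 * * * svc_reports /opt/export.sh\n",
    "/srv/web/settings.ini": "[db]\ndb_user = svc_reports\n",
    "/etc/app2/app.yml": "username: other_user\n",
}

# What the runbook claims the account is used by (constructed; note the
# stale entry for a system that no longer references the account).
DOCUMENTED = {"/etc/app1/db.conf", "/srv/web/settings.ini", "/etc/app3/legacy.conf"}


def find_consumers(account, configs):
    """Return {path: [line numbers]} for every file that mentions the account."""
    pattern = re.compile(r"\b" + re.escape(account) + r"\b")
    hits = {}
    for path, text in configs.items():
        lines = [n for n, line in enumerate(text.splitlines(), 1) if pattern.search(line)]
        if lines:
            hits[path] = lines
    return hits


def reconcile(account, configs, documented):
    """Split consumers into documented, undocumented and stale runbook entries.

    'undocumented' is the dangerous bucket: rotating the password would break
    these silently, which is exactly what makes an emergency change take months.
    """
    actual = set(find_consumers(account, configs))
    return {
        "documented": sorted(actual & documented),
        "undocumented": sorted(actual - documented),
        "stale": sorted(documented - actual),
    }


if __name__ == "__main__":
    for bucket, paths in reconcile("svc_reports", CONFIGS, DOCUMENTED).items():
        print(f"{bucket}: {paths}")
```

Run it as part of each scheduled rotation; a non-empty "undocumented" bucket means the runbook needs fixing before the next real exposure.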

Published Mon, Nov 2 2009 20:59 by Alun Jones

Comments

# Requirement for changing passwords still not justified

This article does not justify the requirement for changing passwords at all.

5th paragraph:

Somebody shares the password with someone else, or uses the same password for multiple accounts. So you can force him to change the password. But he will share it again. Did you think about that?

6th paragraph:

People should change their passwords because, from time to time, they need a stronger password? So you should change the tyres on your car every week? Because, from time to time, you need to change to winter/summer tyres.

following paragraphs:

So you say we should practice changing our passwords? I think people that don't know how to change their password (or don't know where to find help) shouldn't have access to anything that needs password protection.

my personal experience:

Take the password to my bank account for example. I have a strong password, it's just in my memory, and nobody else knows it. As long as it stays that way, no problem, no need to change it. As soon as somebody discovers the password, it is too late; I can just change the password for an account with zero balance.

Now take the password for my university account. It does not protect anything really important, but I have to change it every 180 days. I used to have strong passwords. But after several years of bothering, I use a simple phrase followed by a number which I increment every 180 days.

You cannot force a user to have a strong password and change it regularly. You can only force him to write the password down on a paper.

Tuesday, September 21, 2010 7:15 AM by JirkaS

# re: Why changing passwords should be done regularly

I don't think you're making your argument very well, but then maybe it's just an indication that I wasn't either.

Yes, somebody shares their password, they're likely to share it again, even after they have been required to change it. Unless they are taught differently. So, a requirement to change password is implicitly bound up in a requirement to engage in user awareness and training, to teach people to stop sharing passwords, and to achieve the same goals as sharing without actually sharing. Also, as noted in the article, if you require the user to change password every three months, then the only people who have that password are people with whom the user has shared their password in the last three months - not people with whom the password has been shared in the last five years, since the employee joined the company. Picture someone who shares their password with one person every week - over three months, they've shared it with around 12 people. Over five years, they've shared with around 250 people. An exposure to 12 people (all of whom are recently employed by the organisation) is a significantly lower risk than an exposure to 250 (many of whom presumably don't even work at the company any more).

I'm not sure I understand, or see the relevance of, your analogy between password changes and tyres, so I'm not bothering to address that, except to say that when password policy changes, you absolutely have to expire all passwords, or the old policy is still in effect.

For the "practice" argument, it's important to note that not everyone who accesses secured resources thinks about security, in fact, most of them don't care to at all. As a result, when the word comes "your password has been compromised, change it in the next hour", even if they know where to find help, that's a significant drain and cost on your help desk at a time of already presumed crisis.

Finally, writing down a password is not necessarily such a bad thing. We all carry devices whose sole purpose is to protect pieces of paper from falling into other people's hands. They're called "wallets". And these days, with everyone having a smart phone (itself protected by a password), most people get to encrypt the password store they carry around with them, if only they'd bother to do so.

Tuesday, September 21, 2010 8:41 AM by Alun Jones

# re: Why changing passwords should be done regularly

I think you are right only partially.

Yes, it is good to know how to change a password - in case it was exposed. And yes, it might be a problem in a system where the password was never changed and no one knows all the places where it is used. But this applies to technological passwords, not to personal passwords - and I believe this is a big difference.

So, different rules should be used for technological passwords than for personal passwords.

Speaking about personal passwords, I see it like this - each person can decide if he will keep the password only for himself, or will share it with other person(s). In the first case yes, this person should be educated. But why bother the educated users in order to educate the bad ones? This is not a good approach, because it can backfire - the good guy, who has a really strong password and keeps it strictly secret, when made to change it every 90 days, will maybe try to create similarly strong new passwords for some time, but having a separate password for Windows, for Unix, for email and for some database, this will not work for too long.

I have about 15 different passwords. If I am made to change them every 90 days, I can hardly create 15 strong passwords that often. So, what shall I do?

1 - I shall use just 1 password to all the systems;

2 - I shall not create a new password every time, but I shall change only a part of the password - a number at the end, for instance.

So, instead of raising the security level in the company, this kind of security policy will actually lower it.

Thursday, February 10, 2011 9:02 AM by Stano

# re: Why changing passwords should be done regularly

So changing my password protects the system from me, rather than from outside hackers.  I don't particularly like that, but it's reasonable.

Wednesday, July 11, 2012 1:06 AM by Craig Anderson

# re: Why changing passwords should be done regularly

Of course, you ignore reality. With multiple systems having multiple password requirements in a business environment, you are creating a situation where users wind up keeping lists of passwords in drawers, under keyboards, on the last page of post-its... you get the idea. So, again, you have decreased security. Spend more time educating users on strong passwords and enforcing rules on not sharing pwds. Of course, that requires more effort and is not going to happen. Easier to just fall back on "best practices" and wash your hands of any responsibility when a breach occurs.

Friday, April 12, 2013 9:54 PM by Hobo

# re: Why changing passwords should be done regularly

I actually suggest that people write down passwords if that allows them to remember longer and stronger passwords. Read msmvps.com/.../1779604.aspx, for instance.

In general, I suggest using an appropriate password safe - and I use one that works on my mobile phone as well as my desktop.

The only challenge, then, becomes trying to find out what's an 'appropriate' password safe.

Saturday, April 20, 2013 10:28 AM by Alun Jones
