November 29, 2016

The (non)sense of password rotation

The (non)sense of password rotation

You arrive at the office in the morning and log on to your computer. After opening your mailbox, the first thing that catches your eye is the ‘change password’ reminder. You want the new password to be easy to remember, so you just make a minor variation to the previous one. After all you don’t see a benefit in doing this. It’s just something you’re obliged to do. So why make life difficult and choose a completely different, hard to remember password? You just get the thing done as quickly as possible. If this sounds familiar to you, maybe you should read on.

Why password rotation is a bad idea

Whilst the goal companies try to reach — securing the employees’ accounts — is good, doing it by implementing password rotation is not. By forcing employees to choose a new password every few months, you are implicitly weakening their passwords. Yes, users tend to choose simple, weak passwords. And they do that each time! They understand very well that they have to go through the change process again and again, and they will adapt by making the process as easy as possible.

The idea of rotating passwords is that attackers only have a limited amount of time to steal user credentials. As an example, let’s say you need to change your password every 60 days. An attacker steals your password after 30 days. This means he still has a window of opportunity of 30 days to do whatever he wants with your account. Typically attackers don’t wait for days to use hacked accounts. We are talking here about minutes or hours at maximum. Chances are real that you don’t even know your account was accessed by an intruder. Clearly password rotation won’t keep us safe from attackers and it certainly does not alert us when our credentials are stolen.

How can we do better?

As it seems, password rotation only has drawbacks. It results in a bad user experience as employees don’t understand why they need to change their password so often. Employees dislike it! Far worse is that it does not protect us against attackers, the reason why it was introduced in the first place. Besides it does not alert us when malicious people have access to our systems and this is certainly information you want to get immediately after it happens.

Companies should get rid of regular mandatory password changes and opt for more secure and user friendly mechanisms. They should make sure that everyone’s password is strong to start with. The current best practices are no longer to require a mix of numbers, special characters, uppercase and lowercase letters. If you want to know more about it, certainly read this article in which former NIST manager Bill Burr admits that the password advice (from back in 2003) that most current systems implement was actually bad advice.

NIST published its Digital Identity Guidelines exactly one year ago. This document also contains the new advice on creating strong passwords, or how they call it: “memorized secrets” (Appendix A)

Similar advice can be found on the website of NCSC, the National Cyber Security Centre of the UK. The main reason for not requiring a mix of numbers, lowercase and uppercase letters and special characters is because people always fall into bad habits when they have to meet these password complexity requirements.

If you let people choose freely — with the only limit being a minimum length (certainly read this article about length vs. complexity) — but you refuse passwords that have been leaked on the internet, you are forcing users to choose much stronger passwords. Here you can find a collection of more than 550 million leaked passwords that you can use to check against. You can find already different implementations making use of this “pwned passwords” list. For instance this one to check if your Active Directory users are using passwords that are previously leaked online.

When you take this approach to ensure that your users have strong, not yet leaked* passwords and combine it with monitoring plus base lining of the login activity, there is no need to force regular password changes. Monitoring means not only registering the successful login attempts, but also the failed ones.

When you perform Anomaly(-based) detection on this set of data you can detect abnormal usage of the login system and trace intruders quickly. Abnormal usage can be a high number of failed logins, a user logging in with valid credentials but at unusual hours, etc…

On the other hand, companies could monitor their AD users’ data breach exposure, for instance by subscribing to the Have I Been Pwned domain search (or any other service providing this possibility) and enforce password resets for their domain accounts being involved in a breach. In any case, only if there’s a proof of compromise users should be forced to change their password.

Another measure is 2-factor authentication or 2-step authentication for all user accounts. If there’s anything you want to enforce, than it’s this. It’s certainly not infallible, but it’s a solid extra layer of defense. If you want to know more about 2FA and how to protect your user account do read this post.

Wrap-up

It may not be easy to change a long running company policy but creating awareness about the (non)sense of password rotation is the first step. As it is with a lot of other company policies, this one is almost never questioned. We just keep typing weak passwords when we’re asked for. I believe this is something you should discuss with the people responsible for the implementation. There is a good chance that they never questioned the password rotation policy themselves. And if they did maybe there are other reasons why they didn’t change it. Anyway start the discussion and try to improve both user experience and security. Everyone will benefit from it.

*Of course you can not be 100% sure that a password is not leaked online. But at least you eliminate 550 million leaked passwords.