Policies that require users to change their password every couple of months do nothing to increase security. I’ll try to make the case that a rotating password policy does nothing to protect against these attacks, but instead encourages users to write down their passwords.
Lets look at a couple of ways in which passwords are often compromised.
- A hardware or software based key-logger / virus / spyware is harvesting passwords.
In this case, the employee or user types a password on a compromised machine, either at home, at a hotel, Internet cafe or on a friend/family members computer. - Password is obtained by someone sniffing network traffic.
This occurs when only making use of a plaintext protocol.
- The server’s password list is compromised.
You had an SQL injection vulnerability in your web app or your password file was compromised and someone managed to get the hashed list of passwords. If some of the passwords were simple and a basic hash function without salt was used, then some of the passwords could be obtained by a hash-table dictionary or brute force. - Password was so simple that someone guessed it or that it was brute forced.
This is rare, but most people who don’t understand security think this is hacking thanks to improper portrayal of hackers in movies.
There are plenty of other ways in which a password can be compromised, but these will suffice for now.
The first and only question that needs to be asked in order to debunk the rotating password policy is this:
Once someone’s passwords is compromised, how does changing it six months later stop the attacker from using it today, tomorrow or next week? Even if the attacker is selling password lists on the black market, every criminal knows a list older than a couple days is useless.
A second point demonstrates the ridiculous nature of forcing people to change their passwords:
When you force anyone to change their password every couple months and demand that it be some complicated combination of alpha-numeric characters, you’re forcing them to write it down, and most uneducated users will leave their written passwords in a cubicle.
A better solution
Two factor authentication is the way to go if you don’t mind inconveniencing people and want to enforce a serious password policy. Two factor authentication requires two things: either a memorized password / private key and a physical item that either generates a time-sensitive token unique to the user or verifies the user via SMS. Usually this is accomplished with a little device that can go on your keychain, but now smart phone apps are capable of providing the same thing. I installed Google Authenticator on one of my servers.
With two factor authentication, even if someone obtains my password, they won’t be able to login without the addition of the physical device I carry around in my pocket. Can two factor authentication be broken? Yes, someone can use one of the methods above to steal my password, then hit me over the head with a hammer and take my device. Someone could also obtain the private key used to generate my one-time tokens, or break the algorithm or even obtain physical access to the server!
Conclusion
Security isn’t about making it impossible to break in. At the end of the day we can concoct a zillion scenarios where even the pentagon could be overtaken. Security is about plausibility and probability. The plausible and probable methods of compromising a machine are not protected by a rotating password policy. They are protected by two factor authentication.
An added note: real security comes from educating users.
You make a lot of good points. I am always irritated by each server’s arbitrary rules – some want punctuation, some prohibit it, meaning that I have to have many different passwords and I cannot remember them all. Nevertheless, can you explain the issue with expiring passwords more? I understand that you won’t save the day by changing a password every 6 months. An intruder will still have 1-5 months to use the stolen password. Nevertheless, isn’t it better to stop them periodically then not at all? Even if you are using 2-factor authentication, a stolen password and key set still need to be defeated. And doesn’t having passwords expire also add the benefit of locking out unused accounts? Sure, these should be terminated manually, but people are busy and make mistakes.
Alvin said, “An intruder will still have 1-5 months to use the stolen password. Nevertheless, isn’t it better to stop them periodically then not at all?”
It is good to stop them if they do compromise the account, but I’m not sure requiring passwords to change will stop them. Depending on what kind of account it is, an intruder will typically compromise an account and use it once or twice to accomplish their goal, then move on. If it is an account that an intruder will want to make use of for an indefinite period of time, then allowing them access barring a password change request is already a failed policy. If the intruder knows that there is a rotating password policy, the intruder can change the password as frequently as he likes to avoid it from being enforced apart from his own schedule.
Consider a social networking account. There are lots of reasons for someone to steal your facebook or google+ credentials. The most obvious reason would be to spam your friends. The threats 1, 2 and 4 of my original post are heightened for the social network. However, neither of these services require passwords to change every couple of months; if you do want an added measure of security, you can opt-in to two factor authentication.
As for locking out unused accounts… If that’s your desire, you could set a policy to disable an account that hasn’t any activity for a set period of time. The user could get back to you upon discovery and you could re-enable it without requesting a password change. Disabling inactive accounts is more for bookkeeping than for security since a compromised account will likely also be active and used by the intruder, if not, by the user.
Alvin also said, “people are busy and make mistakes.”
Indeed, this is what a good policy is meant to protect against.
There are also studies that criticize the requirement of complicated passwords that make use of uppercase, lowercase and punctuation. Theoretically, four random words is easier to remember and has a harder probably to brute force than the typical 12 random characters limited to a full keyboard.