We’re all still using passwords on many, perhaps most, of our accounts, because we’re all still using plenty of online services that don’t offer any other sort of login system.
Just today, for instance, I paid membership fees to a cycling-related group that asked for my postal address so it could send me my membership card, which I thought was a delightfully simple and old-school way of letting me retrieve my membership number in future while out on the road.
In the sort of cold and soggy weather you get for much of the year in England, digging out a mobile phone, waiting for a signal, taking off your gloves (they’re not much fun to put back on when you’re winter-waterlogged), and fiddling around with apps, websites, passwords, 2FA codes and more…
…well, it’s just not as easy as finding a waterproof, crash-proof, no-batteries-required, plastic card with your basic details on it.
But along with my payment confirmation, informing me that my membership card was on its way, was a reminder that if ever I wanted to renew my membership, or to request a replacement waterproof, crash-proof, no-batteries-required, plastic card (sadly, they aren’t loss-proof), I’d need to create an account on the group website, so why not choose a password right now?
Simply put, to avoid the need for a password in the first place, I’d need to create one in the second place.
And whenever passwords come up, a long-running question comes up too:
Should you change all your passwords all the time to make them fast-moving targets for cybercriminals, or lock in really complex ones to start with, and then leave well alone?
Indeed, that was the issue facing a long-term Naked Security reader this very morning, whose own IT team were on the horns of this very dilemma, possibly because of a cyberinsecurity near-miss that they’d just experienced first hand.
Which is better?
Complex passwords or passphrases that may not get changed often, or poorly-chosen passwords that are changed regularly?
Thoughts and cogitations
Our thoughts on the matter are as follows:
- Changing passwords regularly isn’t an alternative to choosing and using strong ones. If you want to change your password every month, that’s your choice, but it’s not an excuse for starting with your cat’s name and using minor variants of it every few weeks.
- Forcing people to change their passwords routinely may lull them into bad habits. Many users simply adopt a predictable mechanism, such as adding -01, -02, -03 and so on to satisfy the letter (but not the spirit) of your password replacement rules. Attackers can figure out that sort of behaviour.
- Scheduling password changes may delay emergency responses. If you always change your password every few weeks, there’s less incentive to change it right away if you think you might have been phished. After all, you’ll be changing it “soon” anyway.
Regularly changing your password doesn’t magically make it a better password.
Only choosing a better password in the first place makes it a better password! (This is where password managers can help.)
In other words, we suggest that you first address the problem of helping your users to choose decent passwords, then encourage them to recognise cases where they should change their passwords right away, without needing a timetable to tell them to do so…
…and only then should you worry about whether you really need a “regular changes regardless” password policy as well.
The risks of rote behaviour
Demanding password changes every month when you simply don’t need to is just inviting people to save their new passwords insecurely, or to choose new passwords sloppily, or to rotate through a repeating sequence of N related passwords, or of only ever updating their passwords every 30 days, even in emergencies.
Having said that, locking out users who haven’t accessed specific company accounts for a certain time is a good idea. (This also guards modestly against forgotten accounts, because they eventually expire automatically.)
Locking users out for inactivity is more intrusive than simply forcing them to reset their passwords regularly, and therefore unpopular.
But if someone has a company account login that they aren’t using, why not push them to justify in person why they still need it after they haven’t used it for, say, six months or a year?
After all, if it’s a login for a product or service that charges a per-user fee… you may even be able to save the cost of their subscription.
And if they genuinely don’t need the account any more, you’re helping them to stay out of trouble by preventing rogues and cybercrooks from doing bad things in their name.
Philip Le Riche
Changing your passwords often so as not to get compromised is like thinking that if you run fast enough you can dodge all the rain drops. OK, you’ll dodge the raindrops falling behind you but there’ll be just as many where you’re going. And forced to regularly change their passwords, a very large number of people will simply append a number they can increment as required. (Don’t tell anyone, but I got up to 75 in my last job.)
Paul Ducklin
As my chum Chester Wisniewski once said, if you know that the change frequency is (say) every month, their LinkedIn employment history will tell you what number to add…
Jim Howard
I have owned a small non-tech business for decades, but am also a retired developer.
Based on years of experience I can promise you the more often you require a password change the more often you will find sticky notes with the current password displayed in plain sight.
I’m looking at you, Thompson-Reuters.
Paul Ducklin
And if you stamp out sticky notes, you will end up with a surfeit of “Errrr, I forgot my password” calls the day after every forced change.
Which is golden for social engineers because they can predict exactly when the IT team (or the outsourced call centre that passes for an IT team) will be at their most suggestible for fraudulent password reset shenanigans :-(
The Nerd
I hear and read what you write but ….
… I’m thinking that only passwords are [REDACTED] regardless! You must have MFA as a supplement to password.
But if you do not have MFA, as in large organizations with many users with low computer maturity, regular password changes are still ok. Because the user does not know when they are exposed to Phishing and IT may not receive a signal about it. If you then do not force a password change, the account is out in the open for how long? Then it doesn’t matter if it’s a 16-character password… it’s phished!
So if only password it should be at least 16 characters to make Brute Force difficult. Then ban the most common passwords to counter Password Spray.
But primarily use MFA where you can because today the bad guys even steal the password hash.
If a password ending up on a “post-it” so a colleague can see so what? It is 1000 times better and less risky than a hacker finding/buying it on the darknet with damn bad attentions….
Today, they also steal the MFA hash, don’t they? We are [REDACTED] if they really want to get to us.
But to never change the password or very rarely, I only recommend if you have active MFA.
Paul Ducklin
I don’t disagree with you about 2FA (though it is not quite the panacea that some people like to think), and I’m not saying that you should never change your passwords.
But I do disagree that “regular passwords changes are ok” if you are in a large organisation with many users with low computer maturity, as you suggest. A low-maturity response to low-maturity password behaviour seems counterproductive to me – a way to entrench (and excuse) behaviours that you really need to be eliminating.
it feels like trying to “fix” the problem of low-maturity programmers who commit memory mismanagement bugs all the time, and who regularly publish code that crashes with buffer overflows that might very well turn out to be exploitable…
…by wrapping their programs in scripts that restart them automatically if they crash, and saying “at least I am reducing the danger of denial-of-service attacks”, instead of addressing the underlying problems of poor programming practice.
Pete
The big question is: how long would you allow criminals to access your systems after a successful phishing attack?
1 day? 30 days? 90 days?
Obviously the answer to the above question gives you the interval for regular password changes – if they are the solution to the mentioned phishing problem. Try to convince an organisation to change their password every day or try to argue on the other hand, why criminals should be allowed to access those phished accounts for 90 days
Adam
Sure, it’s probably fine if a coworker sees the password on the sticky note on the monitor…but what about the overnight cleaning crew? Or the person who came in to visit a colleague who happens to work in that office? Is it okay for them to see it, too?
And, as I’m sure you know, users aren’t going to just put their password on that sticky note. They likely will also put the name of the system and/or the username that goes along with that password, as well.
David Heath
Thanks Paul. I’ve been banging on about the same thing for years. “If it was good enough to satisfy the password rules when you created it, why does the password have to be changed?”
Chris Johnson
Individual security, be it passwords, passkeys, MFA apps, password managers, or biometrics, is unavoidable insufficient for modern businesses’ security posture and attack surfaces. Businesses need to dramatically reduce their exposure if they want to improve their security. Rotating passwords is far less effective than simply removing the ability for anyone anywhere in the world to put a stolen password into a login page. BYOD is a security nightmare, but being enthusiastically embraced by management addicted to cost savings at any price. As an IT professional, I worry that my opsec is insufficient to keep my business safe. I *know* that the behaviour of 90% of our customer’s staff is actively putting their businesses at risk, with the worst usually being the most senior. The only solution will be a systemic solution, not an individual one – no matter how hard senior management try to blame everyone else for it.
Paul Ducklin
Rotating passwords is what some people try to do with when they are forced to change them regularly, so rotation (which implies they cycle through a fixed sequence and repeat at the end) is way, way worse than merely changing them.
(“Rotation” is a word that needs urgently and permanently purging from our cybersecurity jargon, though I admit that is something of a side-issue here. Just a pet peeve of mine…)
Jack Wilborn
Working at a large financial institute where every 30 days you had to change it, does just as was described…
Many just added 1 through 12 to their name of pets and left it for the month. There was never a hurry to change anything as we’d be changing it pretty soon anyway…
Google also should wise up. If I have a password manager, like Keepass2 and I get a new phone or replace it. I have the database, but not the software.. I can’t copy a 20 character password from my computer to my phone reliably or at all…
I end up, if I remember, to change google, upgrade the phone and log into google to get the keepass2 software then change the password back… Seems counter intuitive..
Besides, I’m sure they know who I am anyway…
Thanks Paul, … always like reading your articles…
Paul Ducklin
Thanks, glad you find them useful.
James
The merits of, and discussions around the frequence of scheduled password changes aside, a lot of the issues with insecure passwords could be solved by not letting users choose their own passwords in the first place. Humans are terrible at this, especially when forced to do so at no notice. Instead of the password change process being “Enter your old password, your new password, and confirmation of your new password”, make it “Enter your old password, here’s your new (xkcd style) password, enter your new password to confirm”.
Provide warnings to the user to make sure their screen is secure before revealing their new password, and for scheduled password changes (vs password changes in response to a security event), allow the user to use their old password as a backup password for a few days, show them their new password, and make them type it in again.
Also never schedule password changes on the last day of the week.
Also also one thing I have discovered in building password generators, is how many combinations of 3-5 non-offensive words, when put together, can make an offensive phrase…
Pete
In principal a nice idea, but if implemented correctly, the organisation which “stores” your passwords never knows them in clear text. They should only ever know the hash value of the password, so there would be no way for them to remind you of your password.
On the contrary: if an organisation ever tells you your password: just run away.
Martin
Worked somewhere that implemented that exact policy. Nice complex passwords forced on users every 90 days.
The downside was every desk in the business had a post-it note on with the password written down because no-one could ever remember them.
Can’t win…..
vipra
I completely agree with the point about scheduled password changes causing users to choose weak passwords. I’ve seen it happen so many times, where people just add a number or change a single character to meet the new requirements. It’s definitely a flawed practice, and I appreciate the insights provided in this article.
Robin
Scheduled password changes causes users to choose weak passwords. No disagreement there. Deciding to have a longer and more complex password and removing the requirement to change the password adds different risks. Primarily Phishing attacks. You would therefore need to mitigate these risks by using MFA, or, receiving telemetry on stolen accounts, or by assessing where the user is authenticating from, and its risk level, etc.
Slow Joe Crow
OT ii your your cycling gloves are waterlogged you have the wrong gloves. Endura in the UK has some excellent waterproof gloves that I used in equally rainy Portland Oregon.
On topic, Microsoft isn’t wrong in pushing to non-expiring passwords and MFA with apps and number matching. It’s still possible to social engineer but so much harder. I also still believe the Correct Horse Battery Staple passphrase is a better approach than traditional 8-12 characters, letter, number, punctuation being both easier to remember and harder to crack
Paul Ducklin
I am a happy Endura customer of many years (socks, base layers, jackets, gloves), but when it comes to cycling clothes, “waterproof” is to gloves as “stainless” is to steel (it oxidises in the end). Gloves that are truly waterproof would, of necessity, be unbreathable and thus essentially unbearable. Try putting washing-up gloves on under your cycling gloves to simulate the experience. Ride for long enough in continuous rain and your “waterproof” gloves will be wet inside. (Of course, if they get wet slowly they dry out even more slowly, but that is even further OT.)
As for the Correct Horse Battery Staple method, I really don’t recommend it. The XKCD entropy analysis was wildly inaccurate, *because people don’t use four random words from the dictionary to give them 100,000^4 choices*. At the very best they use four words from their own vocabulary (for most people, that’s about 10,000 words), but in real life they typically chooae four words from ones they are familiar with, for a total of, say, 1000^4 choices or perhaps even a lot less.
Vaguely meaningful mnemomic phrases are my preference. Such as “Australia did well against India in the test final thingy, but let’s hope they falter in the upcoming Ashes series.” Turn that into, say, “Oz!Vin@TFT,lht–MMXXIIIA$”.
More ideas here:
https://nakedsecurity.sophos.com/2014/10/01/how-to-pick-a-proper-password/
Pete
I like the passphrase idea, but why shorten it to a much shorter combination? One issue I see with the shortening is the collision – two unrelated passphrases giving the same password.
And even worse: if you start with the (maybe) unique passphrase like
“Pauls advanced super secure waterproof odorproof riderwear Ducklin” you might end up with a very bad shortened password (if you are lucky it is in a language where you recognize it as a bad password).
Paul Ducklin
Yes, you need to choose the phrase in a way that delivers the necessary variety. And uniqueness, of course, so don’t use well-known sayings, song lyrics, book titles, etc.