
Article – Forced Password Changing is Poor Policy and Reduces Security

The dogma of forced password changes demands a serious policy rethink.  Forced password changes frustrate users, increase sustainment costs and reduce security.[1][2]  Forced password changes cost industry and Defence billions of dollars a year, yet, for many years this has been recognised as poor and ineffective practice.[3][4][5][6][7]  Moreover, this financial cost fails to consider the costs of time, energy and user frustration.

At inception, forcing users to change passwords was considered wisdom; it would deny hackers entry to systems because they no longer had ‘the password’.  Accordingly, this action improved cyber security, or so the alleged logic went.  Yet, any analysis of computing (nowadays ‘cyber’) is impoverished without considering user behaviour, let alone how hackers actually operate.

Consider, for example, the ‘Typical User Profile’ that I have generated at Table 1. Although there is evidence that password security is correlated to the sensitivity of the service,[8] recalling that many passwords, when not necessarily using all accounts daily, is a tall order.  What would a user (aka human) do to remember all of the above combinations?  A solid analysis would suggest they will either (1) forget/reset (costing time, money and frustration) or (2) write down the password combinations – which is the antithesis of cyber security.

It is also noteworthy that forced password changes consistently reflect only minor increments, specifically incrementing a number or letter, e.g. FROM abc123 TO abc124.  Ask yourself, what do you do when you are forced to change your password – are you up to ‘pa$$word18’ or ‘pa$$word24’?  Then ask yourself if a budding script kiddie (junior hacker) could readily guess the same subtle change…
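The incremental changes described above can be caught at the moment a password is changed, since the user supplies the old password in cleartext during a normal change flow. The following check is an added example written for this article, not code from the author or from any Defence system; the function names and the “trivial” thresholds (same base with a different trailing number, case-only change, added or dropped suffix, or at most two edited characters) are my own assumptions.

```python
import re


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; passwords are short, so the O(len*len) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _split_trailing_number(pw: str):
    """'abc123' -> ('abc', 123); 'abc' -> ('abc', None)."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), int(m.group(2))) if m else (pw, None)


def is_trivial_change(old: str, new: str) -> bool:
    """True when `new` is only a minor edit of `old` of the kind the article
    describes (abc123 -> abc124, pa$$word18 -> pa$$word24), which a password
    change policy would want to reject. Thresholds are assumptions."""
    if old.lower() == new.lower():
        return True                                   # case-only change
    old_base, old_n = _split_trailing_number(old)
    new_base, new_n = _split_trailing_number(new)
    if old_n is not None and new_n is not None and old_base == new_base:
        return True                                   # same base, new number
    if new.startswith(old) or old.startswith(new):
        return True                                   # suffix added or dropped
    return _edit_distance(old.lower(), new.lower()) <= 2


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("abc123", "abc124"), ("pa$$word18", "pa$$word24"),
                     ("Password1", "password1"), ("abc123", "Tr0ub4dor&3")]:
        verdict = "REJECT (trivial)" if is_trivial_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```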

The reality is poor passwords are readily guessed or ‘brute forced’[9] by hackers.  Moreover, this technique is but one way hackers side-step encryption.  Yes, that is correct; military-grade encryption is a dubious reason for feeling cyber secure.  The billions spent worldwide on employing the top 0.001% of the best Mensa can recruit is simply side-stepped by any budding hacker after watching a few YouTube videos!  I digress.

A bigger issue with passwords is when they are used on multiple accounts.  If you want to see what happens to even the ‘cyber experts’ when they repeatedly use the same password, google “hack HBGary” or “Aaron Barr”.  Stepping back, a 2012 survey shows three-quarters of people self-reported using the same password for more than one account[10] – worse, the same article reinforces the unquestioned doctrine that passwords must be regularly changed.  Even Australian national policy echoes this same creed – with (in my view) zero evidence to support its current value.[11]  Yet, consider the following mathematical logic when using ‘strong passwords’:[12][13]

  • A 9 digit combination[14] would take 0.29 milliseconds to crack
  • A 9 character combination of numbers and letters[15] would take more than 3 months
  • A 9 character combination of numbers, letters and special characters[16] – over 6 decades
  • A 10 digit combination[17] would still take 0.29 milliseconds to crack
  • A 10 character combination of numbers and letters[18] would take more than 1 decade
  • A 10 character combination of numbers, letters and special characters[19] – over 4 millennia!

The pure logic here demonstrates a password containing a 10 character combination of numbers, letters and special characters is not going to be guessed anytime soon.  Surely, our policy makers can understand this low risk of guessing complex passwords?  Indeed, even if policy makers cannot accept this low level of risk; they could enforce 12 character complex passwords – where the current computational time is a truly staggering 1,026,997 thousand years[20] – this is enough time to fly the space shuttle to Alpha Centauri and back over 3,000 times![21]  Therefore, when users have complex passwords – why force them to change, particularly when any such changes are routinely incremental?  Guessing passwords is not a risk worthy of attention.
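The figures above come from an online calculator whose guess rate and character sets are not stated, so here is the underlying arithmetic carried through explicitly, as an added example and not code from the article. It assumes character-set sizes of 10, 62 and 95 and an attacker rate of 1e10 guesses per second (a figure I have chosen for an offline attack against a fast, unsalted hash; slow, salted hashes reduce it by orders of magnitude), and it extends the list to the 12-character case the paragraph mentions.

```python
# Character-set sizes assumed for this example; the article's own figures
# come from a calculator whose assumptions are not given.
CHARSETS = {
    "digits": 10,                  # 0-9
    "digits+letters": 62,          # 0-9, a-z, A-Z
    "digits+letters+special": 95,  # all printable ASCII
}

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate in the space is tried once."""
    return keyspace(charset_size, length) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    units = [("millennia", 1000 * SECONDS_PER_YEAR), ("decades", 10 * SECONDS_PER_YEAR),
             ("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1), ("milliseconds", 1e-3)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds * 1e6:.3g} microseconds"


def crack_table(lengths=(9, 10, 12), guesses_per_second: float = 1e10):
    """One row per (length, charset): keyspace and time to exhaust it at the
    assumed rate. Each extra character multiplies the keyspace by the
    charset size, which is why length matters more than forced rotation."""
    rows = []
    for length in lengths:
        for name, size in CHARSETS.items():
            secs = seconds_to_exhaust(size, length, guesses_per_second)
            rows.append((length, name, keyspace(size, length), human_duration(secs)))
    return rows


if __name__ == "__main__":
    for length, name, space, duration in crack_table():
        print(f"{length:>2} chars, {name:<24} {space:>26,d} candidates  {duration}")
```

The numbers a practitioner gets from this will differ from the article's because the rate is an assumption; the ordering of the rows, and the jump from 10 to 12 characters, is what the argument rests on.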

Conclusion – What is Smarter Policy on Passwords?

Smarter password behaviour is not using the same password for anything sensitive, e.g. banking, financial, work or private accounts.  In reality, hackers hack, crack, guess or steal passwords – regardless of complexity.  A better policy is to advise users (1) when attempts have been made to login to their accounts, (2) when their passwords have been changed and (3) to use multi-factor authentication.  This empowers users, rather than treating them like culprits.

Smarter policy would purchase a single super-computer, for say $20,000 (replaced every 3-4 years), and employ someone to run it with the sole purpose of ‘guessing’ passwords.[22][23][24]  When the super-computer guesses a password, it would generate an automated email to the user advising them their password had been guessed and, accordingly, they must change their password.  Not only would this benefit users beyond their Army life by making users consider changing the same password to any personal data, it serves multiple Army and Defence end-states by (1) reducing sustainment costs, (2) enhancing user cyber security awareness, (3) reducing user frustration and, most importantly, (4) increasing systemic cyber security.

References:

[1] https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach and http://www.zdnet.com/article/forcing-users-to-change-their-passwords-may-do-more-harm-than-good/

[2] https://www.linkedin.com/pulse/forced-password-changes-longer-best-practice-australia

[3] Research companies suggest the cost per password reset via a Help Desk is somewhere between $17 and $25 each time.

[4] https://securingthehuman.sans.org/blog/2014/03/06/why-the-90-day-rule-for-password-changing

[5] https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

[6] https://www.avatier.com/blog/the-true-cost-of-password-resets/

[7] http://lifehacker.com/5515133/mandatory-password-changes-costs-billions-in-lost-productivity

[8] Duggan, Johnson & Grawemeyer, ‘Rational security: Modelling everyday password use’, International Journal of Human-Computer Studies, 22 Feb 2012.

[9] Hackers use ‘brute force’ attacks (also known as ‘dictionary attacks’) instead of trying to crack encryption.  They achieve this by comparing a ‘dictionary file’ of possible passwords against the user’s password.

[10] http://www.bbc.co.uk/news/business-20726008 accessed April 2017.

[11] http://www.theaustralian.com.au/opinion/towards-a-safer-online-world-for-australians-at-every-level/news-story/85576c4d8fee333f82ebaa9bc3c0dbc5

[12] For simplicity, the author defines a ‘strong’ password as being at least 10 characters long and containing numbers, letters and special characters because over 4 millennia is somewhat of a long time.

[13] https://www.betterbuys.com/estimating-password-cracking-times/

[14] 123456789

[15] 123abc789

[16] 123abc$%^

[17] 1234567890

[18] 123abcd789

[19] 123abcd$%^

[20] 1234ABCD!@#$

[21] http://earthsky.org/space/alpha-centauri-travel-time

[22] http://resources.infosecinstitute.com/10-popular-password-cracking-tools/#gref

[23] https://fossbytes.com/best-password-cracking-tools-2016-windows-linux-download/

[24] https://www.wondershare.com/password/password-cracker-tools.html

About the Author:

The author is a serving ADF member.  The Cove is allowing them to write anonymously for legitimate reason.  The member’s identity, and the veracity of their work, has been checked.

3 thoughts on “Article – Forced Password Changing is Poor Policy and Reduces Security”

  1. There are excellent papers from both Microsoft Research & GCHQ that broadly support a number of the points in this article, and cover the maths in some detail, as well as analyzing tens of millions of passwords published from major breaches. MFA FTW here. Some degree of change may have value, but it’s likely a lot lower than many organizational defaults.

  2. An excellent article. Thought provoking and honest. I would add the number of cumulative work hours lost due to resetting

  3. Wouldn’t a complex written password reduce the risk of successful brute force attempts by hackers in the world?  It simultaneously increases the risk of a few people with physical access to the password, but at least it’s not easily brute-forced by a large number of hackers on the web.

    Ideas:
    Maybe encouraging written passwords is okay if you take into consideration current weak password habits.
    Can we unify all the passwords by having one really long password for everything like google does for many websites, and/or implement password managers.
    Add a workplace authenticator (like a clock on the wall)
    Add analytics to identify login anomalies (times of day, unusual location)
    Change the usernames.

    If we are relying on password resets so much, maybe we should embrace it by greatly optimising that process. Which raises the question, why not consider biometrics for authentication?
