Changing a Password

It's that time of the month.

My corporate email account has started warning me of dire consequences if I don't change my password. I'm going to have to start thinking again of a hard-to-guess easy-to-remember never-used-before nonsense string that will be my companion till thirty days do us part.

Now security experts are always telling me "industry best practice" dictates that I change my password ever so often. I never quite believed it, because it just did not add up. There just didn't seem to be a feasible attack that could take advantage of this kind of hole. After all, password changes matter only if someone is already accessing your account. If your password did get compromised, what kind of hacker would wait thirty days to take advantage of it? There are indeed some stalker scenarios where this kind of thing can be useful, where I might want to see all the emails being exchanged without doing anything for as long as that window is open but in other scenarios, you want to be in and out quickly, not wait thirty or ninety days. This seems like a case for a password that's hard to guess in the first place rather than one that changes often.

What is the real world analogy? Its not unlike asking a user to change his or her door locks every 90 days. A key, like a password, is easily copied. Both are suspect to simple attacks that anyone with simple skills and access to either the user and a bit of social engineering, or the lock itself, can gain access and retain it till the lock is changed. Yet no one recommends to homeowners that they change their locks every so many days, and burglars seem very reluctant to take advantage of all those millions of unchanged locks.

On the other hand, the problems of frequent password changes are well documented - written down passwords, predictable patterns, high support costs and so on. Indeed, there is strong evidence that frequent password changes reduces security by making it easier to guess the password (in which case most safeguards are out of the window). To prevent the harm, more rules have been added making passwords less repeatable, and therefore even more inconvenient.

How this policy came to be "industry standard" is not clear, which is surprising given all the debate surrounding it. The best I can figure out from literature is that passwords were originally set to expire before a brute force attack could reasonably be expected to crack the hashes. However, it seems to me that that is an argument for making passwords stronger, not changing them which we know leads to weaker passwords. I can come up with one or two strong but easy to remember passwords without killing too may grey cells, but asking me to do so every thirty days is like Sachin to hit a six every innings (oh wait, did he do that...?). For instance, if the minimum password length was increased to 12 characters (which gives you some 2,000 years of brute force cracking with your iPhone) could we do away with password changes? And of course, there's the itsy bitsy matter of supercomputers and massive bot clusters, which can chomp through even the longer passwords like candy - but if you're against one of those no frequency of password change will help. Also, the danger here is that the password hashes are compromised, which allows the attacker to take time cracking the hashes. Again, there are more effective steps to prevent that from happening than password change policies.

Is my rant backed up with anything? As it turns out, it is. There are lots of arguments (I've listed some links at the end) and some academic discussions too and, as far as I can make out, the overwhelming consensus is to get rid of it. Particularly illuminating was a Microsoft Research paper on the topic. Even NIST, the fount of much of best practice lore, gives no ringing endorsement that industry standard bearers would have hoped in its policy draft and is indeed strikes a very worried note in its study of actual password usage and attitudes. In the ACM, Zhang et al of UNC also decries the ineffectiveness of password expiry (albeit in a math-filled, tough-read kind of way), with the authors concluding "We believe our study calls into question the merit of continuing the practice of password expiration". Possibly the strongest indictment comes from Gene Spafford at Purdue's CERIAS who slams expiry policy as a "myth".

Then there's real world evidence - Citibank globally does not have a password expiration policy, neither does Amex or, closer at home, ICICI Bank. Yet, in spite of a fair amount of incentive to hack these accounts, the banks seem to have survived millions of customers for at least a decade without issue. Nor does GMail, Apple, Facebook or Yahoo with their hundreds of millions of accounts ask such expiry menstruations of you, and they are probably attacked more than Amex. When both motive and opportunity are so plentiful, maybe one wonders if this is really an open window at all.

So, known damage or uncertain theoretical protection? All security is a compromise, but this is one compromise that does not seem worth asking for. Instead, there are steps one can take to make passwords themselves stronger, or protecting the password hashes that evidence says actually works. Finally, MOVE AWAY from passwords.

Articles

• http://security.blogoverflow.com/2011/07/question-of-the-week-1/
• href="http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
• http://digitaltrustllc.com/?p=49

Academic Papers

• https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf
• http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf
• http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7991.pdf
• https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf