Skip to main content

Changing a Password

It's that time of the month.

My corporate email account has started warning me of dire consequences if I don't change my password. I'm going to have to start thinking again of a hard-to-guess easy-to-remember never-used-before nonsense string that will be my companion till thirty days do us part.

Now security experts are always telling me "industry best practice" dictates that I change my password ever so often. I never quite believed it, because it just did not add up. There just didn't seem to be a feasible attack that could take advantage of this kind of hole. After all, password changes matter only if someone is already accessing your account. If your password did get compromised, what kind of hacker would wait thirty days to take advantage of it? There are indeed some stalker scenarios where this kind of thing can be useful, where I might want to see all the emails being exchanged without doing anything for as long as that window is open but in other scenarios, you want to be in and out quickly, not wait thirty or ninety days. This seems like a case for a password that's hard to guess in the first place rather than one that changes often.

What is the real world analogy? Its not unlike asking a user to change his or her door locks every 90 days. A key, like a password, is easily copied. Both are suspect to simple attacks that anyone with simple skills and access to either the user and a bit of social engineering, or the lock itself, can gain access and retain it till the lock is changed. Yet no one recommends to homeowners that they change their locks every so many days, and burglars seem very reluctant to take advantage of all those millions of unchanged locks.

On the other hand, the problems of frequent password changes are well documented - written down passwords, predictable patterns, high support costs and so on. Indeed, there is strong evidence that frequent password changes reduces security by making it easier to guess the password (in which case most safeguards are out of the window). To prevent the harm, more rules have been added making passwords less repeatable, and therefore even more inconvenient.

How this policy came to be "industry standard" is not clear, which is surprising given all the debate surrounding it. The best I can figure out from literature is that passwords were originally set to expire before a brute force attack could reasonably be expected to crack the hashes. However, it seems to me that that is an argument for making passwords stronger, not changing them which we know leads to weaker passwords. I can come up with one or two strong but easy to remember passwords without killing too may grey cells, but asking me to do so every thirty days is like Sachin to hit a six every innings (oh wait, did he do that...?). For instance, if the minimum password length was increased to 12 characters (which gives you some 2,000 years of brute force cracking with your iPhone) could we do away with password changes? And of course, there's the itsy bitsy matter of supercomputers and massive bot clusters, which can chomp through even the longer passwords like candy - but if you're against one of those no frequency of password change will help. Also, the danger here is that the password hashes are compromised, which allows the attacker to take time cracking the hashes. Again, there are more effective steps to prevent that from happening than password change policies.

Is my rant backed up with anything? As it turns out, it is. There are lots of arguments (I've listed some links at the end) and some academic discussions too and, as far as I can make out, the overwhelming consensus is to get rid of it. Particularly illuminating was a Microsoft Research paper on the topic. Even NIST, the fount of much of best practice lore, gives no ringing endorsement that industry standard bearers would have hoped in its policy draft and is indeed strikes a very worried note in its study of actual password usage and attitudes. In the ACM, Zhang et al of UNC also decries the ineffectiveness of password expiry (albeit in a math-filled, tough-read kind of way), with the authors concluding "We believe our study calls into question the merit of continuing the practice of password expiration". Possibly the strongest indictment comes from Gene Spafford at Purdue's CERIAS who slams expiry policy as a "myth".

Then there's real world evidence - Citibank globally does not have a password expiration policy, neither does Amex or, closer at home, ICICI Bank. Yet, in spite of a fair amount of incentive to hack these accounts, the banks seem to have survived millions of customers for at least a decade without issue. Nor does GMail, Apple, Facebook or Yahoo with their hundreds of millions of accounts ask such expiry menstruations of you, and they are probably attacked more than Amex. When both motive and opportunity are so plentiful, maybe one wonders if this is really an open window at all.

So, known damage or uncertain theoretical protection? All security is a compromise, but this is one compromise that does not seem worth asking for. Instead, there are steps one can take to make passwords themselves stronger, or protecting the password hashes that evidence says actually works. Finally, MOVE AWAY from passwords.


Articles

Academic Papers

Comments

  1. Well said Sir....completely agree with the cons of very frequent changing of passwords

    My point of view is to REDUCE THE FREQUENCY and then TRAIN people how to create STRONG PASSWORDS.

    I disagree with Citibank, Amex or ICICI Bank's policy of no password expiration as some time cap should be there though not frequent, as there do exist some benefits of changing password regularly like:

    1. If you change your password at certain interval, hackers who may be trying to crack your password using brute force need to start over because your password may now have been changed to some pattern they've already tried and rejected.

    2. Forcing a password change also discourages users from using the same password on multiple accounts. (Using the same password on multiple accounts is bad because then your password is only as secure as the least secure of the systems sharing that common password, and if your account does get compromised, the bad guy suddenly has access not just to one account, but to multiple accounts, magnifying the scope of the problem).

    3. The "change your password" policy is there to mitigate the damage over time that could be caused if your password gets out, by limiting the window of opportunity for an attacker.

    4. If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn't help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account.

    ReplyDelete
    Replies
    1. You may disagree with the policy of these banks, but obviously over millions of accounts and years of data, there is no evidence of security breaches related to this.

      Delete

Post a Comment

Popular posts from this blog

Outsourcing I–The "Why" Question

A little while ago, I was asked to give a presentation to CEOs on outsourcing. The audience wanted to know about adopting outsourcing for their companies; making use of its promise while avoiding its pitfalls. It seemed to me (unimaginatively, I must admit) that the whole thing boiled down to four fundamental questions - the why , the what , the who and the how . I decided to expand the presentation into a series of blog posts, one per question. The Why Question Why outsource? Given that a trillion-dollar industry has crowded a lot of people into Bangalore and made more than one driver rich, it seems a little late to ask this question. However, this isn't really about outsourcing being good or bad per se. Bloggers like us love to wallow in theoretical questions; companies usually want answers to more prosaic stuff. The question really is, why should a company be looking for an outsource partner ?   I've divided the universe into two simple flavours – Tactical and Str

The Economics of 'E'

Mass market retailing is an expensive business. Rents, staff, inventory – the average brick and mortar retailer struggles along with barely visible net margins (spontaneous dancing is known to happen at 5%). With thousands of stores, hundreds of warehouses and over two million employees, Wal-Mart has in the last five years managed a profit margin of just 3.5%. The story is no different for any other major brick & mortar retailer, American or desi. Cool-kid-on-block Internet retail, on the other hand, thumbs a nose at the old-fashioned ways and gives the distinct impression that it can do much better. There's just one small problem. The bellweather Amazon, for all its buzz, seems unfortunately to have done much the same (indeed, a little less at 2.48% over the same period); nor has any other sizeable virtual retailer done much different. What gives? The law of unintended consequences, that's what. Lets take two of the most discussed items – rent and inventory. Mind you, thi

Opening Windows

Walls between work and life have broken down. Companies have not noticed. Work and leisure used to be quite distinct once upon a time (and that wasn't so long ago either). Work was carried out at designated hours in the workplace, with tools that the employer provided; home was spouses, kids and paid vacations. Even where you carried work home, it usually meant a temporary exile to the kitchen table. Once, only artists and rockstars lived without such boundaries. This, of course, is long gone. Laptops and telecommuting started the blurring process a couple of decades ago, but things really went south with the advent of  the smartphone. Uniforms gave way to business formals, yielded to business casuals before finally jumping off the roof entirely when the flip-flopped dotcommers took over. Work texts were shoved between bites of dinner, treadmills served as venues for conference calls, angry birds flirted with corporate emails and social networking finally nailed all those coffins f