Best practices have long demanded that policies be created to force passwords to expire periodically. I have personally always been a little bit skeptical about forced password expirations, but the practice is so deeply engrained in IT culture that I have never wanted to go against the grain by advising against the use of such policies. Somehow, doing so just seemed irresponsible. Recently, however, Microsoft published its security baselines for Windows 10 1903 and Windows Server 1903. In that guide, Microsoft has recommended that password expiration policies no longer be used. The question is why.
To understand the rationale behind this somewhat unexpected move, you have to think back to the early days of IT. Back then, it was a lot more difficult to detect the use of stolen credentials. That being the case, password expiration policies were implemented as a way of ensuring that if someone did manage to steal a password, the stolen password would only be of use to them for a limited period.
By today’s standards, this approach is ludicrous. If someone manages to steal a password, they can do untold damage within a matter of minutes. Is it really smart to let that person have free rein of the compromised account until the password expires in a few weeks? Of course not. Security breaches need to be addressed in real time.
Security is weakened, not strengthened
On the flip side of the issue, requiring periodic password changes can actually weaken an organization’s security. I can’t help but think back to an organization that I worked for at the very beginning of my IT career. Like every other organization that I can think of, this particular company required periodic password resets. However, they did it in a way that was completely different from anything that I have seen elsewhere. Rather than requiring the user to come up with their own password, the system assigned passwords to users. These passwords were made up of two random words (usually one- or two-syllable nouns), separated from one another by a space. An example of one of the system-generated passwords might be “church hotel”.
One thing that you’ll notice about this sample password is its simplicity. Even though the password is 12 characters long, it is made up of two one-syllable words, both of which are found in the dictionary. Even so, I can vividly remember people having trouble remembering their passwords. I once had to have my password reset because I could not remember the new password that the system had assigned to me.
Now, compare the simple password that I just showed you to what a lot of organizations require today. It’s not uncommon for a modern password to be twelve characters long, just like my example password from so long ago. What’s different, however, is that modern passwords tend to be completely random combinations of upper and lowercase letters, numbers, and symbols. If users have trouble memorizing a pair of simple, single-syllable words, then just imagine how much more challenging it is for a user to memorize a complex string of random characters, especially when the user’s password changes every few weeks.
In my opinion, there is nothing wrong with complex, random passwords. Passwords need to be sufficiently complex to avoid being compromised during a dictionary attack or a brute force attack. However, requiring the use of long, complex passwords and also requiring frequent password changes is just asking for trouble. Most users are going to have trouble remembering their current password, which either leads to constant password resets, bad password habits, or both. If you need a concrete example, then look no further than the Hawaii Emergency Management Agency, which received sharp criticism after one of its employees was photographed in front of a computer on which the user’s password was written on a sticky note.
The most audacious example of reckless password use that I have ever personally seen was a situation in which a user used the Windows 3D Text screensaver to display his password. You just can’t make this stuff up.
In any case, password change policies are a relic from days gone by and were intended as a mechanism for limiting an attacker’s access to a compromised account. Today, however, password-related security breaches are far easier to detect than they once were. If an organization is confident in its ability to detect an account breach, then there is no reason why a user should have to change their password unless their account has been compromised.
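The detection that this argument relies on, as an added example that is not from the article: a small Python scan over constructed logon events (Windows event IDs 4625 and 4624 as the failure and success markers; the line format, thresholds, user names and addresses are my assumptions) that flags a burst of failed logons followed by a success on one account, and a single source spraying guesses across many accounts. Either pattern is a signal to act on within minutes, which is the response a scheduled expiration can never provide.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs): "timestamp event_id user source";
# 4625 is a failed logon, 4624 a successful one.
SAMPLE_EVENTS = """\
2019-06-03T09:00:01 4625 alice 203.0.113.10
2019-06-03T09:00:03 4625 alice 203.0.113.10
2019-06-03T09:00:05 4625 alice 203.0.113.10
2019-06-03T09:00:07 4625 alice 203.0.113.10
2019-06-03T09:00:09 4625 alice 203.0.113.10
2019-06-03T09:00:12 4624 alice 203.0.113.10
2019-06-03T09:01:00 4625 bob 198.51.100.7
2019-06-03T09:01:01 4625 carol 198.51.100.7
2019-06-03T09:01:02 4625 dave 198.51.100.7
2019-06-03T09:01:03 4625 erin 198.51.100.7
2019-06-03T09:05:00 4625 frank 192.0.2.44
2019-06-03T09:05:30 4624 frank 192.0.2.44
"""

def parse_events(text):
    """Parse the constructed lines into (timestamp, event_id, user, source) tuples."""
    return [(datetime.fromisoformat(t), int(e), u, s)
            for t, e, u, s in (line.split() for line in text.splitlines())]

def detect_guess_then_success(events, min_failures=5, window=timedelta(minutes=5)):
    """Accounts with >= min_failures failed logons shortly before a successful one."""
    failures, hits = defaultdict(list), set()
    for ts, event_id, user, _ in events:
        if event_id == 4625:
            failures[user].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[user] if ts - t <= window]
            if len(recent) >= min_failures:
                hits.add(user)  # one typo is normal; a burst then success is not
    return hits

def detect_spray(events, min_accounts=4, window=timedelta(minutes=5)):
    """Sources whose failed logons hit >= min_accounts distinct users in one window."""
    by_source, hits = defaultdict(list), set()
    for ts, event_id, user, source in events:
        if event_id == 4625:
            by_source[source].append((ts, user))
    for source, fails in by_source.items():
        for start, _ in fails:
            users = {u for t, u in fails if start <= t <= start + window}
            if len(users) >= min_accounts:
                hits.add(source)
                break
    return hits
```

On the sample data, alice's account and the 198.51.100.7 source are flagged, while frank's single mistyped password followed by a success is left alone.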
Future of passwords
The idea that password expiration policies have become obsolete brings up an important point. Many people consider passwords themselves to be obsolete. According to a 2012 Wired article, passwords can trace their roots to an MIT project from the 1960s. Some sources speculate that the use of passwords may be even older than that.
Regardless of when passwords were actually invented, it’s fair to say that passwords have been around for over half a century. Very few IT technologies have seen that kind of longevity, and yet the concept of a password has remained relatively unchanged for over fifty years. While some might say that passwords have stood the test of time, others (myself included) would say that passwords have outlived their usefulness.
The main problem with passwords is that they can be easily compromised. We’ve probably all heard stories of a password being stolen by someone who is shoulder surfing (standing behind someone as they type their password). However, the techniques for observing someone as they type their password have become increasingly sophisticated. Just yesterday, someone was telling me about an exploit in which bad actors are using thermal imaging cameras to look for heat signatures on keys to tell which keys were pressed. From what I have been told, the exploit is being used primarily on ATMs to figure out PINs, but the same basic concept could easily be applied to password theft.
In recent years, technology has given us better, more secure, and less cumbersome alternatives to password use. My Microsoft Surface Book 2 laptop, for instance, is configured to perform authentication based on facial recognition. The logon process works surprisingly well, and there are no passwords to remember. Best of all, there is little chance of someone stealing a password, because there is no password. Granted, the Surface Book 2 uses a numerical PIN as a backup authentication mechanism, but the PIN is only required if facial recognition fails, and the facial recognition mechanism works well enough that authentication failures are very rare.
Password expiration policy change: One caveat
In my opinion, the move to get rid of password expiration policies is long overdue. Requirements for periodic password changes do little good in the modern world, and might actually weaken security. Before you completely abandon your password change policy, however, it is important to remember that abandoning such policies might not be an option in regulated organizations. Some regulatory frameworks contain specific requirements about the frequency with which passwords must be changed.