It is no secret that password expiration annoys just about everyone on the planet. Even with the advent of SSO and password vaults to help ease the pain…it's still an unpleasant experience. I change the password to my bank account and then I have to re-validate my financial aggregator followed by my mobile and desktop apps and pretty much everything else that relies on a security token associated with that credential.
Having worked in the security industry building Identity Management software for 20 years, I have a few thoughts about this.
Why is password expiration even a thing?
Passwords went through an evolution. First it started with just having any password at all in the 70s–90s. Then came rainbow tables and the availability of brute-force cracking software in the late 90s, which led to the following reactions by IT organizations:
Reaction #1: If a brute force attack takes X days to crack a password (or a backup of a password file is compromised within that same period), enforce a policy that passwords get changed before that has a chance to happen.
Reaction #2: People are using weak passwords (their name, birthdate, etc…), therefore, enforce a password that must contain at least X upper-case letters, Y lower-case letters and Z digits. The intent is to increase the entropy of the password, making it harder to guess.
Computers are getting faster and faster. Access to large amounts of compute is getting cheaper by the day. Staying ahead of brute force attacks is ultimately an unsolvable problem. Forcing expirations doesn’t really solve anything. At some point, expirations cannot outpace the time it takes to crack a password. I’d argue we’ve already reached that point given that it only takes a few days to crack most “strong” passwords of a sufficient length that people can still remember. Let’s just concede to the fact that if someone really wanted to, they could probably crack your password long before you are forced to change it.
Secondly, forcing password composition rules is also troublesome. In an effort to increase entropy, human behavior actually negates the reasons why the policy was put into play. You wouldn't believe how many passwords are out there that have the value "password" or "Password1" to satisfy composition rules (https://cybernews.com/best-password-managers/most-common-passwords/). In fact, I've noticed over the years that users will usually start their password with a capital letter and end it with numbers just to satisfy the password composition rules. That gives password crackers a leg up (26 possible choices for the first character, 10 possible choices for the last). Adding a symbol character requirement makes it even worse because it will be at the end or a substitute for the letter it most looks like (let's be honest, most people will pick a symbol above the number keys). Who has ever used "$" for S, "@" for A and "!" for I? Probably everyone at some point.
Until someone solves the P=NP problem, increasing entropy is the key to secure passwords. Unfortunately, we need to take the human out of the picture to get to the levels of entropy necessary to stay ahead of the game. A password of 100 random ones and zeros is going to have an entropy of 191 bits, which is far greater than an 8-character random password that contains characters from the entire ASCII character set (entropy = 38 bits). In fact, a password using common popular composition rule requirements would need to be 20 characters long to match the entropy of the numeric-only password of 100 ones and zeros. If we rely on humans to “remember such passwords”, then adding in a password expiration is doomed from the start. Because the password needs to contain odd characters and be so long to begin with, humans will most likely just repeat the last character or stick another number onto the end so that they don’t have to figure out how to remember and quickly type a new random string of characters. This has almost zero effect on the time it takes to crack it. If you add in password history to keep repetition from happening, then you really frustrate the user and they may not be a user of your system for long.
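As an added illustration, not part of the original post, of the entropy arithmetic above and of the "capital first, digit last" habit: the alphabet sizes, the pattern codes and the 10 billion guesses-per-second rate are this example's own assumptions, so its figures depend on the alphabet assumed and are not the post's numbers.

```python
import math

# Alphabet sizes assumed for this example (not figures from the post).
PRINTABLE_ASCII = 95          # ' ' through '~'
ALPHABETS = {"U": 26, "l": 26, "d": 10, "s": 33, "a": PRINTABLE_ASCII}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a string drawn uniformly from one alphabet."""
    return length * math.log2(alphabet_size)


def length_to_match(alphabet_size: int, target_bits: float) -> int:
    """Shortest length over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def pattern_entropy(pattern: str) -> float:
    """Entropy when each position is drawn only from the class a habit
    dictates: U=upper, l=lower, d=digit, s=symbol, a=any printable."""
    return sum(math.log2(ALPHABETS[c]) for c in pattern)


def expected_crack_days(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: half the key space."""
    return (2 ** bits / 2) / guesses_per_second / 86400


def expiry_beats_cracking(bits: float, guesses_per_second: float,
                          expiry_days: int) -> bool:
    """True only if the password is expected to outlive the rotation window."""
    return expected_crack_days(bits, guesses_per_second) > expiry_days


if __name__ == "__main__":
    rate = 1e10  # constructed: 10 billion offline guesses per second
    cases = [
        ("100 random bits", entropy_bits(2, 100)),
        ("8 random printable ASCII chars", entropy_bits(PRINTABLE_ASCII, 8)),
        ("Upper + 6 lower + digit (habit)", pattern_entropy("Ulllllld")),
    ]
    for label, bits in cases:
        days = expected_crack_days(bits, rate)
        print(f"{label:34s} {bits:6.1f} bits  ~{days:.3g} days  "
              f"survives 90-day expiry: {expiry_beats_cracking(bits, rate, 90)}")
    print("printable-ASCII length needed for 100 bits:",
          length_to_match(PRINTABLE_ASCII, 100))
```

The habit pattern loses roughly 16 bits against a truly random 8-character password, and neither survives a 90-day rotation window at the assumed rate; only the machine-generated 100-bit secret does.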
My thoughts on the solution: ask people to use a password vault and let the machines decide what the passwords should be to reach the desired entropy level. Am I alone in this way of thinking? Well, just look at the rise of Privileged Access Management (PAM) products as a natural and necessary reaction to solving this dilemma for enterprise service accounts. A highly secure environment typically will have IT staff that do not even know what the passwords are to their critical systems. They just know that the passwords maintain a certain entropy level and automatically cycle out on a schedule measured in minutes to hours.
Is that it?
Nope. Passwords are not enough. Two-factor and three-factor authentication are becoming critical. I've personally come to the point where I never rely on just passwords for my critical logins (such as when I access my financial institutions or even my own password vault). If they don't provide 2FA, I take my business elsewhere.
Two & Three-Factor Authentication
There is a popular phrase used in security circles: “Authentication should prompt for ‘something you know’, ‘something you have’, and ‘something you are’”.
Passwords are an example of representing “something you know”.
A Yubikey, phone authenticator app or RSA token (I feel old) all represent "something you have".
Fingerprint and iris scanners represent “something you are”.
Enforcing all three factors is the most secure way of doing business because the hacker needs to do a whole lot more than run a password cracker tool. Even satisfying just two of the three factors will increase your security posture 100-fold or more.
So, back to the original concern…why is password expiration a thing? Bottom line: when it comes to users, it is old-school thinking and, more harshly, pure dogma with very little effectiveness. As long as humans need to "remember" them, password expiration will become more and more of an anti-pattern as the requirements on password composition grow to keep moving the password entropy curve. Like all things paved with good intentions, the reality of password expiration has turned out to be a whole lot messier, more painful, and less effective…not to mention riddled with unnecessary calls to the support desk to get an account unlocked after a failed password reset.
Instead, create high-entropy passwords, store them in a secure password vault to remember them, and get yourself and your team onto the 2FA and 3FA train. Force your software vendors to do the same or take your business elsewhere. The tools these days to satisfy the user experience around 2FA & 3FA are getting better and better. In my opinion, 2FA and 3FA are light-years ahead in terms of security effectiveness and logistics compared to changing a password every X days.
What are your thoughts?