May 29, 2017

Password Change Myth Discounted

If your network manager requires you to change your password frequently, he or she may need to put aside the tie-dyed t-shirts and park the VW Van someplace with a For Sale sign.

Password Change Myth Discounted
Password Change Myth Discounted

And if you are a network manager who thinks a monthly password change represents a “best practice,” Professor Eugene “Spaf” Spafford would like you to kindly let go of the mainframe computer and come join the rest of us in the 21st Century.

“Forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat – unless the password is immediately changed after each use,” Spaf posted at his blog on the Center for Education and Research in Information Assurance and Security (CERIAS) website at Purdue University.

Of course, that can be done today through the use of one-time passwords or tokens. The tradeoff would be the potential for a “lost password” being someone dropped his character-generating token in the toilet and flushed it away.

So why is your network manager such a psychotic out-of-touch maniac when it comes to forcing users to change passwords on a monthly or quarterly basis? He’s just following orders; unfortunately those orders were given at a time when the Mohawk had certain appeal as a hairstyle, according to Spaf:

Back in the days when people were using mainframes without networking, the biggest uncontrolled authentication concern was cracking. Resources, however, were limited. As best as I can find, some DoD contractors did some back-of-the-envelope calculation about how long it would take to run through all the possible passwords using their mainframe, and the result was several months.

So, they (somewhat reasonably) set a password change period of 1 month as a means to defeat systematic cracking attempts. This was then enshrined in policy, which got published, and largely accepted by others over the years. As time went on, auditors began to look for this and ended up building it into their “best practice” that they expected. It also got written into several lists of security recommendations.

What happens in a business full of non-techie types is a network full of easy to remember passwords that users create one time, and then add a number or letter to at the end every time the “system” tells them it’s time to change their password.

Spaf wrote that a monthly change has little to no impact on network security. To best address security means “policies should always be based on a sound understanding of risks, vulnerabilities, and defenses” rather than the “folk wisdom” of changing a password.

This represents an argument I had off and on during a lengthy run as a sysadmin. Weary of continually having to reset passwords for salespeople every quarter, I asked several times that we make people learn a single, hard-to-crack password and be done with it.

One would think I’d suggested a round of pay cuts at the executive level and Sundays off each week. We were expected to follow “best practices” as recommended by the auditors.

I’m glad the only contact I have with the 70s these days is when I’m listening to a classic rock station on the radio.


Add to | DiggThis | Yahoo! My Web |

Get all the updates in RSS:

About David Utter 902 Articles
David Utter is a business and technology writer for SecurityProNews and WebProNews.