A recent report from Microsoft Corp.’s research division says that many IT shops have gotten out of hand with regularly scheduled password changes.
The study argues that while IT security advice is complex and growing, the benefits are actually speculative and moot. “For example, much of the advice concerning passwords is outdated and does little to address actual threats,” wrote Cormac Herley, a principal researcher with Microsoft Research and the report’s author.
“Users are never offered security, either on its own or as an alternative to anything else,” he added. “They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security.”
If you have some time, the lengthy report is available to read here.
With passwords specifically, Herley said user education is not working, as scheduled password updates offer little benefit in exchange for the effort and time they require. He added that it is “entirely rational” for users to disregard security advice from IT shops.
“Insisting that users choose a unique strong password for each, which they change often and never write down is clearly a large burden,” he wrote.
Herley later writes that changing a password will only help if the attacker waits weeks before exploiting the password. “So this amplifies the burden for little gain,” he wrote. “Only if it is changed between the time of the compromise and the time of the attempted exploit does (changing the password) help.”
While I agree that security experts often overstate the risks and delve into scare mongering, Herley’s password example is a weak one.
Requiring a user to change their password every 60 or 90 days solves a number of issues.
At most organizations the enemy is often within; we’ve all heard stories about a rogue employee stealing sensitive data on a USB stick and taking it off-site. The same goes for passwords.
In the office setting, most passwords are cracked from within, with one co-worker attempting to snoop at another’s e-mail or private files. A mandatory change might also reduce the instances where an employee selects the “always remember password” feature on their system.
If some nefarious co-worker is trying to crack your password, changing it will at least halt the process and force that person to start over again.
Of course, that’s only if you aren’t simply alternating between the names of your kids or favourite sports teams. I don’t even know where to begin with the people who write their passwords on a sticky note for all to see.
Putting aside the internal threat, today’s cyber criminals often covertly steal passwords, leave a backdoor Trojan horse, and infiltrate your computer at a later date. At the very least, being forced to change your password will limit the amount of time an intruder can use it.
Another classic mistake is when a user just adds a number to the end of their existing password. This doesn’t force the hacker to start over and negates the time spent on changing the password.
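To make that point concrete, here is an added example (my own code, not from the post or from Microsoft Research) of a password-change check that rejects the “old password plus a number” kind of rotation. It assumes the change handler has both the old and the new password in memory, as it does when the user must type the old one; the sample pairs are constructed and the similarity threshold is an assumed value.

```python
import re
from difflib import SequenceMatcher

# Added example, not the post's own code. A change handler normally has both
# plaintexts in memory at change time, so this heuristic needs no stored history.

def _base(pw: str) -> str:
    """Normalise a password so trivial rotations collapse onto one value:
    lower-case it and strip leading/trailing runs of digits and symbols."""
    pw = pw.lower()
    pw = re.sub(r"^[\d\W_]+", "", pw)
    pw = re.sub(r"[\d\W_]+$", "", pw)
    return pw

def is_trivial_rotation(old: str, new: str, max_ratio: float = 0.8) -> bool:
    """True when `new` is the old password with a number or symbol bolted on,
    or otherwise differs from `old` by only a character or two.
    max_ratio (0.8) is an assumed threshold, not a standard value."""
    if old == new:
        return True
    base_old = _base(old)
    if base_old and base_old == _base(new):
        return True  # e.g. Summer2010 -> Summer2011
    # Catch other near-identical rewrites (one or two characters changed).
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= max_ratio

def check_change(old: str, new: str, min_length: int = 8) -> str:
    """Return 'ok' or the reason the change should be rejected."""
    if len(new) < min_length:
        return "too short"
    if not (re.search(r"[a-zA-Z]", new) and re.search(r"\d", new)):
        return "needs both letters and digits"
    if is_trivial_rotation(old, new):
        return "too similar to previous password"
    return "ok"

if __name__ == "__main__":
    # Constructed sample old/new pairs.
    for old, new in [("Summer2010", "Summer2011"),
                     ("IreatiP4G!", "IreatiP4G!1"),
                     ("Summer2010", "IreatiP4G!")]:
        print(f"{old} -> {new}: {check_change(old, new)}")
```

The similarity check is only possible at change time; stored history should remain hashed and can only ever catch exact reuse.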
The key is to create a strong password at the outset.
I highly recommend checking out these tips from Mac OS X Tips, which contain great advice on how to create a difficult to crack, but easy to remember password. Don’t be afraid of the article, it’s actually relevant to all PC users.
One of the most important tips I found there was to try to associate my passwords with a story. So, for example, here’s a pretty unique password that I just created: IreatiP4G!.
I developed it by memorizing the following sentence: I’m really excited about the iPhone 4G!
This phrase also gives me a built-in timetable to change my password, as I can create a new one after the 4G comes out. Using this technique will also prevent you from simply rotating a few easy-to-remember passwords, which I think many people are guilty of doing.
Systems that allow users to create weaker passwords are more susceptible to breaches.
Only a few years ago, many sites allowed you to register passwords with four to six letters. Today, some sites require you to enter eight characters, made up of both letters and numbers.
In the end, despite what Microsoft Research is telling users, regularly changing your passwords is not a bad thing — assuming it’s done properly. Sure, it’s not the “be all, end all” of IT security, and it certainly won’t make up for poor network management, but I’m not convinced it’s such an overwhelming burden on employees.