Are they good practice or counterproductive?

By Sarosh Petkar, BS/MS Student, Computing Security – RIT

INTRODUCTION
Mandatory password changes are an age-old security practice within numerous organizations.

This practice is described as a mechanism to lock out unauthorized users who may have managed to social engineer the user’s password. Most office employees have to deal with this, as their office system administrators keep sending annoying reminders to keep changing passwords periodically. Is this a requirement or practice that has been so ingrained that its acceptance is no longer questioned?

As per widespread opinion, periodic password changes are theoretically a good idea as they ensure the security of a user’s password. This opinion is based on the belief system that constantly changing passwords would prove to be a herculean task for nefarious actors to figure them out. But in reality, these regular passwords changes tend to be an inconvenience to users, and at the same time alters user behavior to choose weak passwords, as they know they will have to change it in few months time.

BACKGROUND
A recent University of North Carolina (UNC) research, outlined by FTC Chief Technologist Lorrie Cranor agrees that doing periodic password changes can be counterproductive, as it encourages poor password selection by the users. The study suggests that when people are forced to change their passwords periodically, they tend not to put much thought behind it.
Users are inclined to choose passwords that are simple to compensate for the frequent changes required of them.

According to the UNC study, people have a habit of choosing passwords that follow a predictable pattern, which is technically called ‘transformations.’ These transformations are characterized as the addition of a number, deletion of a special character or switching the order of the numbers. These researchers obtained cryptographic hashes (of all passwords) to around 10,000 expired accounts whose users had been required to change their passwords every trimester.

By studying the data, the researchers identified common techniques that users deploy when changing their passwords. For instance, a password like mrcoolguy@1 (without the quotations) after alteration ended up being Mrcoolguy@1 on the second change and so on. Further, it may be changed to either mrcoolguy@11 or mrcoolguy@2 and so on. These iterations do not aid in increasing the complexity of the password significantly.

Additional research at Carleton University suggests that if an attacker is already aware of your password, then it is highly unlikely that he will be warded off by a simple password change. In some, cases an attacker might already have installed some malicious keylogger to grab all future passwords. So changing passwords in this scenario would be an exercise in futility. Finally, over the past few years, organizations such as the National Institute of Standards and Technology (NIST) in the US and the National Technical Authority for Information Assurance (CESG) in the UK have concluded that mandated password changes are often ineffective or counterproductive.

RECOMMENDATION
So the question remains, how often does a password need to be changed? Unfortunately, there is no definitive answer. Regularly changing your password is essential if you use the same password everywhere and you have a strong suspicion to believe that your password has been stolen. This should be done on all accounts that use the same password. Rather than changing the single password regularly, a wise choice would be to use complex unique passwords for all applications.

However, remembering unique passwords for all the applications is quite impossible – hence a password vault like 1Password or LastPass must be used. These third-party applications come with their own set of issues, but at this point, it is a case of making a conscious risk acceptance decision to eliminate the risks inherent in password reuse.

Which begs the question, what are good practices to use when creating a complex password? Well, known, security and privacy expert Bruce Schneier recommends the following:
1. Never reuse a password you care about. Even if you choose a secure password, the site it is for could leak it because of its own incompetence.
2. Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.
3. Beware the ‘secret question.’ You don’t want a backup system for when you forget your password to be easier to break than your password.
4. Finally, if a site offers two-factor authentication, seriously consider using it. It is almost certainly a security improvement.

CONCLUSION
In conclusion, the first step towards password security is to assess the risks and benefits to your organization. Next, consider deploying alternative methods towards increasing security. Most experts agree that mandating password expirations is an inconvenience to end-users without any benefit to security and may even create a less secure environment for the previously stated reasons.

What should be done?
Organizations must encourage users to make an effort to create strong passwords that they will be able to use for a longer period. This policy in combination with periodic security awareness training, well-chosen salts, and limited login attempts will help to increase password level security.

However, the gold standard that companies should establish – especially if the enterprise maintains sensitive data is to implement either biometrics or multi-factor authentication.
For example, there are some token generators that provide “three-factor” authentication (username, password and token code). Some systems might even require you to answer some pre-negotiated questions or select a specific photo from a group of images. These add an extra layer of security to the user accounts.

I believe it is crucial to find a balance between convenience and keeping corporate information secure. In that respect, multi-factor authentication seems to be the best approach for moving forward. Experts like to rant about how the end-users are the weakest component of enterprise security. But, with MFA becoming as ubiquitous as tweeting for millennials, this mechanism is already at the user’s fingertips.

Recently, even Apple has sent out friendly reminders to encourage its users to enable 2FA to provide an extra layer of security for its iCloud data as well as for all other devices. Thus, on comparing the convenience of the standard username and passwords with multi-factor authentication methods, it looks like the latter seems to prevail.

Ergo, organizations should ruminate about the pros and cons of mandatory password changes and then consider making calculated user-centered changes to their password policies instead of forcing its employees to constantly keep changing their login passwords.

About The Author
Sarosh Petkar is a BS/MS student of the RIT Computing Security department. He is on his way to Mountain View, CA for a summer internship with Veritas and has previously worked with Covermymeds in Columbus, OH. His interests include reverse engineering, network security, and cryptography. Sarosh Petkar can be reached online at sap6224@g.rit.edu