A few days ago, Microsoft announced that it’s considering dropping password expirations from its security baseline in Windows 10. NIST’s Authentication and Lifecycle Management guidelines recommend against password expiration:
“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”
For years, security recommendations included regular password changes, at least every quarter. Has the security industry been wrong this whole time? Can we get rid of that annoying “your password will expire in 7 days” notification now? Maybe.
Password expiration policies are intended to limit the damage from compromised passwords or hashes. If an attacker steals a password, expiration limits how long that password stays valid, or how much time is available to crack a password hash. [see a future post for more information about password hashing]. Any reasonable expiration time adds little security benefit, though: by the time the policy forces an expiration, an attacker who has your credentials has likely already done the damage. And if you know that a credential was stolen, the first step is changing it, not waiting for it to expire.
Think about the last time you changed your PC password. If you’re like most people, you had to write it down on a post-it for the first few days. That post-it created a vulnerability where there wasn’t one before. Worse, if password complexity is enabled, the new password probably looks like your last three, tweaked just enough to meet the complexity requirements. For example, [email protected]$w0rd meets the default Windows complexity requirements but is a terrible password, because those letter substitutions are among the first things a password-guessing attack tries.
What’s a good password? How about “expert stressed threats shrink”? Length is the most important factor, with recommended minimums of at least 16 characters. The example above would take millions of years to brute force with current technology, and you don’t need to write it on a post-it. Combining passwords with multi-factor authentication reduces risk even further, since a stolen password alone doesn’t grant access to the device or service.
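As an added illustration (not code from the original post), here is a defender-side policy check that applies the two points above: it rejects passwords shorter than the recommended 16 characters and catches dictionary words dressed up with the letter substitutions a guessing attack tries first. The wordlist and substitution table are constructed for this example; a real deployment would load a large breached-password list.

```python
import itertools
import string
from typing import List, Set

# Constructed sample wordlist for illustration only (assumption: a real
# deployment loads a large dictionary or breached-password list into this set).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "admin"}

# Common "leet" substitutions; each symbol maps to every letter it usually stands for.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "1": "il", "!": "i",
    "3": "e", "7": "t", "+": "t", "|": "l",
}

MIN_LENGTH = 16  # the minimum length recommended in the post


def de_leet_variants(text: str) -> Set[str]:
    """Return every plain-letter reading of text, e.g. 'p@$$w0rd' -> {'password'}.

    Symbols with several readings ('1' -> 'i' or 'l') produce one variant each.
    """
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in text.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def check_password(password: str) -> List[str]:
    """Return policy failures for password; an empty list means it is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Drop digits/punctuation commonly tacked on the end ('Summer2019!') before matching,
    # then undo letter substitutions and compare the core against the wordlist.
    core = password.rstrip(string.digits + string.punctuation)
    for variant in de_leet_variants(core):
        if variant in COMMON_WORDS:
            failures.append(f"dictionary word with letter substitutions: {variant!r}")
            break
    return failures


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Summer2019!", "expert stressed threats shrink"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```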
Returning to the question of whether you can stop changing passwords so often: it depends. Compliance frameworks haven’t all updated their rules to reflect this guidance. For example, PCI section 8.2.4 requires changing passwords every 90 days. HIPAA doesn’t specify an exact expiration time, but does require that policies address password expiration.
Capstone can help you to assess your existing authentication policies, configure multi-factor authentication, and navigate regulatory requirements. Email us at [email protected] or visit us at www.capstoneitinc.com/contact-us/