Too many organizations employ outmoded policies related to passwords that have been shown to be ineffective in providing security, namely, the requirement to change a memorized token on a regular periodic basis. I would like to present here various references which demonstrate that the industry standards have evolved in the last decade and do not require users to change a memorized token on a regular basis. It is best practice to require a changed password when credentials are found in other systems (I know of some orgs that use the haveibeenpwned API to provide intelligence when credentials are found on the dark web) but expiry should not be required until there is evidence a compromise has occurred.

Key paragraph from NIST Digital Identity Guidelines [1]

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
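The following is an added example (not code from the original post or from NIST) of a verifier that applies the rules above together with the haveibeenpwned lookup mentioned in the introduction: a minimum length only, no composition rules, no scheduled expiry, and a forced change only when the credential appears in a breach corpus. The breach check uses the real Pwned Passwords range API (k-anonymity: only the first five hex characters of the SHA-1 hash leave the client); the `fetch_range_offline` stand-in and its counts are constructed so the example runs without network access.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def fetch_range_live(prefix: str) -> str:
    """Fetch every SHA-1 suffix sharing `prefix` (5 hex chars) from the live API."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how often `password` appears in the breach corpus (0 = never seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():      # lines look like SUFFIX:COUNT
        cand, _, count = line.strip().partition(":")
        if cand.upper() == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, fetch_range=fetch_range_live) -> Dict[str, object]:
    """Decision in the spirit of SP 800-63B 5.1.1.2: length floor only, no
    composition rules, no periodic expiry; a forced change only on evidence
    of compromise (a hit in the breach corpus)."""
    if len(password) < 8:
        return {"accept": False, "force_change": False, "reason": "shorter than 8 characters"}
    count = breach_count(password, fetch_range)
    if count > 0:
        return {"accept": False, "force_change": True, "reason": f"seen {count} times in breaches"}
    return {"accept": True, "force_change": False, "reason": "no evidence of compromise"}


# Constructed offline stand-in for the API: one filler entry plus the suffix
# for "password" with a made-up count, so the logic can be exercised locally.
_DEMO_SUFFIX = hashlib.sha1(b"password").hexdigest().upper()[5:]
_DEMO_RANGE = f"00000000000000000000000000000000000:2\n{_DEMO_SUFFIX}:3861493\n"


def fetch_range_offline(prefix: str) -> str:
    return _DEMO_RANGE


if __name__ == "__main__":
    print(evaluate_password("password", fetch_range_offline))
    print(evaluate_password("correct horse battery staple", fetch_range_offline))
```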

PCI DSS password requirements [2]

The Payment Card Industry Data Security Standard requires passwords to be changed on a regular 90-day schedule only when a password is the sole authentication factor in use (Section 8.3.9). A stronger security posture is to require multi-factor authentication for access to secure systems.

FTC persuasive article against mandatory password changes [3]

Lorrie Cranor, ACM and IEEE fellow & Chief Technologist at FTC (2016-2017), wrote an article that makes the point of this blog post: mandatory password changes should be reconsidered. Compellingly, she details research that has demonstrated “[an] attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.”

Three different Microsoft articles make the case

Microsoft Security removed password expiration in v1903 of Windows 10 and Windows Server [4]

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

Microsoft 365 password policy recommendations [5]

Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.

Robyn Hicock, Microsoft Identity Protection Team [6]

In a research article, the Microsoft Identity Protection Team identifies password expiry as an “anti-pattern” (a practice which is believed to solve a problem but in fact does not).

Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. Experiments have shown that users do not choose a new independent password; rather, they choose an update of the old one. There is evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with and then change them in predictable ways that attackers can guess easily.

One study at the University of North Carolina found that 17% of new passwords could be guessed given the old one in at most 5 tries, and almost 50% in a few seconds of un-throttled guessing. Furthermore, cyber criminals generally exploit stolen passwords immediately.

Microsoft CISO says the future is passwordless [7]

“I remember we had a motto to get MFA everywhere; in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to ‘we want to eliminate passwords’. But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for Business,” he says.

“If I eliminate passwords and use any form of biometrics, it’s much faster and the experience is so much better.”

Microsoft is moving towards a hybrid mode of work and, to support that shift, it’s making a push towards a Zero Trust network design, which assumes the network has been breached, that the network extends beyond the corporate firewall, and caters to BYOD devices that could be used at home for work or at work for personal communications.

References

[1] NIST SP 800-63B, Section 5.1.1.2, “Memorized Secret Verifiers”

[2] PCI DSS v4.0, Section 8.3.9

[3] FTC, “Time to rethink mandatory password changes”

[4] Microsoft, “Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903”

[5] Microsoft, “Password policy recommendations for Microsoft 365 passwords”

[6] Microsoft, “Password Guidance”

[7] “Microsoft’s CISO: Why we’re trying to banish passwords forever”


About michaellamb.dev

Michael Lamb is a software engineer working at C Spire. If you have a blog-specific inquiry please create a new issue on GitHub. Feel free to fork this blog and build your own!


© Copyright 2021-2024
Let’s Expire Password Expiry | Michael Lamb