I recently touched on the GCHQ/CESG password report, ‘Password Guidance: Simplifying Your Approach’, a government best-practice document aimed at UK organisations and designed to help them protect against password breaches.
Should changing passwords be mandatory?
As a general guidance document, it makes some valuable suggestions and recommendations on password practice. However, its comments on changing passwords were the most interesting part. It notes that “most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days,” but argues that this “imposes burdens on the user” and “carries no real benefits.”
While we can all agree that passwords on their own are a weak control and that poor password practice can compromise systems, the suggestion of not implementing a password expiry policy at all is probably heresy to many sysadmins and IT security professionals.
So, should we force users to change passwords, and if so, how often? It is not an easy question to answer and the industry is divided. For some, requiring frequent changes is harmful: it pushes people towards weak, predictable choices and towards re-using the same password on different sites. Others suggest that monthly or even more frequent changes should be required for access to corporate applications and systems.
The practice of enforcing regular password change came in many years ago — in fact, having a password change policy used to be one of the first things checked by auditors when they came to visit. In those days no one was using cloud applications (in fact, the cloud was still called the Internet then) and mobile working was pretty much unheard of. Times have changed and so has the way we work.
In a recent Centrify survey, it was alarming to see how much password sharing between employees happens, often to let a colleague do work they cannot do from their own account. Regular enforced password change would help here: once the account owner is forced to pick a new password, the colleague who was given the old one can no longer log in with it. That only closes the gap if the owner does not simply share the new password too, and there is still a window in which the departed colleague keeps access, which in the worst case is the full expiry interval.
Similarly, if the user who shared the password leaves and de-provisioning processes are lax (something else our survey highlighted), then password expiry may help stop them gaining access to resources after they have gone, although, again, this is not foolproof, and expiry is no substitute for disabling the account promptly.
Time for a change
It is true that changing passwords frequently puts pressure on users, who are forced to think of new ones and then remember them. The problem, of course, is not really the person but the password. We know it is time for a change: passwords are behind too many data breaches, and they are ill-equipped to protect us and our information in today’s online world.
However, many organisations still rely on passwords as their primary means of identifying users and controlling access to data and business applications. As an industry we should be doing everything we can to encourage companies to think about how and why they use passwords, but we should also point them towards more secure ways to authenticate people, such as multi-factor authentication and biometrics, and towards single sign-on (SSO) so that users do not have to juggle multiple usernames and passwords in the first place.
We should be educating users that it is not just about changing a password the next time the prompt pops up on the screen, but about changing the way they view and use passwords altogether.