The importance of password expiration is an interesting topic for me. It’s all over the place online – and rightfully so. There are tons of questions floating around out there: what is the best duration for a password, should the expiration rate be the same for each user, is password expiration beneficial at all. It can sometimes be a bit overwhelming to look at. That being said, there are also areas surrounding the importance of password expiration that are somewhat debated (much like the last question above). In that regard, I would like to take a look at an older article I found interesting and debate some of the claims therein. Catch up after the jump!
The Importance of Password Expiration – Schneier
Bruce Schneier has his own blog on security issues, and has been blogging since 2004. He is definitely an expert on security, with multiple books and articles under his belt, but he has one article out there that brings up a couple of points that I wish to counter on my own. The article in question – Changing Passwords.
Let me start out by saying this: granted, the article is a little dated. However, I think some of the points therein are of the type that is still debated today. Just take a look at the length of the comment thread and how vehemently people debate down there – it is definitely a hot topic.
Without picking apart every piece of Schneier’s article, I’ll just list out the three points of issue I take with it. From there, we will look at why I have an issue, and my opinion on the matter.
· First Point – Expiration Policy Promotes Easy to Guess Passwords
I’m actually half on the fence on this point. Schneier says that, “…if you force people to change their passwords regularly, they’re more likely to choose easy-to-remember – and easy-to-guess – passwords than if they can use the same passwords for many years.” Now, I fully agree that a password expiration policy that is too rapid will definitely promote this type of behavior, but that is an issue with the timing, not the theory. There is a reason password policy best practices are a popular subject of inquiry. Furthermore, nobody should be using the same password for anything for a term measured in years.
No matter what you choose as a password, unless it randomly oscillates like some next-generation self-generating code, it will eventually be cracked. It’s not even really that hard these days. Crackers have built multiple tools to do just that, and they are only getting stronger. The importance of password expiration is that it takes into consideration the easy-to-guess passwords that people are using anyway and prompts the user to change them in case they have been compromised. I don’t know about you, but I prefer to be safe rather than sorry, and people really cannot be trusted with their own security.
[Image caption: Heil Hydra!]
Alright, so it isn’t that bad, but there is a reason that a lot of companies and corporations still require password expiration policies: it is better to look at security through a lens of preparation than to look back at it through a lens of what-ifs. Years of data theft (and recent breaches) have taught us that there is an importance to password expiration, especially when combined with a strong authentication solution that addresses other security risks and vulnerabilities as well.
· Second Point – Traditional Theory Assumes a Passive Attacker
Another blurb within the Schneier essay is that, “…if a hacker gets your password…he can access your network as long as your password is valid. If you have to update your password every quarter, that significantly limits the utility of that password to the attacker.” He considers this to be an example of the traditional theory surrounding password expiration. All in all, like most traditions, it stands out as a relatively reasonable practice. He follows this up immediately by saying, “It assumes a passive attacker…that assumption no longer holds.” I cannot tell you how infuriating that statement is to me.
Okay, true: today’s attackers have gotten bolder by the month, it seems. Most hackers want to get rich quick, and there is definitely a subset of attacks that follow that routine. However, just look at the big data breaches of the last twelve months or so, especially the Target breach – every bit of data points towards attackers harvesting as much information as they can after getting into the system. Sure, they install backdoors and the like, but they hang around on the strength of tried-and-true credentials as well. The importance of password expiration is in its ability to reset the failures that occur due to human error. Hitachi has a nice little list of the ways passwords may be compromised, and that’s only part of it. The same reasoning also argues against Schneier’s point that it’s okay to use the same password for sites that don’t matter. Which brings me to my next point…
· Third Point – Some Sites Matter More than Others
“…it’s far more important to choose a good password for the sites that matter – don’t worry about sites you don’t care about…” Now, does that sound like something you are willing to take without consideration? I hope not. Here’s the thing, everyone:
EVERY SITE MATTERS.
With the integration of caching and cookies and various other methods of tracking your movements online, almost every site that you log into has at least a small window that gives an outsider a view into your life. Given enough windows, a hacker can build a door that grants access to everything you want kept away from the world. Little websites may seem meaningless, but enough ‘meaningless’ information can add up into something solid enough to bring your whole world down around your ears.
Your password is a key to the locks on the various doors of your digital home – why would you give somebody a copy of the key to any door, even if you don’t think whatever is inside is important? Someone will find a use for your junk, and anyway, I don’t want anyone in my house without me there. That’s why I can see the true importance of password expiration.
But hey, maybe I’m just crazy.