Why Password Change Requirements are Bad

The main reason that forcing users to change their password at set time intervals is a bad security practice is that it pushes users toward weaker passwords. The thought process is that a password gets stale, and the chance that it has been compromised increases over time; if you are constantly changing your password, then any historical password being breached wouldn't be an issue. In reality, the forced password change simply makes people append numbers to a base password every time, for example changing from password1 to password2 or password3. This is a simple formula for an attacker to figure out. If a password is breached in any way, one of the first things an attacker will try is the same password with incremented numbers appended to the end.

Forced rotation also makes password resets more common, and it makes people reliant on a helpdesk password reset option. If this becomes routine, the user gets worn down and falls back on the pattern described above.

Requiring a fresh new password every three months means that the user is incentivized to write it down. Why commit a temporary secret to memory if you will not need it long term? It is easier to write it down in your notes on your iPhone, or on a sticky note in your drawer. In the best case scenario, the user will keep it written in a secure password manager, but I imagine the first two depictions are the more common scenario.

Short passwords are less secure in every way than longer passwords. Even if you swap in special characters or numbers, a shorter password is easier for an attacker to brute force. Longer passwords that are easier to remember are better than shorter, more complex ones. Check out the password cost calculator here: https://passwordbits.com/password-cracking-calculator/

Constant rotation of passwords increases the number of legitimate failed password attempts, which drives up the noise in a user account's failed authentication history. When an attacker wants to gain access to an account, they will likely make many login attempts with good guesses at the user's possible passwords. If the user already has a history of fairly frequent incorrect login attempts, the attacker's failed attempts will blend in with the user's own. If the login history is clean, with few failed attempts because passwords are not being forcibly changed, the attacker's behavior stands out far more clearly. Even if the attacker is unsuccessful at gaining access, it is helpful to have a clear signal that someone is trying to access the account.
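The detection argument above, as an added example (not code from the post): a per-account failed-login baseline over constructed auth events shows the same five-attempt guessing burst flagged on a clean account and lost in the noise of a rotation-fatigued one. The users, the counts and the mean + 3σ rule are assumptions made for the example.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed auth events for this example: (hour_index, user, outcome).
# Hours 0-47 are history; hour 48 is the hour under review.
def build_events():
    events = []
    # alice: forced rotation, regularly mistypes the previous password;
    # periodic lockout-sized bursts plus scattered single failures.
    for h in range(48):
        if h % 8 == 0:
            events += [(h, "alice", "FAIL")] * 5
        elif h % 8 == 4:
            events.append((h, "alice", "FAIL"))
        events.append((h, "alice", "OK"))
    # bob: no rotation, a single typo in 48 hours.
    events.append((20, "bob", "FAIL"))
    events += [(h, "bob", "OK") for h in range(48)]
    # The same five-attempt guessing burst hits both accounts in hour 48.
    for user in ("alice", "bob"):
        events += [(48, user, "FAIL")] * 5
    return events

def hourly_failures(events, user, hours):
    """Failed-login count per hour for one user, zero-filled over `hours`."""
    counts = Counter(h for h, u, r in events if u == user and r == "FAIL")
    return [counts.get(h, 0) for h in hours]

def failure_alert(events, user, review_hour, history=48, k=3.0, floor=3):
    """Flag review_hour when its failures exceed the account's own baseline
    (mean + k * stdev over the previous `history` hours), never below `floor`
    so a single typo can't trigger an alert. Returns (alert, count, threshold)."""
    past = hourly_failures(events, user, range(review_hour - history, review_hour))
    now = hourly_failures(events, user, [review_hour])[0]
    threshold = max(floor, mean(past) + k * pstdev(past))
    return now > threshold, now, round(threshold, 2)

if __name__ == "__main__":
    ev = build_events()
    for user in ("alice", "bob"):
        alert, n, thr = failure_alert(ev, user, 48)
        print(f"{user}: {n} failures this hour, threshold {thr}, alert={alert}")
```

Alice's rotation-driven failures lift her threshold above the burst, so it passes unnoticed; Bob's clean history makes the identical burst an obvious anomaly.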

Password change requirements are outdated. NIST even revised their guidance on the issue recently, stating: “NIST recommends that businesses enforce password expiration and password resets only when a known compromise has occurred, or every 365 days. The shift to longer password life is intended to encourage users to generate longer passwords that are harder to crack.”

With modern libraries that store passwords far more securely, password managers being adopted and encouraging unique passwords, and multi-factor authentication, requiring password changes seems like more of a hassle than it's worth.
