Policies that require users to change their password every couple of months do nothing to increase security. Instead, these policies say quite a bit about the technical philosophy and capabilities of the company or administrator(s) in charge. They say, “I’m a point-and-click administrator” and “I don’t understand security.” I’ll try to make the case that a rotating password policy does nothing to protect against the attacks described below.
Let’s look at a couple of ways in which passwords are often compromised.
- A hardware- or software-based key-logger / virus / spyware is harvesting passwords.
In this case, the employee or user types a password on a compromised machine, either at home, at a hotel, at an Internet cafe or on a friend’s or family member’s computer.
- Password is obtained by someone sniffing network traffic.
This occurs when the password is sent over a plaintext protocol.
- The server’s password list is compromised.
You had an SQL injection vulnerability in your web app or your password file was compromised and someone managed to get the hashed list of passwords. If some of the passwords were simple and a basic hash function without salt was used, then some of the passwords could be obtained by a hash-table dictionary or brute force.
- Password was so simple that someone guessed it or that it was brute forced.
This is rare, but most people who don’t understand security think this is hacking thanks to improper portrayal of hackers in movies.
There are plenty of other ways in which a password can be compromised, but these will suffice for now.
The first and only question that needs to be asked in order to debunk the rotating password policy is this:
Once someone’s password is compromised, how does changing it six months later stop the attacker from using it today, tomorrow or next week? Even if the attacker is selling password lists on the black market, every criminal knows a list older than a couple days is useless.
A second point demonstrates the ridiculous nature of forcing people to change their passwords:
When you force anyone to change their password every couple months and demand that it be some complicated combination of alpha-numeric characters, you’re forcing them to write it down, and most uneducated users will leave their written passwords in a cubicle.
A better solution
Two factor authentication is the way to go if you don’t mind inconveniencing people and want to enforce a serious password policy. Two factor authentication requires two things: a memorized password and a physical item that generates a one-time token unique to the user and the time the user is logging in. Usually this is accomplished with a little device that can go on your keychain, but now smart phone apps are capable of providing the same thing. I installed Google Authenticator on one of my servers.
With two factor authentication, even if someone obtains my password, they won’t be able to log in without the addition of the physical device I carry around in my pocket. Can two factor authentication be broken? Yes, someone can use one of the methods above to steal my password, then hit me over the head with a hammer and take my device. Someone could also obtain the private key used to generate my one-time tokens, or break the algorithm or even obtain physical access to the server!
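How the time-based one-time code and the server-side login check fit together, as an added example that is not from the original post: a standard-library Python implementation of TOTP (RFC 6238, the scheme authenticator apps such as Google Authenticator implement). The `Account` class, the password and the secret are constructed for illustration.

```python
import hashlib, hmac, os, struct

STEP, DIGITS = 30, 6   # RFC 6238 defaults: 30-second steps, 6-digit codes

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: float) -> str:
    """The code the user's device shows at Unix time `now`."""
    return hotp(secret, int(now) // STEP)

class Account:  # hypothetical server-side record, for illustration only
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._kdf(password)
        self.totp_secret = totp_secret
        self.last_step = -1          # highest time step already accepted

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password: str, code: str, now: float, window: int = 1) -> bool:
        if not hmac.compare_digest(self._kdf(password), self.pw_hash):
            return False
        current = int(now) // STEP
        # Accept the current step plus/minus `window` steps of clock drift.
        for step in range(max(0, current - window), current + window + 1):
            if step <= self.last_step:
                continue             # this step was already used: replay
            if hmac.compare_digest(hotp(self.totp_secret, step).encode(), code.encode()):
                self.last_step = step
                return True
        return False

if __name__ == "__main__":
    secret = b"12345678901234567890"     # constructed: the RFC 6238 test secret
    acct = Account("correct horse", secret)
    code = totp(secret, 59)
    print(code, acct.login("correct horse", code, 59))   # fresh code accepted
    print(acct.login("correct horse", code, 59))         # same code again: refused
    print(acct.login("correct horse", "000000", 59))     # password alone fails
    print(Account("correct horse", secret).login("correct horse", code, 200))  # stale code
```

A code captured by a key-logger or sniffer is only usable inside the drift window and, with the `last_step` check, only once, which is the property a rotated password lacks.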
Security isn’t about making it impossible to break in. At the end of the day we can concoct a zillion scenarios where even the Pentagon could be overtaken. Security is about plausibility and probability. The plausible and probable methods of compromising a machine are not protected by a rotating password policy. They are protected by two factor authentication. So, it’s safe to say that anyone who enforces a rotating password policy probably didn’t think it through.
An added note: real security comes from educating users. I am writing from a perspective that believes most users will never be educated.