Picture the scene: you’ve just been on a wonderful vacation; it’s been a great time to relax and do something you love, but now you are walking into your place of work.
Waiting for you is a mountain of emails and you want to get right to it.
You take out your iPad, Android tablet or open up your laptop and turn it on.
Then it hits you, those words you dread: “Your password has expired”.
Today is the last day you want to be changing your password. You’ve got enough to think about, but you have little choice. You wonder whether you should have reset your password before you went on vacation, but you’re not sure that would have made any difference.
After fighting with the complicated set of rules that define what your password can be, you eventually pick a new one. For the rest of the day, and the next few, you try to remember to type the new password rather than the old one. I characterise this as The Four Ages of Remembering a New Password.
Regular password expiry is a common requirement in many security policies. However, in CESG’s Password Guidance published in 2015, we explicitly advised against it.
(Read more: The problems with forcing regular password expiry)
Scheduled password expiry has been a dogma of enterprise IT security for many decades. It’s so embedded into the fabric of the IT landscape that it sounds scandalous for an organization as esteemed as the CESG to challenge it, but challenge it they have.
The argument that they make, in summary, is that the “usability costs” of regular password changes make people adopt coping mechanisms that themselves introduce other security vulnerabilities:
It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.
The CESG isn’t recommending that organizations stop worrying about password vulnerabilities; they are recommending that organizations use other measures that do not involve scheduled password expiry and have a lower “usability cost.” They are proposing measures that they believe better match the vulnerabilities that passwords face today.
The following diagram highlights what they believe are the vulnerabilities and the measures:
Speaking as someone whose core skills are in the workplace and productivity arena (I have a lot of experience working with very security-conscious customers, though I am not a security expert), these approaches make far more sense than password expiry. Whilst regular password expiry is embedded in corporate IT, it isn’t found in the places where you would expect it to be if it were such a good approach.
My bank doesn’t ask me to change my password regularly; instead it makes sure I have a strong credential that I can still understand by requiring both a password and a PIN. For sensitive transactions, it makes me use two-factor authentication. Amazon doesn’t make me change my password regularly. When I log on to Twitter from a new device, it sends me a message to let me know and to confirm that it’s really me. All of these approaches have a far lower “usability cost” than the regular password change, and it’s those approaches that the CESG is advising UK government organisations to adopt.
It really is time to stop regular password expiry.
(I thought I would explain how I came to know about this advice. Firstly, I saw it back in September when the CESG published it, because it was shown on their Twitter feed. However, being a busy man, I forgot all about it. Then the other day Chris Swan and Stuart Downes highlighted the reiteration of the advice on their Twitter.)
Graham Chastney is a Technologist in CSC’s Global Infrastructure Services. He has worked in the arena of workplace technology for over 25 years, starting as a sysprog supporting IBM DISOSS and DEC All-in-1. Latterly Graham has been working with CSC’s customers to help them understand how they exploit the changing world of workplace technology. Graham lives with his family in the United Kingdom.