Forced password resets have been a common feature of password policies for a long time and are still widely used. However, both Microsoft and the NIST password guidelines recommend doing away with password rotation policies, arguing that they don’t improve security and can actually make it worse.
Despite the recommendations to do away with forced password changes, many companies remain resistant and some cybersecurity frameworks still require them. There are several reasons for this reluctance, but most lie in the perceived benefits of password rotation policies, versus the perceived risks of abandoning them. This is why we want to shed some light on the pros and cons of forced password resets and their viability in the digital age.
The workforce of a company is never static; it is always fluctuating. Some employees will leave the company, and new ones will take their place. Forcing password changes can ensure that former employees can no longer access company systems. This is more of an issue for teams where one account is shared by multiple employees. Of course, password sharing isn’t recommended, but it is a common practice.
According to Yubico’s 2019 State of Password and Authentication Security Behaviors Report, 69% of respondents share passwords with colleagues to access accounts. The credentials are often shared with other team members to avoid problems that arise when someone is off sick or on vacation. However, a more secure solution would be for every employee to have their own account for a system, or to use a PAM (Privileged Access Management) tool with system-generated passwords that are rotated and logged automatically.
Attackers can obtain passwords by a variety of methods: brute force attacks, dictionary attacks, rainbow table attacks, social engineering, phishing, malware, spidering, and more. By using forced password expiration, you reduce the window in which the attacker can use your password before it is reset. But since attackers can do substantial damage in a short amount of time, there is no realistic maximum password age that would make this viable. The SANS blog summarized it as follows: “when the bad guy gets your password, they are not going to wait the required ‘90 days’, they are going to leverage it within hours. So by the time you get around to changing your passwords, the bad guys are long gone.”
IT admins are usually very competent when it comes to securing and protecting the shadow password files (Linux) and SAM files (Windows) where user credentials are held. However, backups are a common and necessary feature of the modern business landscape, and security around backup files can often be more relaxed, particularly for older backups. If one of these older backup files is breached, the attacker gains access to the usernames and passwords of users as they were at the time the backup was taken. These credentials are usually encrypted or hashed, but with computing power increasing at a rapid rate, it’s now much easier and quicker to crack these hashes. With forced password rotation, none of the passwords would be the same (in theory), so the attacker would only have access to usernames, significantly reducing the impact of the breach.
In an ideal world, all users would pick a unique and complex password every time they are prompted to create a new password. However, this isn’t the world we live in. We’re living in the digital age where we have to remember multiple username and password combinations just to do our jobs or experience the benefits of the modern world in our personal life. In 2015, the average user had 90 online accounts. The number was even greater in the US, where there was an average of 130 accounts associated with a single email address.
We can only assume that, counting both personal and work accounts, the number of online accounts we hold is even greater today. Google recently found that 65% of people reuse passwords across some, if not all, of their accounts. When users are faced with remembering so many passwords and also have to memorize a new password every 30, 60, or 90 days, they are much more likely to pick a weak password or a slight variation of their previous password. Users also get frustrated with the process of resetting their passwords and remembering new ones on a regular basis.
According to the FTC, “There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases.”
Forced password expiration policies are no longer recommended by the industry leaders in cybersecurity best practices. However, despite this, 77% of IT departments are still expiring passwords for all staff quarterly. It’s estimated that a single password reset costs $70 in IT Help Desk labor. When you consider that 20% to 50% of all Help Desk calls are for password resets, it’s easy to see how significant costs are incurred for businesses.
As we touched on earlier, one benefit of password rotation policies is that they restrict the time frame in which an attacker can act after obtaining login credentials. This was true in the past; however, it is becoming less and less useful as an anti-breach tactic, since attackers tend to use fresh data from other breaches to attack.
A more modern approach uses password monitoring and credential screening software that continually detects compromised passwords. These tools reduce the chance of a successful breach far more than simply waiting out the clock for a password to expire.
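To make the contrast concrete, here is an added example (not code from the original post or from any product it mentions) of what a password-change check looks like when it screens the new password against a breach corpus and rejects the predictable rotations described above, instead of relying on an expiry clock. The breach corpus is a small constructed set, and the prefix lookup is modelled on the k-anonymity range query used by public password-screening APIs, where only the first five characters of the SHA-1 hash leave the client.

```python
import hashlib
import re

# Constructed breach corpus for the demo: SHA-1 hashes of a few passwords that
# a screening feed would hold as known-compromised. A real feed has hundreds of
# millions; the index is keyed by 5-char hash prefix so lookups stay anonymous.
_CONSTRUCTED_BREACHED = {"password", "Summer2019!", "letmein", "qwerty123"}
BREACH_INDEX = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix):
    """Server side of a k-anonymity range query: given a 5-char SHA-1 prefix,
    return every known suffix under it. The client's full hash never leaves the client."""
    return BREACH_INDEX.get(prefix.upper(), set())

def is_breached(password):
    """Client side: hash locally, query by prefix, compare suffixes locally."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in range_lookup(h[:5])

def _stem(pw):
    """Strip trailing digits/symbols and lower-case, so 'Summer2019!' and
    'Summer2020!' collapse to the same stem 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()

def is_predictable_variant(old, new):
    """Flag the rotation patterns users fall into: same password, the old one
    embedded in (or containing) the new one, or the same stem with a bumped suffix."""
    if not old:
        return False
    o, n = old.lower(), new.lower()
    if o == n or o in n or n in o:
        return True
    return len(_stem(old)) >= 4 and _stem(old) == _stem(new)

def evaluate_change(old, new):
    """Return the reasons a password change should be rejected; an empty list
    means the new password passes both the breach screen and the variant check."""
    reasons = []
    if is_breached(new):
        reasons.append("appears in breach corpus")
    if is_predictable_variant(old, new):
        reasons.append("predictable variant of previous password")
    return reasons
```

Running `evaluate_change("Summer2019!", "Summer2020!")` flags the bumped-year rotation even though the new string has never been breached, which is exactly the case a 90-day expiry clock lets through.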
The goal of a well-functioning cybersecurity policy should be to protect your systems by making a breach difficult for attackers to execute while maintaining a frictionless experience for staff. It’s now easier than ever for aspiring attackers all over the world to obtain access to powerful computers, advanced tools, and sophisticated techniques. This has made securing our systems considerably more difficult than it was a decade ago.
When faced with the risk of data breaches, it’s common for companies to try and implement as many cybersecurity policies as possible, essentially a “cover all bases” approach. However, we have to continually analyze our policies and realize when they are no longer fit for purpose.
With forced password resets, that time has come for reconsideration. Password rotation policies burden staff and IT Departments without providing a significant security benefit. We now have more advanced tools like exposed password screening services that significantly improve security without these burdens.