Is Password Expiration Expiring?
Scholar
16 Comments

[Reading time - 3 minutes 34 seconds]

 

If you were to take a poll of users, you probably would find that an overwhelming majority do not like password expiration, which requires users to change their passwords after a set period of time such as 60 days. (But if you are frustrated because you have to change your password every 60 days, I read of someone who said a previous employer forced users to change their password every 15 days!) Recently the tide has been turning against password expiration, and in some organizations it is now being phased out.

 

What is the rationale behind password expiration in the first place? Who is recommending that password expiration be dropped? Why are they recommending this? And is it a good step?

 

The rationale for password expiration is obvious: if a user's password is stolen but the victim does not know it, the thief can only use that password for a limited amount of time until it expires.

 

In order to set a basic standard for security, Microsoft for several years has published a security baseline configuration of system policies. Last week (Apr 24 2019) a draft of the Security baseline for Windows 10 v1903 and Windows Server v1903 was released. One of the recommended changes is that password expiration be dropped so that users should no longer be required to change their passwords regularly.

 

But Microsoft is not the first organization to recommend dropping password expiration. Back in 2017 guidelines released by the National Institute of Standards and Technology (NIST) recommended that password expiration should no longer be used.

 

However, not everyone is on board with dropping password expiration. The Payment Card Industry (PCI) still requires that merchants and other providers change their passwords every 90 days.

 

There are several reasons given for dropping password expiration.

 

With the new security protocols now implemented, password expiration is not considered as important as it once was. Many systems will tell you when you last logged in (or let you look it up), so you would notice if somebody other than you logged in yesterday when your own last login was last week. Also, the spreading popularity of multifactor authentication, better known as two factor authentication or 2FA, can limit the impact of password theft. With 2FA you typically receive a text message, email, or smartphone app prompt asking you to verify that you indeed have just tried to log in, so if someone else has stolen your password and is trying to use it you will know it immediately.

 

Another reason for the change is the research that shows password expiration just does not work. Why? Because users are relying on their memory to store a password and are frustrated with having to constantly memorize new passwords. And other password policies are combined with password expiration to make users even more frustrated. Many systems are set up to prevent password reuse, or "recycling" previously-used passwords (a standard recommendation is that a previously-used password could only be recycled after 24 new passwords had been used). Another password setting requires users to keep a new password for a minimum amount of time (like one day) so that they cannot cycle through 24 new passwords in rapid succession in order to get back to using their expired password.
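The interaction of those two settings, as an added example that is not part of the original post: a history of 24 salted hashes plus a one-day minimum age, run against a user who tries to cycle back to the old password. The `Account` class, the PBKDF2 parameters, and the sample passwords and dates are assumptions made for the illustration.

```python
import hashlib, hmac, os
from collections import deque
from datetime import datetime, timedelta

HISTORY_COUNT = 24            # passwords remembered, per the rule described above
MIN_AGE = timedelta(days=1)   # minimum password age, per the rule described above

class Account:
    """Hypothetical account record: stores salted hashes only, never plaintext."""

    def __init__(self, password, now, iterations=600_000):
        self.iterations = iterations          # assumed PBKDF2 work factor
        self.history = deque(maxlen=HISTORY_COUNT)
        self._store(password, now)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, self._hash(password, salt)))
        self.changed_at = now

    def _in_history(self, password):
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in self.history)

    def change(self, new_password, now):
        if now - self.changed_at < MIN_AGE:
            return "rejected: minimum age"
        if self._in_history(new_password):
            return "rejected: in history"
        self._store(new_password, now)
        return "ok"

def cycling_demo(iterations=1_000):   # low work factor so the demo runs quickly
    start = datetime(2019, 5, 1)      # constructed timeline
    acct = Account("original passphrase", start, iterations)
    # Same-day cycling back to the old password is stopped by the minimum age.
    same_day = acct.change("throwaway 0", start + timedelta(hours=1))
    blocked = 0
    for day in range(1, HISTORY_COUNT + 1):       # one new password per day
        now = start + timedelta(days=day)
        blocked += acct.change("original passphrase", now) == "rejected: in history"
        assert acct.change(f"new password {day}", now) == "ok"
    # Only after 24 new passwords has the original aged out of the history.
    final = acct.change("original passphrase", start + timedelta(days=25))
    return same_day, blocked, final

if __name__ == "__main__":
    print(cycling_demo())
```

With both settings in place, getting back to the original password takes at least 24 days instead of a few minutes.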

 

Password expiration usually forces users to take drastic steps to remember their passwords. They write the new password down on a sticky note and affix it to their computer monitor, or create a new password that is easy to remember but equally easy for an attacker to break, or store the password in a file labeled "Passwords," or any number of things that make it easy for an attacker to break the password and compromise security.

 

So, password expiration actually decreases security instead of increasing it.

 

Is dropping password expiration a good step?

 

It probably is, if it prevents you from compromising security (like writing down your current password on a sticky note) and if you are using 2FA to know when someone is trying to use your password.

 

However, some security professionals are calling for a modified password expiration. Because long passwords are more secure than short passwords--even if the password is complex--some advocate that the length of the password dictates its expiration. A user who creates and uses a 30-character password would not have to change that password for 2 years. A password that is 15-25 characters in length would expire annually, while a password of fewer than 15 characters would have to be reset every 90 days. One company that tried this approach found that calls to their helpdesk for password resets declined by 70 percent, so there may be some merit here.

 

But the real solution to good passwords is not dropping password expiration. The solution is to use a password manager to store and retrieve your passwords. In that way it doesn't matter if you have to create and use a new password every 60 days. That's because you're not relying on your memory, but instead are using technology to keep your passwords safe. You could change your passwords every day and still have strong passwords that are easy to retrieve.

 

So, whether or not your organization drops password expiration, you should still use a password manager. It's the smartest thing to do.

16 Comments

I use 1Password every day so I get the need for a password manager, but here's my issue: you have to use your corporate password every time you reboot your corporate computer so you don't have access to a password manager until after you successfully login, right? So how can I use a password manager when I need to use a password (I can remember) in order to get to my password manager?

Scholar

Oh, good question.  A chicken-and-the-egg dilemma. 

 

A couple of thoughts come to mind.  Perhaps have a smartphone password manager that contains that login information?  Or would you consider using a YubiKey 5 NFC (https://www.yubico.com/) instead of using a password to log in?  

Contributor

I am going to have to change my entire password from now on.

Scholar

We are forced to change our passwords every 60 days at the college and I think that’s a good thing overall…

Unique strategy @Nicholas but I bet I know what @Mark_Ciampa is thinking: any password you can remember is by definition a bad password.  Well, you're not alone. I'm so tired of creating new passwords every 90 days that I too have a similar technique.

Scholar

Nicholas - Your system may be easy for you to remember the passwords--but that makes it easy for the attackers to break them, too.  After all, if they break one of your passwords then it's pretty trivial to then break all of your other passwords by looking for a change in an ending symbol (and yes, password cracking programs can do exactly that; I've got one right here).

 

Sandy - Changing a password every 60 days would be a good security step IF the new passwords were unique, long, random, and safely stored.  Since that rarely happens with passwords that frequently change that's why it's no longer recommended.  And here's a question to ponder: if changing a password periodically is good, I wonder how many users routinely change their passwords every 60 days for those accounts for which a change is NOT required?  I'd guess not very many.

 

Michael - I have no doubt that you have a super-strong technique for creating those 90-day passwords.  It's probably something like adding TWO digits to the end of "PASSWORD" instead of just adding one digit.  That will really fool them!  🙂 
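The habit discussed in this part of the thread (keeping a base password and changing only the ending symbol or digits) can be caught on the defender's side at change time, when the user types both the old and the new password. The check below is an added example, not part of the original comments; the function names, the edit-distance limit of 2, and the sample passwords are assumptions.

```python
import re

def _core(password):
    # Case-fold and drop trailing digits/symbols: "PASSWORD12" -> "password"
    return re.sub(r"[\W\d_]+$", "", password.casefold())

def _edit_distance(a, b):
    # Levenshtein distance computed row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_trivial_rotation(old, new, max_edits=2):
    """True when `new` is the old password with a bumped suffix or a small tweak."""
    core = _core(old)
    if core and core == _core(new):
        return True                     # same base, only the ending changed
    return _edit_distance(old.casefold(), new.casefold()) <= max_edits

if __name__ == "__main__":
    # Constructed samples: (current password, proposed new password)
    for old, new in [("PASSWORD1", "PASSWORD12"),
                     ("Blue-Harbor-Lamp!", "Blue-Harbor-Lamp?"),
                     ("harbor7lamp", "harbor8lamp"),
                     ("correct horse battery", "violet anvil sunrise 88")]:
        print(f"{old!r} -> {new!r}: rejected={is_trivial_rotation(old, new)}")
```

Because the comparison uses the plaintext supplied in the change form, it needs nothing beyond the hashed history the system already stores.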

 

 

Valued Contributor

Passwords are becoming more and more of a burden - time to move to biometrics! Just like in mobile devices now. It's indeed a challenge to come up with new and innovative passwords and then a bigger challenge to remember all of them when needed. A password manager might be a potential solution but those need to be used with caution as well. A colleague of mine had issues with this once, hence I am skeptical and would be hesitant in using them. It is high time to eliminate passwords altogether and replace them with something that you don't have to remember while at the same time offering a higher level of security. The technology is already here and it is called "biometric authentication". 

Scholar

Thanks for your great and very thoughtful comment.  I'll take a moment to share some of my thoughts on this topic as well.

 

I think that, despite their weaknesses, we need to be prepared for passwords to be with us for well into the foreseeable future. There is one reason for that: cost. Since it only takes one piece of hardware--a keyboard--to enter a password, there is no additional cost associated with using passwords. That's not always the case with biometrics. Whereas some biometric identifiers can use "standard" hardware input devices (microphone for voice, camera for iris and facial), other biometrics require specialized biometric scanners (for fingerprint and retina). Requiring additional hardware just to log in to a web site account using biometrics may pose a barrier for some users.

 

And to me there are still significant risks associated with biometrics.

 

First, there are still issues with the accuracy of biometrics. The false acceptance rate (FAR) or false positive is the frequency at which imposters are accepted as genuine while the false rejection rate (FRR) or false negative is the frequency that legitimate users are rejected. Biometric systems are tuned so that the FAR and FRR are equal over the size of the population (called the crossover error rate or CER). Ideally the CER should be as low as possible to produce the lowest number of accepted imposter and rejected legitimate users. But this illustrates that biometrics can allow imposters to be accepted while rejecting legitimate users. So, accuracy with biometrics remains an issue.

 

Second, with increasing frequency biometric systems can be “tricked.” Security researchers have demonstrated that pictures of an iris can fool an iris recognition system. Tricking an iris recognition system requires a picture of the authentic user’s eye to be made with a digital camera in “night” mode or with the infrared filter removed. The iris picture is then printed on a color laser printer. To emulate the curvature of the eye a normal contact lens is placed on top of the print. This can successfully trick the iris recognition system into thinking the user’s real eye is in front of the camera. Also, fingerprints can be collected from water glasses and used to trick fingerprint readers on smartphones. So, there are still ways to trick biometric systems.

 

Third, what happens when--not if, but when--my biometric profile is stolen from an online site that uses biometric authentication? When I first create my online account my biometric profile such as a facial scan is digitized and stored online as a series of 1's and 0's, and then when I return tomorrow to log in my face is scanned again and compared with that biometric profile. What happens when--not if, but when--that biometric profile is stolen? An attacker could then use it to log in to every single account that I have. And how could I ever correct that? I only have one face and I can't grow a new one (as much as I would like to!). Am I then prevented from using facial biometric systems for the rest of my life?

 

As an aside, here is where passwords are better than biometrics (strange, but true). If I have a unique password for each site (which I do) and the password for that site is stolen and cracked by an attacker, the worst that can happen is the attacker can only log in to that one site; none of my other sites are at risk because they all have unique passwords. So, unlike the theft of my biometric profile that would open the door to all my accounts, a stolen password only opens one account. Also, I can change the password that has been stolen. That's something that I cannot do with biometrics.

 

I completely agree with you that passwords do not provide good security. But at this time, I don't see that biometrics are the secure answer. Many security researchers advocate that today biometrics should only be used in multifactor authentication systems and not as a single-factor authentication system, and that biometrics should not be used for the most sensitive authentication apps, such as mobile payments.

 

Maybe biometrics will give good security in the future. But until then, I think that a good password manager is the best tool to use.

 

Just my thoughts. Thanks.

 

Mark
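The FAR/FRR trade-off and the crossover error rate described in the comment above can be worked through numerically. This is an added example, not part of the original comment; the match scores are constructed, and the convention that a score at or above the threshold is accepted is an assumption.

```python
# Constructed match scores on a 0-100 scale (higher = closer match).
GENUINE = [91, 85, 78, 88, 62, 95, 70, 83, 55, 90]    # legitimate users
IMPOSTOR = [20, 35, 41, 15, 58, 30, 66, 25, 48, 72]   # impostor attempts

def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor attempts that are accepted."""
    return sum(score >= threshold for score in impostor) / len(impostor)

def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of legitimate attempts that are rejected."""
    return sum(score < threshold for score in genuine) / len(genuine)

def sweep(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, FAR, FRR) rows to show how one error trades for the other."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]

def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold at which |FAR - FRR| is smallest; the rate there is the CER."""
    t = min(range(0, 101), key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return t, far(t, impostor), frr(t, genuine)

if __name__ == "__main__":
    for t, a, r in sweep([50, 60, 70, 80]):
        print(f"threshold {t}: FAR={a:.0%}  FRR={r:.0%}")
    t, a, r = crossover()
    print(f"crossover at threshold {t}: FAR={a:.0%}, FRR={r:.0%}")
```

On this sample, raising the threshold to 80 removes every false acceptance but rejects 4 of the 10 legitimate attempts, which is the accuracy problem the comment describes.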

Frequent Commenter

I fight the power and change my password ten times to go back to my original password. I change it yearly or so and can remember easily what it is that way. I feel it is very strong and would be hard for someone to guess, but changing it every ninety days is not fun in my opinion. Maybe I should try a password manager. 

Scholar

Melinda:

 

Well, changing your passwords ten times in a row to get back to your original password is one way to get around it!

 

Something that I have learned in working with students is that most users misunderstand how passwords are cracked. Attackers have a well-defined process using technology they go through to crack our passwords (they don't do random guessing, which is what most of my students think).  That technology attackers use has made password cracking very easy for them.

 

In class I take a password that is 15 characters in length of words and letters, and break it in (wait for it!) just 3 seconds!

 

That also helps drive home the point that long passwords are more secure than shorter, complex passwords. I tell students that if I can break your 15-character password in just 3 seconds, then a strong password today should be at least double that length, or 30+ characters long.

 

"But I can't memorize a password like that!" my students respond.

 

I remind them that if you can memorize a password then it is a weak password!

 

And that leads into the demonstration of how to use a password manager. Just recently I created a password that's stored in my password manager that looks something like this:

 

xݼÑ7ÆkoêwàÛýÔîâ·}3Ød&=á#/¢É@º*É`{aëÍå¾Ò¨`Çá,È%cí¢9ðõæx#

 

Of course, I can't memorize that password, but with a password manager I don't have to. I get to have unique, long, and complex passwords for all of my 250+ different accounts using a password manager.

 

I'm glad you're considering a password manager; it's the safest way to go. I can give you some suggestions on password managers if you're interested.

 

Mark

Commenter

It is hard to remember so many passwords. Each website requires a password. The thing about password managers is that it is specific to your device and sometimes the browser. This is very annoying. I understand the security risk but it is equally risky when the password is changed frequently because it is hard to tell if you locked yourself out of your account or if someone else locked you out.

I share your frustration with passwords (I'll guess that everyone does) so what I do is I install the extension (I use 1Password) into every browser on my device. I also have the 1Password app in case I'm on a browser that doesn't have my 1Password account I use the mobile app. Frustrating still, but  what can you do...that's the world we live in I guess.

Commenter

My biggest issue with MFA is remembering to take my cell phone with me to class.  I understand why we have switched to it, but it doesn't make it any less annoying.  I guess it's a necessary evil. 

Contributor

We have switched from 180 days to 1 year expiration after adding in 2FA. Who knows, they may extend to 2 years if this continues to be a success.

 

I love the idea of password managers but can't get comfortable with it - guess I don't trust them to be any more secure than other "secure" places that still somehow get hacked....

@tom_mcgrath 1 year with 2FA sounds like a good plan. Regarding password managers: I've been using one for several years now. It hasn't eliminated password frustrations entirely, but what I like most is that it allows me to go from one site to another and quickly log in without having to even think about what my password on the other sites might be. It's a time saver and the passwords that it generates sure look secure to me. Here's one I just had 1Password generate just for the heck of it: TCL9NRrbNmb9. Seems pretty "unguessable". It'll generate passwords up to 64 characters long. I just tried that and here's what I got: vdoZAwTcTL7KNA462ygjrb7QomZxykhzjKxnRbiH64iDPN8y2YVeoPAedb42RdBd.

Frequent Commenter

We have so many different accounts now and have to remember soooo many different passwords that it becomes very frustrating!  I don't know the solution but hope one comes around soon (but not biometric).