Does it Make Sense to Keep Changing Your Passwords?

Wednesday, October 31, 2012

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

Here's the question then - why do we have to change our passwords every 30 days, or whatever you are forced into?  I think while this was a good idea a while back in technology, if I'm right it may not be completely necessary.

Some of you reading this are ready to start getting very angry ... but read on.

I'm running a small experiment on myself in which I've set up an account on a very public, very high-traffic web-based system out there that has a ton of my personal information.  I've not changed my password in almost 6 months now, but I still feel relatively good... and still certain that I am the only one who has access to my stuff.

Now, let me be clear, I'm absolutely not advocating that you stop changing passwords universally ... hopefully your pulse rate is down a bit now ... but read on for what I believe it some sanity.

Password change as countermeasure

I think that password changes came about and reached their peak as recently as a few years ago for one major reason.  Changing your password regularly became a countermeasure.

Since we weren't really sure whether the key to your office was copied or not, we were forced to change the locks regularly to make sure that we cut down on how long someone could have access on that copied key.  This is essentially the model we've been following for years... because we didn't have many other alternatives, or assurances. If your password was forced to change every 30 days the longest someone could impersonate you was 30 days or so.

This model is silly, and it not only inconveniences the user but doesn't really work well.  When people are forced to change the 100+ passwords they're expected to memorize they go to what works, writing it down.  Sure they should be using password storage programs like KeePass or 1Password or LastPass, but most aren't technically savvy enough to - or simply don't know to.

A wealth of supplementary options

Here we are in 2012 with many more options than we started out.  For example...

  • password change notifications to multiple email addresses
  • login notifications sent as SMS, email, etc
  • one-time passwords sent to a mobile phone
  • account lockout on suspicion of password guessing
  • profiling of users login behaviors (geo-locate, machine profile, behaviors, etc)

So the system I use, which I haven't changed the password on in ages by IT standards, has all of these features and when I log in (or try to) twice in a row from very different geo-locations it pops up a secondary authentication mechanism... Is this perfect and will it keep me 100% safe?  Of course not, I'm not delusional.  But I bet it's good enough... we'll see when I reach 1 year.

Good enough?

What would we consider good enough password security then, if password changes aren't to be included in that list of must-do?  How about this, for a reasonably good system:

  • good password (pass-phrase?) on initial setup
  • primary and secondary email addresses on setup for notifications
  • mobile number on setup for notifications
  • secondary question/answer - good ones, not those stock ones everyone can guess by Googling you
  • log all account login activity
  • build a user profile with machine-specific information, habits, and geo-location
  • [if account is sensitive] secondary mechanism for OTP (one-time password) to compliment static password such as over mobile SMS to a pre-determined number
  • (on login) - notification of "when you last logged in, from where, etc"
  • monitoring and immediate notification of account-related compromise (critical, should be immediate)
  • password change, account changes of critical information require secondary steps beyond password

I think this is plenty good right here ... and I'd be willing to bet that even if you never changed your password you'd still have a more secure account access than if you changed it weekly.

All comes down to the system/site

Unfortunately, websites and system operators get lazy.  They'd rather force the user into the pain of changing their password regularly rather than doing the above steps to maintain good account security.

Of course, many of the login/password disclosures from hacks lately demonstrate just how useless keeping complex passwords is in today's climate.  You can have a password that is super-secret, changes daily and if the application is poorly written none of that matters.  Also, on the other side of that coin, if your password is snatched and you still need a secondary access token (OTP to your cell phone?) that doesn't do the attacker any good either... so it's all a matter of understanding the risk, and I believe the risk today is greater due to other outside factors.

Monitoring, monitoring

In the end, if I was maintaining a system where lots of users logged in like FaceBook I would allow them to have passwords for ever as long as there were good compensating controls which have been available for years now! Also, a site that doesn't monitor the users - not what they do specifically, but how they access the system - doesn't even understand how to protect them. 

As the number of mobile devices continues to become explosive and the cell phone becomes entirely ubiquitous - a simple SMS to add as a secondary security method to your password should be trivial, but it adds a tremendous value to the overall risk profile.

Sure, there are going to be cases where someone has their cell phone compromised, and their password swiped as well - but in cases like that changing your password often won't help you anyway so why try to solve such a huge problem with inadequate solutions?

In the end...

Anyway - I think in the end passwords will ultimately become irrelevant as systems continue to get compromised, you have to try and remember more and more passwords, and the difficulty of making strong passwords with their ever-increasing complexity and application/site-specific rules.  Why not get ahead of that curve now, and just build a robust login mechanism rather than trying to force the user to shoulder the burden?

I welcome your thoughts ... even it's to tell me I'm  crazy - leave a comment here (and your Twitter handle!) or send me an @ on Twitter - @Wh1t3Rabbit.

Let's talk about it ... then fix it.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
12617
Network Access Control
Information Security
Passwords Authentication Security Awareness Access Control
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.