After writing my last posting, which suggested using a formula to generate multiple unique, memorable passwords, I glanced at other password-related articles that were likewise spawned by the security breach at Gawker Media. These, and many other articles, suggest changing passwords often.
But why? Exactly what is the potential danger of not changing a password regularly?
Suppose, for example, you are required to change a password every three months. Then, if someone steals the password and sits on it for 3.5 months, you're protected: it will have changed by the time the bad guy tries to use it.
If a bad guy steals your password and does nothing with it for a month, then maybe by the time they try to use it, it will have changed. Or, maybe not.
But how likely is it that a bad guy will sit on stolen passwords for very long? Chances are that stolen passwords get used fairly quickly. If that's the case, then changing the password every three months is a fool's errand.
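The argument of the last three paragraphs can be put in numbers. The following is an added example, not code from the original post: it assumes (as a modelling choice of this example) that the theft happens at a uniformly random point in the rotation cycle and that the thief first uses the password after a fixed delay, so the password is still valid only if the cycle has not rolled over in between. The delay distributions are constructed for illustration.

```python
"""Added example: how much protection a fixed rotation period buys.

Modelling assumption (this example's, not the post's): the theft happens
at a uniformly random moment in the rotation cycle and the thief first
tries the password `delay` units later.  Units (days, months) are
arbitrary as long as `rotation` and `delay` use the same ones.
"""


def fraction_still_valid(rotation, delay):
    """Probability that a stolen password still works `delay` after the
    theft, under a policy that forces a change every `rotation`."""
    if rotation <= 0:
        raise ValueError("rotation period must be positive")
    # The cycle rolls over before use with probability delay/rotation.
    return max(0.0, 1.0 - delay / rotation)


def expected_fraction(rotation, delay_distribution):
    """Average fraction_still_valid over a distribution of attacker
    delays, given as {delay: probability} with probabilities summing to 1."""
    if abs(sum(delay_distribution.values()) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(p * fraction_still_valid(rotation, d)
               for d, p in delay_distribution.items())


# Constructed delay distributions, in months, for illustration only.
PROMPT_USE = {0: 0.6, 0.1: 0.25, 0.5: 0.1, 1: 0.05}   # used within days or weeks
PATIENT_ATTACKER = {1: 0.5, 2: 0.5}                    # sits on it for a month or two

if __name__ == "__main__":
    for name, dist in [("prompt use", PROMPT_USE), ("patient attacker", PATIENT_ATTACKER)]:
        for rotation in (1, 3, 12):
            print(f"{name:16s} rotation={rotation:2d} months  "
                  f"still valid={expected_fraction(rotation, dist):.2f}")
```

With the post's own figures, a three-month rotation gives no protection against a thief who waits 3.5 months and one-third protection against one who waits a month; against prompt use it changes almost nothing.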
Then too, a sloppy implementation of the password changing rule can make it a sham.
Back in December 2009 one of Steve Gibson's Security Now podcasts focused on The Rational Rejection of Security Advice. In it, Gibson told a story he overheard in his local coffee shop.
... there was this executive with his coworkers explaining to them the lengths he goes through to avoid the IT department's password policy. Passwords expire at his company after not apparently very long, and he finds it very annoying that he's being asked to change his password constantly. So ... he'll go through five other passwords in a row in order to get back to a sixth one because the system remembers the last five and won't let him use any that he's used recently...
Been there, done that. I, too, worked in a large organization with password rules and I did the exact same thing. That is, I would change my password when required, then change it again and again and again until the buffer of old passwords was full of nothing but the new ones from today. Then, I'd change it again, back to one I could actually remember.
As Gibson says:
... so what's the risk? The risk is that somewhere far in the past our password would have been captured, but it wouldn't have been used until now. So the not changing it often creates a window of opportunity. But if the password is captured and immediately used, which is probably more likely, then changing your password often provides you no benefit.
It's one thing if a password was especially vulnerable, either because it was a word in the dictionary, or very short, or just popular (think qwerty and 123456). But a password that is reasonably unguessable and long enough to resist brute-force attacks does not need to be changed on a set schedule.
An IT department may better serve a company by doing what the bad guys do and running password-cracking software against the passwords under their control. If any poor passwords are discovered, they could educate the person who chose it about better passwords. If nothing else, just knowing that the IT department is watching should make people choose harder-to-crack (longer, more random) passwords.
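An audit of that kind, in its simplest form, is an offline comparison of the stored hashes against a list of known-weak passwords. The block below is an added example, not code from the original post or from any real system: the record format (a random salt plus a PBKDF2-SHA256 hash), the iteration count, the weak-password list and the three sample accounts are all constructed for the example.

```python
"""Added example: offline audit of stored password hashes against a list
of known-weak passwords.  Records, salts, iteration count and the weak
list are constructed for this example; nothing here is real data."""
import hashlib
import os

ITERATIONS = 20_000   # lowered from production-scale values to keep the example quick


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-SHA256, the scheme this example assumes the system uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(username, password):
    """Build one stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def audit(records, weak_list):
    """Return {username: matching_weak_password} for every account whose
    stored hash equals the hash of an entry in `weak_list`.

    Because each record has its own salt, every candidate must be hashed
    separately per account; that per-account cost is exactly what a salted
    scheme imposes on anyone else trying the same thing."""
    findings = {}
    for rec in records:
        for candidate in weak_list:
            if hash_password(candidate, rec["salt"]) == rec["hash"]:
                findings[rec["user"]] = candidate
                break
    return findings


# Constructed sample data: the two weak choices named in the post plus one strong one.
WEAK_LIST = ["123456", "qwerty", "password", "letmein"]
SAMPLE_RECORDS = [
    make_record("alice", "qwerty"),
    make_record("bob", "123456"),
    make_record("carol", "7r!Vx-mountain-kettle-92"),
]

if __name__ == "__main__":
    for user, weak in audit(SAMPLE_RECORDS, WEAK_LIST).items():
        print(f"{user}: password is on the weak list ({weak!r}); notify and educate")
```

In practice the weak list would be a large leaked-password corpus and the report would go to the account owner, not into a log that stores the matched password.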
That said, I think the far more important issue is to minimize the risk associated with any one password by never re-using it. That's where my previous formula suggestion comes in.
One argument for frequently changing passwords is that if a password is stolen, the bad guy can only use it for a limited time.
Perhaps. But wouldn't a smart bad guy use the trick described earlier and change the password over and over and over before changing it a final time back to what it was originally? Would the victim notice? And it's likely that much of the damage will be done the first time a bad guy uses a stolen password.
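The cycling trick from the coffee-shop story, and the same trick in the hands of a bad guy as imagined just above, works only because the history rule is enforced on its own. The block below is an added example, not code from the original post or from any real product: the `PasswordPolicy` class is hypothetical, passwords are stored as salted PBKDF2 hashes so old ones can be recognised without keeping them in clear text, and a minimum-age rule (an assumption of this example, not something the post describes) is shown alongside the history rule so the two variants can be compared.

```python
"""Added example: a last-N password history rule, with and without a
minimum password age.  `PasswordPolicy` is hypothetical, not a real API."""
import hashlib
import os
import time

ITERATIONS = 20_000   # lowered from production-scale values to keep the example quick


class PasswordPolicy:
    def __init__(self, history_size=5, min_age_seconds=0, clock=time.time):
        self.history_size = history_size
        self.min_age = min_age_seconds
        self.clock = clock            # injectable so tests can control time
        self.history = []             # list of (salt, hash), oldest first
        self.last_changed = None

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def _seen_before(self, password):
        return any(self._hash(password, salt) == digest
                   for salt, digest in self.history)

    def change(self, new_password):
        """Return True if the change is accepted, False if a rule blocks it."""
        now = self.clock()
        if self.last_changed is not None and now - self.last_changed < self.min_age:
            return False              # changed too recently
        if self._seen_before(new_password):
            return False              # reuse of a remembered password
        salt = os.urandom(16)
        self.history.append((salt, self._hash(new_password, salt)))
        self.history = self.history[-self.history_size:]   # forget the oldest
        self.last_changed = now
        return True


def cycle_back(policy, original, fillers):
    """The trick from the post: burn through `fillers`, then try to set the
    password back to `original`.  Returns True if the original is accepted."""
    for filler in fillers:
        policy.change(filler)
    return policy.change(original)


if __name__ == "__main__":
    fillers = ["filler-1", "filler-2", "filler-3", "filler-4", "filler-5"]
    lax = PasswordPolicy(history_size=5)
    lax.change("the-one-i-remember")
    print("history only:      back to original ->", cycle_back(lax, "the-one-i-remember", fillers))
    strict = PasswordPolicy(history_size=5, min_age_seconds=86400)
    strict.change("the-one-i-remember")
    print("history + min age: back to original ->", cycle_back(strict, "the-one-i-remember", fillers))
```

With the history rule alone, five filler changes push the original out of the remembered set and it is accepted again; with a one-day minimum age, none of the filler changes is accepted in the first place, so the original stays in the history.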
But what of especially high value systems? Do those passwords warrant special treatment? Perhaps, but anything of especially high value should not be protected by a single password anyway.
For example, if you do online banking and you have all your money in the world in accounts that can be accessed online, the problem is not with your password, it's with you.
To put this in a larger perspective, see So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (pdf) by Cormac Herley of Microsoft. This is the paper that triggered the Security Now podcast referred to earlier.
I found his analysis of the seven typical password rules (section 3) an interesting read. He concludes that "... even if a user strictly observes each of the rules indicated above they are by no means safe from exploits that involve password theft."
One point Herley makes is that keyloggers can steal any password. Of course, booting to Linux, as I suggested recently, is not a remedy that a Microsoft employee would offer up.
And when it comes to online banking, he fails to mention that businesses are governed by very different rules than consumers, rules that put them at risk of financial loss. For more on this see krebsonsecurity.com/category/smallbizvictims. Those companies now wish they had booted to Linux for their online banking.