First, Olzak notes in his introductory paragraph that
Even the use of strong passwords is often regarded as either less secure—because users inevitably write them down—or a hindrance to productivity.
I’ll agree that using strong passwords takes a bit more time, but the greater hindrance is experienced by the attacker. Also, just because something is easy doesn’t mean it’s the right thing to do. If doing the right thing takes more effort than doing the easy thing, does that mean that you are not as productive? No!
Furthermore, the problem is not that strong passwords are used, but rather what users do with them: write them down and leave them under keyboards, on walls, etc. The strong password is NOT the problem, what the user does with the password is.
I’m sure Olzak and others would say that the strong password IS the problem, and the reason they wrote it down is because it’s complex and hard to remember. However, if users treat written-down passwords like they do cash and credit cards, those passwords would remain secure. If passwords are not secured, it’s because users don’t value them.
If businesses tied use and protection of strong passwords (and security in general) to a person’s performance review (there’s the cash again), behaviors would change for the better quite quickly. However, users follow management, and most management really doesn’t care about security, as management’s own security practices are remiss.
The SANS article also noted that
There are four basic ways for a bad guy to get your password:
(a) Ask for it. So-called “Phishing” and “Social Engineering” attacks still work, and always will
(b) Try dictionary words at the login prompt in the hope to get lucky (“Brute Force”)
(c) Obtain the encrypted/hashed password somehow, and crack it
(d) Leech the password off your computer with keylogger malware
Wesemann goes on to say that changing passwords every 90 days doesn’t make these situations less likely, and attackers will soon search for a simpler victim.
Second, I disagree that attackers will quickly look for an easier target after a couple of days. Attacks are becoming more and more targeted, so attackers are more interested in the passwords of specific accounts, not just the first password they can crack; that is the reason for the attack in the first place.
Third, if proper complexity is used, passwords CAN stand their ground until the 90 days are up. The problem is that most users don’t use long enough and/or complex enough passwords. I do recognize that with constant technology advances, this is becoming a losing battle. However, until management provides the funds to add an additional factor to authentication, most systems will continue to rely only on passwords.
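As an added illustration of the third point (this is not code from the original post), the following Python computes how long exhaustive guessing of a password of a given length and character set takes and whether the expected crack time outlasts a 90-day cycle. The two guess rates are assumptions chosen for illustration, contrasting throttled guessing at a login prompt (case (b) above) with offline cracking of a leaked hash (case (c)); real offline speed depends on the hash algorithm and salting.

```python
from fractions import Fraction

SECONDS_PER_DAY = 86_400

# Assumed, illustrative guess rates (not measured figures):
# online guessing at a login prompt, throttled by lockout, versus
# offline cracking of a leaked fast hash on GPUs.
ASSUMED_RATES = {"online (login prompt)": 100, "offline (leaked fast hash)": 10**10}


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a `charset_size` alphabet."""
    return charset_size ** length


def days_to_exhaust(length: int, charset_size: int, guesses_per_second: int) -> Fraction:
    """Worst-case days needed to try every password in the keyspace (exact arithmetic)."""
    return Fraction(keyspace(length, charset_size), guesses_per_second * SECONDS_PER_DAY)


def outlasts_rotation(length: int, charset_size: int, guesses_per_second: int,
                      cycle_days: int = 90) -> bool:
    """True if the expected crack time (half the keyspace on average) exceeds the rotation cycle."""
    return days_to_exhaust(length, charset_size, guesses_per_second) / 2 > cycle_days


def rotation_report(cycle_days: int = 90) -> list[dict]:
    """Tabulate which length/charset combinations survive the cycle under each assumed rate."""
    charsets = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}
    rows = []
    for rate_name, rate in ASSUMED_RATES.items():
        for cs_name, cs in charsets.items():
            for length in (8, 10, 12, 16):
                rows.append({
                    "rate": rate_name, "charset": cs_name, "length": length,
                    "expected_days": float(days_to_exhaust(length, cs, rate) / 2),
                    "survives_cycle": outlasts_rotation(length, cs, rate, cycle_days),
                })
    return rows


if __name__ == "__main__":
    for row in rotation_report():
        print(f"{row['rate']:<28} {row['charset']:<16} len={row['length']:>2} "
              f"expected {row['expected_days']:>12.3g} days  survives 90d: {row['survives_cycle']}")
```

The table makes the post's point concrete: an 8-character lowercase password falls in well under a day at the assumed offline rate, while a 12-character password drawn from printable ASCII survives far beyond 90 days even under that pessimistic assumption.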
Fourth, in my experience, the two most prevalent ways for someone to get a password in the workplace are:
- Shoulder surfing
- Password sharing with a co-worker, who shares it with someone else
These problems are addressed by 30-, 60-, and 90-day password cycles, so forcing regular password changes is necessary.
The SANS article mentioned another benefit of regular password changes:
If someone has your password, and all they want is to read your email and remain undetected, they can do so forever, unless you eventually change your sign-in secret. Thus, regularly changing the password doesn’t help much against someone breaking in and making it off with your goods, but it DOES give you a chance to shake off any stalkers or snoopers you might have accessing your account.
However, Wesemann still doubts whether forcing password changes every 90 days is worth the trouble.
My conclusion is different. People simply need to face the fact that the world changed a long time ago, attackers are after them (really), and most of them have been too lucky for too long (or they have already been compromised and don’t know it). Unfortunately, until management leads the way, the security posture of most companies and users will change slowly.
Finally, everyone should remember that auditors only audit practices that management put in place. If you don’t like 30-, 60-, or 90-day passwords, it’s time to go talk to management.
Read the SANS article.
I should note that Olzak’s main point was providing a way to create two-factor passphrases, not criticize the password change cycle. He rightly notes that the complexity of the method he wrote about would put it beyond the practice of most users, but it is an interesting approach. Read about it here.
As always, I’d be interested in whether you agree, disagree, or have another take on this.