Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Does Mandatory Password Expiration Help or Hurt Password Security?

October 6, 2022

On October 4, Help Net Security had a very interesting post which is at the heart of many cybersecurity arguments these days. Does mandatory password expiration help or hurt your password security?

First, it is interesting to note that both NIST and Microsoft have abandoned the notion that passwords need to be changed on a regular basis. You can find Microsoft’s password policy recommendations for Microsoft 365 software here.

Microsoft cites two main reasons why you should avoid scheduled password expirations. As it says, fast-acting criminals won’t be deterred by your 90-day change policy.

That’s because scheduled password changes do little to prevent an attacker from gaining access to a victim’s network because threat actors almost always make immediate use of compromised passwords.

By way of explanation, password theft is like credit card theft. When a criminal steals a credit card number, they know that they have a very limited amount of time before the card is reported to be stolen and is deactivated. So they typically use a stolen card immediately.

Password theft works the same way – threat actors want to exploit stolen credentials before compromised accounts are deactivated or passwords are changed.

The second reason Microsoft cites for avoiding scheduled password policy expirations is that end users are tired of the needless changes of good passwords.

Also, when users are forced to periodically change their passwords, they are much more inclined to use passwords that are both insecure and predictable.

Here’s evidence from a 2009 study by the University of North Carolina at Chapel Hill. Since most networks are configured to lock accounts after a small number of incorrect password guesses, researchers wanted to determine if it was possible to create an algorithm that could correctly guess passwords in five or fewer guesses, using one of a user’s previous passwords as a starting point.

Interesting, yes?

The study found that when users are forced to periodically change their passwords, they often resort to using transformations rather than using an entirely new password. These transformations might involve replacing a character with a symbol (for example, using a dollar sign instead of the letter S) or incrementing a number to the end of the password.

We see this ALL the time.

By examining thousands of password histories, researchers were able to determine the types of transformations that users most often resorted to using. They then used this information to create an algorithm that has a high probability of being able to guess a user’s current password based on a previous password in five guesses or less.

From Microsoft’s perspective, it is far better for a user to create a strong but unchanging password than to simply create a password that barely adheres to the organization’s minimal password requirements and then make small changes to that password each time that the organization requires the password to be changed.

Although NIST and Microsoft don’t recommend mandatory scheduled password changes, not everyone is convinced. The payment card industry for example, requires any organization that accepts credit card payments to comply with PCI DSS standards.

PCI DSS 4.0, which goes into effect when PCI DSS version 3.2.1 is retired in 2024, still requires scheduled password changes. Version 4.0 of the PCI DSS standard requires organizations to use passwords that are at least 12 characters in length (with some exceptions) and that passwords be changed every 90 days.

The fact that Microsoft and NIST recommend against mandatory password expirations while other industry standards such as PCI still require them clearly indicates that there is no clear-cut answer to whether forced password changes are a good thing. But what if there were an in-between option?

Remember as you continue to read, that the information below comes from a vendor. With that warning, it is very interesting reading.

Specops Password Policy supports length-based password aging, which may be the happy medium that organizations are looking for. The basic idea behind this feature is that an organization can make it so that users who create strong passwords are rewarded with less frequent password changes.

On the surface, it might initially seem as though length-based password aging does not entirely solve the problem. After all, even a user who creates a super strong password is still going to be required to change that password at some point and will presumably resort to using password transformations rather than creating an entirely new password. However, length-based password aging can be used in conjunction with Specops’ dynamic feedback feature; together, the two solve the password transformation problem.

Specops’ dynamic password feedback feature guides the user through the password reset process, showing them exactly what is required in order to satisfy the organization’s password requirements. This gives the organization an opportunity to create a policy that prevents the use of common password transformations.

If, for example, a user’s original password was MyP@$$w0rd1, then a password policy could prevent the user from changing the password to something like MyP@$$w0rd123, MyP@$$w0rd2, or MyPa$$word1. Because the policy blocks the user from using common transformation patterns, the user is forced to adopt a completely new, secure password.
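As an added illustration (this is example code, not code from the post, Specops, or Microsoft), here is one way a password-change hook could catch the transformations the post describes, using the post's MyP@$$w0rd1 example. The substitution table, the prefix rule, and the edit-distance threshold are assumptions for the example.

```python
import re

# Symbol/digit-for-letter substitutions of the kind the UNC study found users
# apply when forced to change a password. This table is an assumption for the
# example, not any vendor's list.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "3": "e", "7": "t", "!": "i", "|": "l",
})

def normalize(pw: str) -> str:
    """Lowercase, undo leet substitutions, and drop punctuation so that
    'MyP@$$w0rd' and 'mypassword' collapse to the same core string.
    Falls back to the plain lowercase form if nothing alphanumeric remains."""
    core = pw.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z0-9]", "", core) or pw.lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character changes turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_transform(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a small edit of `old`: case or symbol swaps,
    a reversal, an appended/incremented counter, or a couple of changed
    characters (threshold is an assumed policy value)."""
    a, b = normalize(old), normalize(new)
    if a == b or a == b[::-1]:
        return True                      # symbol/case swap or reversal
    if a.startswith(b) or b.startswith(a):
        return True                      # counter appended or removed
    return levenshtein(a, b) <= max_distance

def check_new_password(old: str, new: str) -> tuple:
    """Policy hook: reject a variation of the old password and return a
    message the user can act on, in the spirit of dynamic feedback."""
    if is_trivial_transform(old, new):
        return False, "New password is a small variation of your previous one; choose an unrelated passphrase."
    return True, "OK"
```

In a real deployment the old password is only available in cleartext at the moment of the change (the user supplies it to authenticate), which is exactly when this check would run.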

Additionally, the dynamic feedback feature guides the user through this entire process and shows the user exactly what is required thereby helping to eliminate ambiguity and its resulting user frustration.

The goal here is to combine a strong password policy with an end-user reward system: users keep a stronger password for longer, minimal password changes are discouraged, and none of this puts additional onus on the IT team. After all, if password feedback is available at the moment of the change, you can cut down on all those helpdesk calls asking for help.

You can test out Specops Password Policy in your Active Directory for free, anytime.

No harm in trying them out. But my major takeaway from this post is that mandatory password expiration is harmful to security – and that’s why NIST and Microsoft abandoned it.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson