
Spending our users' security budgets wisely

Created:  13 Oct 2016
Updated:  13 Oct 2016
Author:  Emma W

We're all busy people. Business demands are constant, and information overload is a daily challenge. Most of us don't come to work to 'do security' - it's a supporting function. It's something we have to get through in order to get to our main task.

And this is fine. Most of us aren't hired to do security - we're hired to do jobs that help meet our employer's business goals.

But due to these competing demands and priorities, we have limited mental effort to spend on security. This is sometimes called The Compliance Budget and like any budget, once spent it's gone - we can't use it again elsewhere. As security professionals we should be mindful of this budget, avoid squandering it in places where it doesn’t buy real value, and not expect user effort to be able to compensate for other gaps in our defences.

Pouring user effort into managing and memorising difficult passwords is a common use of the compliance budget, and it's (mostly) a huge waste of this precious resource. Users generally find such policies impossible to comply with; they provide no particular defence against many common password attacks, and there is a real limit on how much protection user passwords can give to a system. Because in most cases, if your user passwords can be directly attacked, then you've got bigger problems.

For instance, if an attacker is able to get hold of your password hash file and run offline brute force attacks against it... you've got bigger problems.

If an attacker is able to attempt thousands of logins without prevention or detection, because you have no account lockout/throttling or monitoring in place... you've got bigger problems.

If an attacker compromises a user account, gains a foothold in the system and installs back-doors that give sustained and undetected access even after the password is changed... you've got bigger problems.
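The second scenario above (thousands of login attempts with no throttling or monitoring) is the one a defender can cheaply close without spending any user effort. As an added example, not code from the NCSC post, here is a sliding-window failed-login detector run over constructed sshd-style log lines; the log format, threshold and window are assumptions chosen for illustration. It also shows the caveat a practitioner should know: a "low and slow" attacker who stays under the threshold per window is not caught by this check alone.

```python
# Added example (not from the NCSC post): sliding-window failed-login
# detection keyed on both the account and the source address.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in an sshd-like format (not real data).
# alice: five rapid failures then a success (classic online guessing).
# bob:   three failures spread over 40 minutes (low and slow).
SAMPLE_LOG = """\
2016-10-13T09:00:01 sshd: Failed password for alice from 203.0.113.5
2016-10-13T09:00:02 sshd: Failed password for alice from 203.0.113.5
2016-10-13T09:00:03 sshd: Failed password for alice from 203.0.113.5
2016-10-13T09:00:04 sshd: Failed password for alice from 203.0.113.5
2016-10-13T09:00:05 sshd: Failed password for alice from 203.0.113.5
2016-10-13T09:00:06 sshd: Accepted password for alice from 203.0.113.5
2016-10-13T09:05:00 sshd: Failed password for bob from 198.51.100.7
2016-10-13T09:20:00 sshd: Failed password for bob from 198.51.100.7
2016-10-13T09:40:00 sshd: Failed password for bob from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def detect_bruteforce(log_text, threshold=5, window_seconds=600):
    """Scan lines in order and return a list of (key, timestamp) alerts.

    key is ('user', name) or ('source', ip).  An alert fires the moment a
    key accumulates `threshold` failures inside a sliding window of
    `window_seconds`; the key's window is then cleared so one burst yields
    one alert.  Keying on the source as well as the user means password
    spraying (one guess against many accounts) is also caught.
    """
    windows = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than crash the pipeline
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, source = m.group(2), m.group(3), m.group(4)
        if outcome != "Failed":
            continue  # only failures count towards throttling
        for key in (("user", user), ("source", source)):
            q = windows[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that have aged out of the window
            if len(q) >= threshold:
                alerts.append((key, ts))
                q.clear()
    return alerts
```

With the defaults, alice's burst alerts on both keys at 09:00:05 while bob's spaced failures never reach the threshold; widening the window and lowering the threshold (e.g. 3 failures in an hour) is what it takes to surface bob, at the cost of more false positives from forgetful users.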

User passwords are only one of many ways in which we defend our systems. They can’t compensate for all vulnerabilities elsewhere, so we shouldn't rely on them further than is justified. Research shows that there is no correlation between the best-defended systems and those with the most demanding password policies. If anything, the opposite is true.

The same applies with password expiry. There are very few imaginable scenarios where regular password expiry would provide any real security protection, and regular password-changing makes no difference to the success of most attacks. But it does impose a heavy burden on users, causing corresponding harm to the organisation's overall security. Because of the innate attraction of the idea that a newer password must be a better password, and because we have been slow to realise the huge costs imposed by password expiry policies, we have hung on to them long past the time when we should have - well, expired them.

Organisations should stop regularly expiring user passwords for the sake of it and focus instead on more meaningful, effective protective measures. This includes minimising password use and ensuring that where they do remain necessary, they are used sensibly.

4 comments

Bob Simpson - 11 Nov 2016
This is top stuff - really glad to see the NCSC publishing advice of this nature. Will be using it in our organisation!

Thank you.

Bob S
Helen A - 20 Feb 2017
This blog reminds me of one of my favourite modules for my MSc, people and security. I think the point that security is a supporting function is crucial as most people who circumvent security don't do it to be malicious but simply to get their work done. Understanding business processes and mapping security on to them while making it clear to the users what you are trying to achieve can help, as can providing people with an accessible route to challenge security practices that are interfering with their work. Fundamentally good communication (both ways) and really trying to understand the user's point of view is what is needed.
Alexis foko - 05 Apr 2018
I'm happy
NCSC Communications Team - 26 Sep 2018
This blog is now closed to comments.
