Blog post

Your password expiry policy may have reached its expiry date

Created:  21 Dec 2016
Updated:  21 Dec 2016
Author:  Emma W

In cyber security as much as anywhere else, it's important to use the right tools for the job at hand. However, sometimes we can get a bit too attached to particular tools, and try to use them to solve problems they aren't actually best placed to tackle. To someone with a hammer, everything looks like a nail. And then, when you look closely at the tool itself, it turns out it's pretty old and broken and will shatter at the slightest impact. 

In just this manner, some people remain firmly wedded to the idea of regularly expiring user passwords, despite compelling evidence telling us that the cost of such policies vastly outweighs any security benefit.

I actually don't find this inertia too surprising, given that we're talking about such a long-established security trope with inherent seductive appeal. A fresher password is always a better password, surely? And yes, change is hard. Inertia is strong, and the impulse to stay with the herd (even if the herd is running in the wrong direction) is likewise powerful. But I do find the defences of password expiry that I've lately heard to be a little off the mark. Defences such as:

'Password expiry is an effective way of mitigating the risk when passwords have been deliberately (if illicitly) shared between users.'

or

'Password expiry can be used to make sure people don't forget that passwords do still need to be changed sometimes, just because they're no longer forced to do it regularly.'

These scenarios certainly happen, and password expiry could be one way of seeking to manage some of the risks. However, password expiry policies create vulnerabilities of their own. Passwords do sometimes need to be changed (most importantly, on indication or suspicion of compromise). It's vital to work with users to ensure they know when and how to change their passwords (and that they actually do this). But we believe that if regular password expiry really looks like a good idea, that's a sign that your organisation has bigger problems and needs to look for correspondingly bigger solutions:

  • If your users are deliberately sharing passwords despite being told not to, maybe they don't have workable official ways of securely sharing information? You can fix that by providing modern information-management tools that will boost your business productivity (and strengthen your security) far more than expiring passwords ever can.
  • If your users aren't changing their passwords after sharing them with others, maybe they don't understand their important role in helping your organisation to secure its information, manage and audit access? If that's the case, forcing them to change their passwords won't help them to improve their overall approach to managing your organisation's information risk.
  • If you think you need to keep expiring passwords regularly so that people won't forget how to change them when they do need to, that implies that your organisation's password change process is clunky and unintuitive. Any password change process that users can't instantly navigate with no training or background is too clunky. In this case, we believe it is better to un-clunk the process rather than spend everyone's valuable time and energy trying to train them to clunk it better.

If someone makes the assumption that a password that isn't forced to be changed is never going to have to be changed, and hard-codes a password into a tool or process, then either:

  • they genuinely think that's a good idea

or

  • it's the only way they can make things work

Either way, that's an issue that needs to be dealt with in its own right. Technical solutions are coming forward that can help with this. Most hard-coded passwords come from setting up service accounts (web server accounts, default admin accounts on servers, etc.). For example:

In all of these cases, password expiry might initially look like a quick and easy way of helping to manage the risks. However, it rarely delivers the headline benefits it promises, and mostly just creates fresh vulnerabilities instead. It pushes people towards using weaker passwords, writing them down, re-using them across different systems and changing them only in tiny ways (eg adding 1 to the number on the end every time). Attackers can and do exploit all these dodges. It disrupts our workflow, reduces our productivity and increases helpdesk costs.
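One defensive check that follows from this, added here as an example and not code from the original post: a password-change validator that rejects the "tiny change" dodges described above (a case flip, an incremented trailing number, a single character tweaked or appended). The similarity threshold and the sample passwords are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Splits e.g. "Winter2016" into stem "Winter" and trailing digits "2016".
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d*)$")


def _stem(password: str) -> str:
    """Password with any trailing run of digits removed, case-folded."""
    return _TRAILING_DIGITS.match(password).group(1).casefold()


def is_trivial_variation(old: str, new: str, threshold: float = 0.8) -> Optional[str]:
    """Return why `new` is a trivial variation of `old`, or None if it is not.

    Covers the dodges the post describes: the password is unchanged or only
    re-cased, only the trailing number changed (Winter2016 -> Winter2017), or
    the two are near-identical by edit similarity (one character swapped or
    appended). `threshold` is a constructed cut-off, not a standard value.
    """
    if new == old:
        return "unchanged"
    if new.casefold() == old.casefold():
        return "case-only change"
    if _stem(old) == _stem(new):
        return "only the trailing number changed"
    if SequenceMatcher(None, old.casefold(), new.casefold()).ratio() >= threshold:
        return "too similar to previous password"
    return None


if __name__ == "__main__":
    # Constructed sample changes, each paired with what a user might try.
    samples = [
        ("Winter2016", "Winter2017"),
        ("Password", "Password1"),
        ("summer", "Summer"),
        ("correct horse", "correct horse!"),
        ("Winter2016", "lantern-oxide-vivid"),
    ]
    for old, new in samples:
        verdict = is_trivial_variation(old, new) or "accepted"
        print(f"{old!r} -> {new!r}: {verdict}")
```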

Password expiry is a blunt instrument that casts a long shadow over organisational security. We should call time on this outdated and ineffective practice.

13 comments

Nick Humphrey - 22 Dec 2016
Excellent article. This serves to emphasise that risk management and an organisation's cyber security strategy is NOT purely an IT problem. Decisions as to threat and risk should be taken at board level and IT departments utilised to implement technical controls which are intended to mitigate risk to a level acceptable to the board or SMT. All too often decisions are taken to implement controls based upon risk avoidance. Without a clear understanding of the level of threat and acceptable risk, controls are often implemented which staff have to bypass just to 'get the job done'. Evidently not acceptable, but who's at fault?
David - 23 Dec 2016
Great article. More like it please :)
David Booth - 23 Dec 2016
Dear Emma
Like other arguments against password expiration, it ignores reality. Users commonly duplicate passwords on different accounts, don't know when one of the duplicates has been compromised, forget messages from training courses, fail to understand the importance of security in relation to meeting their objectives and more. Until 2FA becomes more usable, expiration is inevitable.
Mark T - 03 Jan 2017
While the article is well articulated, it does also ignore reality. Some 99% of UK businesses employ less than 50 people. Most of these won't have an IT department. Some will have just one dedicated IT person and a lot will use hosted services or external IT resources. So while regularly changing passwords may not be ideal, it will be common practice simply because those businesses do not have the time to spare to implement something more sophisticated, let alone read this article. This applies to the excellent advice created by the CESG at the end of 2015, something like "Simplifying your approach to password management". The advice is sound, but in general unlikely to be adopted directly by many organisations.
Mark T - 03 Jan 2017
part 2/2

In my role (educating accountancy professionals) we strongly encourage the use of 2FA. However, as cloud service adoption continues, it is up to the service providers to provide 2FA (very few cloud services prompt for regular password changes).

Articles like this are useful ways to educate IT professionals who in turn can influence smaller businesses. However it needs to be viewed within a wider business reality. [Please make your comment box bigger!]
Mike Burns - 15 Jan 2017
For years I've been pushing a similar message and it is great to see the traction now breaking through. There is a place for expiration, but it should not be so often as to be onerous. Expiration at short periods leads to reduced security and user frustration; too long and it leads to complacency. Alas, not everyone has the option of 2FA. For those that don't, the security pros need to start to understand how people actually think and behave; what you think is making things secure can often have the opposite effect.
Mark Thompson - 03 Feb 2017
Interesting piece, but it is to be noted that the Cyber Essentials scheme requirements still talk of changing administrative passwords at least every 60 days, so the 'change passwords frequently' thinking is still deeply embedded within Government IA and the more general IA standards. Little wonder that SMEs are confused as to what they should be doing. Given that 96% of UK businesses employ 0-9 people (and 99% 0-250 employees), the vast majority are going to have no full-time IT function, so the idea they can implement a reliable password management policy (esp. for the administrative level passwords) is probably unrealistic.
Simon - 21 Feb 2017
Agree with David Booth - I think the risk of users using the same password in multiple domains and security contexts has been missed here... especially given the current trend towards cloud and shadow IT where boundaries, governance and monitoring are blurred at best... I wouldn't want someone using the same password as their previously breached email provider on the corporate network (I acknowledge changing pw isn't foolproof but it might help).
Duncan - 01 Mar 2017
What if expiry just promotes reusing passwords a user already knows, and forcing a password change causes the user to reuse a password that's already been compromised elsewhere?

Regularly expiring passwords will not cause a user to start using unique passwords for your system if they're used to reusing them elsewhere. Personally I think it's been outdated since it was introduced by auditors with checkboxes to tick and has been repeatedly shown to weaken password security and cause users to write passwords on sticky notes and pin them to monitors.

Paul Furnival - 18 May 2017
Interesting article that certainly makes one think about password expiry policies.

The main flaw I can see in not implementing a password expiry policy is based on the statement "users must change passwords on indication or suspicion of compromise". But what happens if there is no indication or suspicion? Or if the average user does not recognize such indications? Or the account in question is a system account not used by any one person?

Under these circumstances, the user account can be compromised indefinitely. Especially if the perpetrator is being careful to hide his or her actions.

That appears to be a large risk that outweighs the risks of enforcing a renewal policy.
Pat Keane - 22 Jun 2017
Having worked in LG as a HIT/CIO for many years I understand what is being said about password renewal etc. What I think is missing is that if we explain properly why passwords are needed and how to manage them, stop calling our customers users and treat them as adults, we might be surprised at the outcome. As the article says, if people are trying to find ways of working around our processes, we need to change the processes and not the people.
Mike Burns - 20 Nov 2017
Let's just update the guidance and promote passwords as a use-once fallback for when MFA fails.

The biggest issue with passwords (which the above will partially address) is the disparate password policies often within the same organisation/domain. As it is a safe assumption that most people now have a smartphone capable of using an open standards MFA app, let's start to promote that instead.
Gary Trembath - 18 Dec 2017
Regular expiration of passwords is a problem; users just give up and write them down on a Post-it.

But no password expiration at all? Come on guys, you can't be serious.
