In cyber security as much as anywhere else, it's important to use the right tools for the job at hand. However, sometimes we can get a bit too attached to particular tools, and try to use them to solve problems they aren't actually best placed to tackle. To someone with a hammer, everything looks like a nail. And then, when you look closely at the tool itself, it turns out it's pretty old and broken and will shatter at the slightest impact.
In just this manner, some people remain firmly wedded to the idea of regularly expiring user passwords, despite compelling evidence telling us that the cost of such policies vastly outweighs any security benefit.
I actually don't find this inertia too surprising, given that we're talking about such a long-established security trope with inherent seductive appeal. A fresher password is always a better password, surely? And yes, change is hard. Inertia is strong, and the impulse to stay with the herd (even if the herd is running in the wrong direction) is likewise powerful. But I do find the defences of password expiry that I've lately heard to be a little off the mark. Defences such as:
'Password expiry is an effective way of mitigating the risk when passwords have been deliberately (if illicitly) shared between users.'
'Password expiry can be used to make sure people don't forget that passwords do still need to be changed sometimes, just because they're no longer forced to do it regularly.'
These scenarios certainly happen, and password expiry could be one way of seeking to manage some of the risks. However, password expiry policies create vulnerabilities of their own. Passwords do sometimes need to be changed (most importantly, on indication or suspicion of compromise). It's vital to work with users to ensure they know when and how to change their passwords (and that they actually do this). But we believe that if regular password expiry really looks like a good idea, that's a sign that your organisation has bigger problems and needs to look for correspondingly bigger solutions:
- If your users are deliberately sharing passwords despite being told not to, maybe they don't have workable official ways of securely sharing information? You can fix that by providing modern information-management tools that will boost your business productivity (and strengthen your security) far more than expiring passwords ever can.
- If your users aren't changing their passwords after sharing them with others, maybe they don't understand their important role in helping your organisation to secure its information and to manage and audit access? If that's the case, forcing them to change their passwords won't help them to improve their overall approach to managing your organisation's information risk.
- If you think you need to keep expiring passwords regularly so that people won't forget how to change them when they do need to, that implies that your organisation's password change process is clunky and unintuitive. Any password change process that users can't instantly navigate with no training or background is too clunky. In this case, we believe it is better to un-clunk the process rather than spend everyone's valuable time and energy trying to train them to clunk it better.
If someone makes the assumption that a password that isn't forced to be changed is never going to have to be changed, and hard-codes a password into a tool or process, then either:
- they genuinely think that's a good idea
- it's the only way they can make things work
Either way, that's an issue that needs to be dealt with in its own right. Technical solutions are coming forward that can help with this. Most hard-coded passwords come from setting up service accounts (web server accounts, default admin accounts on servers, etc). For example:
- Microsoft's Managed Service Accounts ensure passwords are unique and centrally managed
- Just Enough Admin limits the privileges of administrative accounts
- LAPS helps to deal with local administrator accounts being the same on all domain-joined clients
In all of these cases, password expiry might initially look like a quick and easy way of helping to manage the risks. However, it rarely delivers the headline benefits it promises, and mostly just creates fresh vulnerabilities instead. It pushes people towards using weaker passwords, writing them down, re-using them across different systems and changing them only in tiny ways (eg adding 1 to the number on the end every time). Attackers can and do exploit all these dodges. It disrupts our workflow, reduces our productivity and increases helpdesk costs.
Password expiry is a blunt instrument that casts a long shadow over organisational security. We should call time on this outdated and ineffective practice.