The background to me writing this blog post is based on a few infographics that I saw posted on LinkedIn recently. I didn’t link directly to the posts since I wanted to avoid the potential pile-on (perhaps that's another blog post another time).
Ummm someone want to tell them? pic.twitter.com/7Q8FjOjeBl
— Sean Wright (@SeanWrightSec) August 1, 2022
Now granted, as someone pointed out this was an old infographic from some years ago: https://twitter.com/RiskyRichardH/status/1554377415576666112
The problem was that this was just recently posted on LinkedIn, so to those who didn’t know any better, this advice was still valid and relevant.
Then there was another infographic that I came across, again on LinkedIn, on the very same day (providing similar advice):
Please make it stop!!! 🤦♂️ pic.twitter.com/enASGZoGgJ
— Sean Wright (@SeanWrightSec) August 1, 2022
Now that’s not to say that all of the advice in these two infographics were bad or outdated. Some of the advice was very much on point. But one was the one that grabbed my attention. The infamous “you must periodically change your password”. For an understanding why this is not great advice, we need to reflect a bit on the history of where an how passwords were used.
History of Passwords
In the origins of the Internet, many didn’t have direct access to it. Certainly nowhere near to the extent that we have today. Often we used shared devices. And not to mention the joys of dial-up Internet! Either this would have been a shared computer in your family home, or perhaps a shared computer in a library, university or Internet cafe. The shared home computer perhaps carried relatively little risk, but the others did carry some potential risk. Who knows what sort of things were lurking about on these devices. So in order to limit our exposure should something like a key logger be installed on one of these devices, periodically resetting your password kind of made sense (I will get onto this in a bit). The idea was that, should your password become compromised, then the time period that the attacker would have access to your password would be limited to the life of the password. Also we didn’t have the regulations and visibility into breaches back then (heck most orgs wouldn’t have know if they got breached). Also many didn’t follow many of the best practices around handling and storing passwords that they do today. Heck, back in 2007 the likes of Facebook still used HTTP! So with this in mind limiting the exposure of those passwords to a period in time, kind of made sense.
Why Periodic Password Resets Don’t Work
But here’s the thing. If you reflect back and consider how much that would have really helped, you come to the realisation that probably not much. Firstly, how did the password become compromised in the first place? What stopped any subsequent passwords becoming compromised. Was that key logger on the PC in the library even detected, never mind removed? How about those passwords stored in plaintext in the company’s database? What if they compromised your password soon after you changed it?
Here’s perhaps the biggest crux of them all, a password reset typically means a 1 character change! P@ssword123 simply became Password1234. How do I know this? Well… because this is EXACTLY the thing that I did. You would always tell how long I worked at an organisation, the longer my password, the longer that I worked there! So coming back to the original justifications around changing your password on a periodic basis. How will this help? An attacker is not going to be thwarted by a simple 1 character change, especially when they take human nature into account (for example a sequence of numbers, it really isn’t rocket science to figure out what would likely be next). Heck we’ve even seen the likes of winter2007, summer2007, spring2010, etc.
There have been several studies that back this up:
- https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2016/03/time-rethink-mandatory-password-changes
- https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
- https://discovery.ucl.ac.uk/id/eprint/20247/2/CACM FINAL.pdf
In fact even government agencies such as NIST and NCSC now provide the guidance to no longer force periodic password resets. These are some pretty powerful voices behind the change in advice around forced password resets (not to mention big names in the industry such as Microsoft)!
Another important thing to note is that back in the day we likely only had a handful of accounts. Periodically changing the password on each would have likely only taken a few minutes. Fast forward to today, and it's a different story (it would likely take me hours!).
The guidance is now to only change or rest your password if there is any suspicion to believe that your password has been compromised. And the emphasis on the word suspicion. You shouldn’t wait for confirmation, you should go ahead an immediately change your password. But only when there’s reason to believe that your password may have become compromised (a case of rather being safe than sorry).
Other Outdated Advice
Some other advice that I’d like to call out is the advice against writing down passwords. You most certainly don't want to write down your password on anything that is not kept away from public eyes. So things such as whiteboards, or post-it notes stuck to a monitor are a really bad idea. Things such as physical password book are perfectly acceptable though, so long as it is securely stored away from others.
Another piece of advice that is becoming more and more outdated is around password complexity. While it may may technically help to make passwords more secure, the reality is that it doesn’t. If only computers were involved, this would certainly be the case (but you could then argue it becomes a token as opposed to a password). Humans generally don’t deal well with complex passwords. Heck, I’ve even literally chosen a weaker password because of the more “secure” password complexity requirements! I blogged about this some time ago, but others such as NIST and NCSC also have a few things to say on the matter. Have you ever tried to enter a 64 character complex password using a TV remote (I can assure you, it’s not fun at all).
Conclusion
There’s a reason why people reuse passwords, as well as choosing weak password. And that word you looking for is convenience. Users generally don’t want to be burdened with additional overhead. And if they are, they will find the shortest and least painful route possible (think summer2022, autum2022). A lot of the older advice that we gave around passwords made sense at the time. But times have moved on since, and things certainly have changed since. As a result the advice that we give to ordinary users has to adapt as well, and more importantly put a balance into place between protecting the user as well as making things bearable for them to use. Otherwise you will likely find that you face the exact opposite of what you are trying to accomplish.
My advice for passwords? Use a password manager, it's as simple as that. Also use MFA where possible. Use those 2 and you put yourself in a great position in terms of password hygiene.
And finally this is an infographic that I can stand behind! Use the advice in it to help shape your own password practices, as well as hopefully helping your organisation move with the times.
