Time-based (expiry) password enforcement leads to poor password choices

If you work for an organisation where someone else has some influence over the security of your account, you may be subject to a policy of password expiry. Every 30, 60 or 90 days, you receive a prompt that advises you to change your password - if you ignore it, the prompts get increasingly more aggressive - until one day you log in and you're forced to enter a new password to continue.

Proactive account security is something I absolutely champion - but not like this.

What's wrong with forcing regular password expiry?

Passwords are a weak point of security, always have been - and until we rethink our approach to account security, probably always will be. But forced expiry has a similar effect on security as abstinence has on sex education. It looks like an idea that should be good, but it doesn't address the underlying issues.

The weak link in this chain is us; users. We're told that we have to have at least 8 characters, at least one of those must be upper case, at least one number and one special character. So as we force our users into scenarios of choosing obscure and hard-to-remember passwords, we add to that, the forced policy of having to come up with a new one every expiry cycle.

People are more likely to adopt poor password techniques

So they've got their password - they can't remember it, but it's ok because they can write it down. Nowhere obvious (of course), a blank page in the back of a notebook (no one will ever even realise that it's a password...right?).

What is arguably more likely is a couple of issues that make forced expiration a 'good idea-poorly executed'.

  1. People are more likely to replicate passwords (i.e. use the same password for lots of systems). I get it, we've all been guilty of it I'm sure - but using the same password weakens every system it's used on. If someone somehow gains access to that one password, it's going to make it a heck of a lot easier to gain access to the other systems it enables access to.

  2. People are more likely to repurpose passwords. You find a password that meets those all-important criteria set by your network administrator, but upon the first cycle of it expiring, you simply use the same password and pop a "1" on the end - the next cycle, a "2" and so on.
And that's the issue - it does nothing to discourage poor habits; in fact, one might argue that it encourages them!

It lacks the educational component that we need to get right (first). We should be helping our communities what a good, strong password looks like - help them understand why they should care.

Encouraging users to think of passphrases rather than passwords is a solid option - "Password12" is [hopefully] obvious why it's so poor, "Password13" isn't any better. JugTabletFreshner (compiled of three things that are in front of me right now - but otherwise have little to no business being words that you'd find together) is easier to remember than "6Z%2YneNzk" but offers significant benefits over weaker, lazy passwords.

Of course, you should combine this with multi-factor authentication to provide extra protection, but for now, it's time we took a good look at what we're asking users to do with their passwords.

Comments

Post a Comment

Popular posts from this blog

LarmTek 1080P USB webcam with privacy cover (HD264 Webcam USB)

Image
First impressions were mediocre to be honest, the webcam comes in an unassuming box without any kind of a fanfare. I stuck the privacy cover (not because I'm a privacy nut, but it was there so I figured "why not?") on easily (it comes with a peel and stick backing, so super-simple). I have the cover 'sat up' most of the time - but if you're one of these folks who sticks tape over their webcam, this is definitely an 'upgrade'.   Conspiracy Theory GIF from Conspiracy GIFs The lens has a wide-angle to it which gives a different perspective than I was used to from my normal daily-driver (Logitech C920) - and I didn't immediately warm to it, but after using the LarmTek Webcam as my regular camera for a few days, I've really come to like it. I have been using this webcam mainly for Microsoft Teams/Zoom and Google Meet - and feedback from folks on the 'other end' of the call is really positive, reporting a crisp clear image that's goo
Read more

Make an awesome profile picture from any photo

Image
A great profile picture is important. I have long-since preached the virtues of abandoning your selfie with the toilet in the background and having something that better represents you. I then came across this free profile picture maker that claims to let you "Create an awesome profile pic from any photo". I am a constant and fervent fan of Canva  for...pretty much everything - but every so often, there's something that pops up that might be worth having in your digital arsenal. I use this photo for most all of my profile pictures and I've always liked it. It is from the #Nerducator days, it was shot by a professional photographer and it suits me - so I use it mostly everywhere. So I was certainly curious to see what this tool could do with it. The tool claims to use an "AI background remover" to automatically remove any kind of background, provide dozens of design and you can tweak and edit the ideas to change them as you see fit. It only takes a few seco
Read more