July 19, 2020 | By Adam Arutz, Trustnet CISO and Head of the GRC Division
A Notion Behind the Password Age
In the industry, there has been a lot of back-and-forth about whether a short password age (or password rotation period) is necessary. Multiple studies have argued that a short password age is not needed and may even be less secure. With advanced authentication techniques, better password creation tools, and user training/awareness, short password ages can become obsolete.
Organizations should move toward implementing advanced authentication and password creation techniques. Until they put those mechanisms in place, allowing a password age of 90 days or more tends to expose them to higher risk. For the time being, they can trade a long password age for a long password length, which does mitigate some of the related risks.
Password expiration is principally a compensating control which is not optimal and has its issues:
- It is frustrating to users and leads them to write their passwords down in unsafe places
- Users generally tend to forget their new passwords
- Users get into the habit of making minor changes to their passwords while reusing most of the characters (for instance, changing the last digit)
- Studies show that this tactic makes passwords less secure than modern authentication methods, especially over the long term
Potential solutions to the identified issues:
- The optimal solution is the global use of MFA, for everything, on and off premises
- A defined process mandating periodic testing of the password database against databases of known compromised hashes (e.g. haveibeenpwned)
- Use of password creation tools that tell the user how strong a password is and direct the user to create one with a higher score
With that being said, password expiration is still a security control that is needed, but at a significantly lower frequency.
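As an added illustration of the compromised-hash check in the list above (this is example code, not from the original post), the following Python mimics the k-anonymity lookup used by haveibeenpwned's Pwned Passwords range API against a constructed offline sample; `SAMPLE_RANGES`, its counts and `offline_range_lookup` are assumptions standing in for the live HTTP call.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for the body returned by the Pwned Passwords range API
# for prefix "5BAA6": each line is "<35-char SHA-1 suffix>:<breach count>".
# Only the first suffix is a real hash (SHA-1 of "password"); the counts and
# the other entries are made-up sample data so this runs offline.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:2",
    ]),
}

def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix
    that is sent to the service and the 35-char suffix that never leaves
    the host (the k-anonymity property of the range API)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def offline_range_lookup(prefix: str) -> str:
    """Offline lookup over the constructed sample. Assumption: in production
    this is replaced by an HTTP GET of
    https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix, "")

def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)

def must_rotate(password: str, lookup: Callable[[str], str]) -> bool:
    """Policy hook: a password seen in any breach is forced to rotate now,
    regardless of how many days remain on its configured age."""
    return breach_count(password, lookup) > 0
```

Because only the 5-character prefix leaves the host, the check can be run against the whole user base without ever transmitting a full hash.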
Associated Risks and Mitigation
Now, let us also look at the other side of the coin – to understand some of the major risks and how password expiration can help to mitigate them:
- Password length – one of the major tradeoffs is the ratio between password length and expiration time. Essentially, the shorter the password, the less time it takes an average attacker to brute-force it. If an organization allows short passwords, it is recommended that the rotation interval also be short; otherwise an attacker will have sufficient time to guess the credentials.
Here is a sample matrix for illustration:
Thus, to raise our password age, we will need to move to passwords of at least 12+ characters.
- Compromised password rotation
As is commonly seen, users tend to use their corporate account and Active Directory (AD) password to register with external services (for instance Facebook). These external services do get breached; for example, last month the EasyJet customer database was breached, with over 9 million customer records exposed. Occasionally, such credentials find their way to the darknet.
A lack of password rotation tends to encourage adversaries to use these credentials for malicious and unauthorized purposes. There is a high possibility that the exposed user credentials are the same as the active AD credentials. A shorter rotation period helps reduce the risk.
- Regulatory compliance
While certain regulations across the globe strictly define 60-90 days of password rotation, including compliance standards such as PCI-DSS, other standards require it only as a guideline. Most clients' contractual security requirements require a short password age.
Following are some of the best practices for password age, as per the CIS benchmark:
*Please note: this recommendation may change if organizations use advanced authentication methods.
- Compromised accounts
If a user account has been compromised or its credentials are stolen, an attacker can potentially use it until the password expires. A shorter password rotation time reduces the risk precisely by giving the attacker a much shorter window in which to use the account.
To conclude, a password age policy is a practice of the past, and more advanced methods can be used to mitigate some of the risks. With that being said, until organizations adopt the advanced methods and use them on a global scale, password age is here to stay. It mitigates many of the risks organizations face in the current threat landscape.