Frequent password changes are the enemy of security, FTC technologist says

Status
Not open for further replies.

althaz

Ars Praefectus
5,712
Subscriptor
lux113 said:
> My passwords effectively look like nothing but random letter number symbol sequences. No words at all. I think that's as safe as it gets.
>
> It's not that difficult to remember a pattern like that when it's between 12 and 16 digits. And yes, I use the patterns for changing the password suggested in the article, otherwise there'd be no possibility of remembering them with our constant pass changes.

If you use a pattern to pick random characters...then they aren't random. They are probably also not hard to crack. You have to remember that a dictionary attack doesn't use the Oxford dictionary, it uses a *password* dictionary. So you've picked a password system that's hard for humans to understand, but likely trivial for a computer to crack.

Relevant XKCD: password_strength.png

Disclaimer: Don't use "Correct Battery Horse Staple" as a password - but *DO* use something like it. Computers still can't crack five-six random words strung together and might not be able to in the next decade (provided you use good words of course - "staple" is a pretty good one).
 
Upvote
3 (6 / -3)

johnnylundy

Wise, Aged Ars Veteran
128
This article points out a problem most people must have thought about. I had a job once involving unrestricted access to tens of thousands of people's Protected Health Information. We all logged into a VPN. IT had of course set the password policy to the usual 1 number 1 uppercase 1 lowercase, and change every 60 days. We could use the same password if it wasn't one of the previous six passwords.

During training, we were told to use "Abcdefg1" as our password. All of us. {Not the actual letters given to us - it actually was a 7-letter English word with the suffix "1"}

I was there 5 years and used 7 different passwords, all of them "Abcdefg1"+ another digit added to the end. After reaching "Abcdefg7", I could use "Abcdefg1" again.

I still couldn't ever remember which password I was on, so I had a Post-it note with the last digit stuck on my desk.

I never asked, but I bet that almost everyone else did the same thing. And I bet every one of them thought IT must be the most incompetent people around. Because of their ludicrous password rules, and the actions it forced us to take, security for this PHI was terrible.

Even worse was a hospital system that changed your password FOR you every 3 months, to a random 7 letter combo, and it gave you about 4 seconds to copy it down off the screen. Every single person wrote it down on a Post-it note.
 
Upvote
7 (8 / -1)
Classic example of why changing passwords is a p.i.t.a. - our work uses AD, we also have over one hundred iPad users. (I bet some of you in IT can see where this is going already...) User is required to change AD password so does, meanwhile iPad Mail is trying to connect to Exchange. Five wrong attempts and boom (sorry Steve) the AD account is now locked out. User rings IT for account unlock, boom, Mail does the same thing again. User ends up having to bring iPad to IT who then have to coordinate account unlock and password change. This is repeated every 30 days as that's the requirement foisted on us by the Executive Office who believe the security auditor that passwords must be changed regularly.
 
Upvote
7 (8 / -1)

berrardo

Seniorius Lurkius
49
"They take their old passwords, they change it in some small way, and they come up with a new password."

So, then, it's NOT frequent password changes that are the problem. It's the lack of training of personnel that is the problem, along with the software they're using that lets them get away with minor changes to the same old password.

Those new passwords should have to pass a minimum entropy test. They should be used along with password manager software that takes away the pain of using long, random passwords.
 
Upvote
-13 (1 / -14)

xXxSqueakxXx

Ars Scholae Palatinae
913
Dilbert said:
> Abraham42 said:
> > In my experience, asking employees to change their passwords frequently coupled with requiring complex passwords, leads to them being written down on post-it notes.
>
> That's fine if the note is in their wallet. Not so much when it's under the keyboard, in the top desk drawer, or taped to the monitor.

But then the old post-it note with the old password ends up in the trash bin, so if it's a transformed password, it doesn't really matter where the new post-it note is stored.
 
Upvote
4 (4 / 0)

Dac

Ars Legatus Legionis
12,495
Subscriptor
berrardo said:
> It's the lack of training of personnel that is the problem

Can't see the forest for the trees?

Fact: People HATE changing perfectly good passwords.
Fact: Organisations force people to change passwords TOO FREQUENTLY (more than once a year is too frequently, in my not so humble opinion).
Fact: No amount of 'training' will remove the pain of having to come up with a new password every 30 days, especially on multiple systems.

It isn't employees that are the problem, it's management practices that are outdated and proven to be detrimental. Sure, have Good Password creation rules drilled into people, but don't make them regularly go through the process of doing password creation, because that shit gets old -fast-.

Using a password manager to create/enter your Random Passwords is NOT POSSIBLE if your account is locked out because you forgot your 'random-like password' :p

Someone should recommend that IT Security areas regularly audit their organisation's password usage, and send infringement notices to staff who use stupid-easy passwords, and not bother those staff who are using passwords effectively. Gaining access to the password hashes is an exercise left for the IT Security people :p.
 
Upvote
8 (10 / -2)

MaxArt

Ars Scholae Palatinae
1,184
The only way to decently comply with frequent password changes is to let a service like LastPass or 1Password do the job for you. Any other option is going to end up in an organizational mess.

jni68 said:
> I write all my passwords down in a book, if someone breaks into my house and finds a hidden book then passwords will be the least of my worries. :)
>
> 20 random character passwords ain't so bad.

First, typing 20 random characters with symbols every time would really bug me off.
Second, I'd be *terrified* of losing that book.
In a fire, even, or in the mouth of my dog.
 
Upvote
4 (4 / 0)

Lucidry

Seniorius Lurkius
16
I'm not following this logic. Frequent password changes make them more susceptible to algorithms predicting their next changes. But those who do not frequently change the password... would have the same password. This algorithm requires a password to go off of - how, then, is it 'easier' to crack than one that hasn't changed at all?!
 
Upvote
-6 (0 / -6)

FreeDemo

Well-known member
787
> The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy.

Uncovered from where? The transformations may work if you already knew the previous password before its change. If you didn't already know, there is no way you can get by using the transformations to crack it. Oh, yes, there is hacking software to help. But that's another story.

This article is talking about employees within a corporation, FTC. Corporations have IT. When suspected targets are employees of a company, the police or the hackers never need to crack that employee's password to get his files; they usually get the root from the IT. "Dude, hand it over, or your career is over." That means when the police have the root they have the master key to wherever they wanted to be. Am I right?
 
Upvote
-7 (0 / -7)

libove

Seniorius Lurkius
2
I'm surprised that nobody has added the proviso that the advice to change passwords with some regularity is good IFF the users use a password vault program. (I happen to like LastPass, but there are several good ones).

We have so many passwords today that we need to be giving the advice to use a password vault program in any and every case; the requirement to change passwords from time to time is far from the principal problem, and the use of a vault program resolves both the change=forgot problem and many other problems with passwords (harder to phish as the vault programs are better at detecting close-but-no-cigar domain names, much less likely to cause lockout, can't be forgotten so reduces help desk calls, ...).
 
Upvote
0 (0 / 0)

kleshas

Ars Tribunus Angusticlavius
7,973
Surely the issue here is that PEOPLE aren't choosing a new password based on standard best practices, and NOT that changing passwords often is insecure.
Best practices being "use a tool like Keepass to create random passwords" and of course it's at least more secure to change passwords 'often'.

edit: I see at least a couple of others have made the same point.
 
Upvote
-9 (1 / -10)

Oelph

Ars Tribunus Militum
2,659
CESG in the UK published guidance last year advising against regular password rotation. All you end up doing is forcing users to substitute one weak password (usually the weakest the rules allow) with another weak password.

We are going to abolish password rotation but not before providing a tool which helps staff create a good password.
 
Upvote
0 (1 / -1)

Kazper

Ars Praefectus
4,287
Subscriptor
Hap said:
> I have about 20 accounts at work, one account is the worst by far for me having to request resets.
>
> - changes every thirty days
> - can't use the last 12 previously used passwords
> - no dictionary words
> - no sequential number sequences
> - no more than 2 of the same character in a row
> - writing it down is a firing offense
> - locks account on third incorrect attempt, requires a call to service desk to unlock
> - minimum of 20 characters
> - 1 Capital letter, 1 number, 1 special character minimum
> - common keyboard patterns are blocked
>
> Now I realize that a lot of these are good requirements, BUT because I have so many to remember, I can't create an easy to remember sequence, and I can't document it anywhere, and I use this account 2-3 times a week. I lock it all the time. It's impossible to remember as it's effectively random.

A1!b2"c3#d4¤e5%f6&g7/
A1!b2"c3#d4¤e5%f6&g7/1
A1!b2"c3#d4¤e5%f6&g7/2
A1!b2"c3#d4¤e5%f6&g7/3
A1!b2"c3#d4¤e5%f6&g7/4
A1!b2"c3#d4¤e5%f6&g7/5
A1!b2"c3#d4¤e5%f6&g7/6
A1!b2"c3#d4¤e5%f6&g7/7
A1!b2"c3#d4¤e5%f6&g7/8
A1!b2"c3#d4¤e5%f6&g7/9

Hopelessly insecure, but fulfills the criteria, I think. Otherwise adapt slightly. There is no password policy that cannot be subverted by users when you make it hard for them to do their work.

kleshas said:
> Surely the issue here is that PEOPLE aren't choosing a new password based on standard best practices, and NOT that changing passwords often is insecure.
> Best practices being "use a tool like Keepass to create random passwords" and of course it's at least more secure to change passwords 'often'.
>
> edit: I see at least a couple of others have made the same point.

And they are all being downvoted for the same reason. You try using Keepass to log into AD and other strange services at work. It will either not work, or be a firing offense. The problem is the system - not the people/users.
 
Upvote
4 (5 / -1)
I know someone that works at a bank.

You can guess most of their passwords by knowing how long they have been there.

They are forced to change monthly.

If you increment the number on the end by the number of months, voilà. That's the password.

The first part is often a slight variation on the same thing, but that's the default password policy at fault there.
 
Upvote
-1 (0 / -1)

althaz

Ars Praefectus
5,712
Subscriptor
TheRealMrRobot said:
> The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.
>
> Not sure if I'm missing something here but does this actually suggest that not changing passwords is safer? Unless I'm misreading something; it sounds like their algorithm is able to accurately guess a transformed password using the original password. In that scenario, a user not changing their password would allow it to be accurately guessed 100% of the time.

It's pointing out that requiring frequent password changes does nothing to improve security - it has at best no and more commonly an adverse effect on security. The point of changing passwords is to limit the damage of a password being discovered. This shows that this doesn't happen, the only effect is that passwords become much weaker.

TheRealMrRobot said:
> Also, as a sidenote; if you were able to properly change your passwords regularly and remember them (so no post it notes and no similar passwords) would it actually be any more secure than using the same original password?

If this were possible (which it is not), then yes, of course.
 
Upvote
0 (1 / -1)

cbreak

Ars Praefectus
5,971
Subscriptor++
Hap said:
> I have about 20 accounts at work, one account is the worst by far for me having to request resets.
>
> - changes every thirty days

That's braindead!

> - can't use the last 12 previously used passwords
> - no dictionary words

That's totally reasonable

> - no sequential number sequences
> - no more than 2 of the same character in a row

That's braindead :(

> - writing it down is a firing offense

That's somewhat braindead. Writing it down in a password manager is reasonable, on a postit note is extremely stupid.

> - locks account on third incorrect attempt, requires a call to service desk to unlock

That's reasonable.

> - minimum of 20 characters

That's more than reasonable.

> - 1 Capital letter, 1 number, 1 special character minimum
> - common keyboard patterns are blocked

That's quite reasonable.

> Now I realize that a lot of these are good requirements, BUT because I have so many to remember, I can't create an easy to remember sequence, and I can't document it anywhere, and I use this account 2-3 times a week. I lock it all the time. It's impossible to remember as it's effectively random.

-> Password manager.
 
Upvote
-6 (1 / -7)
gavinhungry said:
> Which to me means that my current and previous passwords are all being stored, somewhere, in plaintext.

One would hope that the sites store hashes, but organisations that ask for a subset of chrs from one's pw clearly don't! Verified by Visa (a curse on their houses - absurd pw length/content rules) is one.
 
Upvote
0 (0 / 0)

Bombus

Smack-Fu Master, in training
69
mngerhold said:
> gavinhungry said:
> > Which to me means that my current and previous passwords are all being stored, somewhere, in plaintext.
>
> One would hope that the sites store hashes, but organisations that ask for a subset of chrs from one's pw clearly don't! Verified by Visa (a curse on their houses - absurd pw length/content rules) is one.

Verified by Visa is an embarrassing security black hole - given its one and only actual purpose is to secure your visa card in online transactions, the lack of password security is incredible (from memory: 8 character *upper* limit, no special characters)
 
Upvote
0 (0 / 0)
lint gravy said:
> > The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered.
>
> This reasoning needs a good deal more explaining. How does requiring password changes at a given maximum interval address this threat?
>
> And it doesn't explain why, for example, some online financial institutions try to get you to do it.
>
> Edit: Really? Downvoting a request for a more detailed explanation? When someone in turn provides that information in response, everyone reading benefits. Yet some people seem to consider asking questions harmful.

Best guess is that changing the password presents a shifting target that's harder to guess or crack offline when done correctly; the problem is that it's never done correctly :/
 
Upvote
0 (0 / 0)

pmds25

Smack-Fu Master, in training
93
Mandating password changes often doesn't bother me. I use a password manager (not going to name it for fear of evoking a brand war). All my passwords are now 20 characters of random made-up characters (letters, numbers and symbols) and unique to each site - less on stupid sites that have a low maximum length.

It took me around half a day to change all my passwords but now I feel it's worth it - for the time it will surely save for when, inevitably, some site I used has a database leak, and I have to change *one* password.
 
Upvote
0 (0 / 0)

LostAlone

Ars Scholae Palatinae
1,113
kleshas said:
> Surely the issue here is that PEOPLE aren't choosing a new password based on standard best practices, and NOT that changing passwords often is insecure.
> Best practices being "use a tool like Keepass to create random passwords" and of course it's at least more secure to change passwords 'often'.
>
> edit: I see at least a couple of others have made the same point.

I agree that password managers are in theory a better idea but in practice they sort of aren't.

The problem is that using randomly generated passwords means that no users will actually remember their passwords. At all. If you work somewhere where passwords are only used to log in then that's probably not too terrible but most places with a genuine need for security require you to log in every time you sit down and that means a lot of lost time as people fumble to find their password instead of simply typing it.

Also password managers just move the problem. Everything depends on the weakest link. If the person has, say, a weak, easy password on their phone to secure their password manager then it doesn't matter how good the passwords it generates are. It just becomes a more sophisticated version of writing it on a post-it note. Access to the post it is the weak link.

Honestly the big problem here is that businesses are cheaping out. It doesn't directly cost money to implement stupid password rules and they want to feel like they are doing something. But if you actually want security in this day and age then you need a two factor system that combines passwords with a physical object. And that's expensive and real ballache for IT because they have to deal with lost cards. But that's how you make a secure system. Anything less is just security theater.
 
Upvote
-3 (0 / -3)

sqrt(-1)

Ars Scholae Palatinae
617
Subscriptor++
System: You must change your password and it can't be any of the previous 10.
Me: Change to "BadPassword0"
Me: Change to "BadPassword1"
Me: Change to "BadPassword2"
Me: Change to "BadPassword3"
Me: Change to "BadPassword4"
Me: Change to "BadPassword5"
Me: Change to "BadPassword6"
Me: Change to "BadPassword7"
Me: Change to "BadPassword8"
Me: Change to "BadPassword9"
Me: Change back to original password (which was strong).

Fortunately the system didn't check for similarities, nor did it prohibit changing the password too frequently.
 
Upvote
4 (5 / -1)
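The rotation sqrt(-1) describes above, and berrardo's earlier point that the software lets people get away with minor changes to the same old password, both come down to a missing similarity check at change time. The validator below is an added example (not code from the article or from any commenter): it reduces a password to its "core" before comparing, keeps history only as salted hashes of that core, and replays the BadPassword0..9 rotation to show each step being refused. The leet table, the edit-distance threshold and the history length are assumptions.

```python
"""Password-change validator that rejects the small tweaks the thread keeps
describing: a digit appended or incremented, a case swap, a leet swap, or a
password already in the recent history. Added example; the leet table, the
edit-distance threshold and the history length are assumptions."""
import hashlib
import os
import string

# Assumed reversal table for common letter-to-symbol substitutions.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "!": "i", "5": "s", "7": "t"})
STRIP_CHARS = string.digits + string.punctuation + string.whitespace
MAX_EDIT_DISTANCE = 2  # assumption: up to 2 edits still counts as "the same"
HISTORY_LEN = 12       # assumption: how many past password cores are kept


def core(password: str) -> str:
    """Reduce a password to the part users keep between rotations: lower-case,
    drop leading/trailing digits and punctuation, undo leet substitutions."""
    stripped = password.lower().strip(STRIP_CHARS)
    # An all-digit/all-symbol password would strip to "", so keep it whole.
    return (stripped or password.lower()).translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete and substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_transform(old: str, new: str) -> bool:
    """True when `new` is a predictable tweak of `old`."""
    if core(old) == core(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= MAX_EDIT_DISTANCE


def core_digest(password: str, salt: bytes) -> str:
    """Salted hash of the core, so history never holds plaintext (use a slow KDF in production)."""
    return hashlib.sha256(salt + core(password).encode()).hexdigest()


class PasswordHistory:
    """Per-user record of recent password cores, stored only as salted hashes."""

    def __init__(self, salt: bytes = b""):
        self.salt = salt or os.urandom(16)
        self.digests = []

    def check_change(self, current: str, new: str) -> tuple:
        """Validate a requested change; returns (accepted, reason)."""
        if is_trivial_transform(current, new):
            return False, "new password is a small tweak of the current one"
        if core_digest(new, self.salt) in self.digests:
            return False, "new password matches one of the last %d cores" % HISTORY_LEN
        return True, "ok"

    def commit(self, password: str) -> None:
        """Record an accepted password's core and trim the window."""
        self.digests.append(core_digest(password, self.salt))
        self.digests = self.digests[-HISTORY_LEN:]


def demo() -> list:
    """Replay the rotation from the post above (BadPassword0..9, then back to
    the original) against the validator; returns (current, candidate, accepted)."""
    hist = PasswordHistory(salt=b"constructed-salt")
    original = "Tr0ub4dor&3"  # constructed starting password
    hist.commit(original)
    current, results = original, []
    for i in range(10):
        candidate = "BadPassword%d" % i
        accepted, _ = hist.check_change(current, candidate)
        results.append((current, candidate, accepted))
        if accepted:
            hist.commit(candidate)
            current = candidate
    accepted, _ = hist.check_change(current, original)
    results.append((current, original, accepted))
    return results
```

Only the first step of the replay is accepted; every increment is refused as a tweak of the current password, and the final return to the original is refused because its core is still in the history window.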

infected

Ars Tribunus Militum
2,338
I worked for an insurance company just after I left school [Norwich Union Direct - since been swallowed up and rebranded]

Their username/password policy was:

"The password is your extension number, the username is [initial] [surname] - if that doesn't work, try [surname2]"

We had all the PII you could imagine, we also took cc details and had access to them on file from then on.

It was years later it struck me just how bad that really was.
 
Upvote
0 (0 / 0)

mmiller7

Ars Legatus Legionis
12,401
AM16 said:
> That can and should be mitigated by crypto based card authentication.
>
> It costs money, it's a hassle to manage and implement at first and every upgrade, but it makes it so much easier and secure.

Except then they go and require long, complex passwords on the crypto-card to keep IT secure. So now you have a smartcard-token with a password-sticky on it.
 
Upvote
0 (0 / 0)

mmiller7

Ars Legatus Legionis
12,401
I always love a good complex password policy. It's the most effective when the user has to generate so many new passwords with varying attributes that you can't remember which one it finally accepted when it does.

Yes, I've had this happen to me.

Here are some good ones I've run into...which get stacked on top of the usual "15+ characters with 2 from each of the 4 categories" nonsense.
-No numbers/punctuation at end
-No capital letter at beginning
-No repeating characters (e.g. "ss" and "pp" in Mississippi)
-No more than 2 consecutive letters in anything in your profile (e.g. TheStupidRules is too close to my first name Matthew)
-Not allowing more than 2 consecutive letters substring from previous X passwords (also implying they keep old ones in readable form)
-Can't reuse last 30 passwords (really?)
-No dictionary words longer than 4 letters (e.g. TheStupidRules)
-Can't be "predictable" (I'm not even sure what this means, nor did the helpdesk know - but the computer sure rejected it)
-Nothing that looks like a date or year (e.g. any 4-digit sequence of number looks like a year)
-Has to meet complexity and length...but only validates first 8 characters for complexity
-Has to be "exactly" any specific number of characters (8 seems popular)
-Can't be longer than <some length> (then make the text field shorter?)
-No special characters (letters/numbers only)
-Can't have certain special characters (space, backtick, ampersand, asterisk, exclamation, equals)...not sure I understand this unless they are asking the user to please sanitize their own inputs and it makes me want to use Little Bobby Tables as my password
-Requiring the user to select a machine-generated password from a displayed list which are supposedly all pronounceable but look like gibberish to me (e.g. Fah-Jun-Sah)

This is good too... http://www.netfunny.com/rhf/jokes/92q3/selpass.html
 
Upvote
2 (2 / 0)

mmiller7

Ars Legatus Legionis
12,401
althaz said:
> lux113 said:
> > My passwords effectively look like nothing but random letter number symbol sequences. No words at all. I think that's as safe as it gets.
> >
> > It's not that difficult to remember a pattern like that when it's between 12 and 16 digits. And yes, I use the patterns for changing the password suggested in the article, otherwise there'd be no possibility of remembering them with our constant pass changes.
>
> If you use a pattern to pick random characters...then they aren't random. They are probably also not hard to crack. You have to remember that a dictionary attack doesn't use the Oxford dictionary, it uses a *password* dictionary. So you've picked a password system that's hard for humans to understand, but likely trivial for a computer to crack.
>
> Relevant XKCD: password_strength.png
>
> Disclaimer: Don't use "Correct Battery Horse Staple" as a password - but *DO* use something like it. Computers still can't crack five-six random words strung together and might not be able to in the next decade (provided you use good words of course - "staple" is a pretty good one).

Except one minor issue, most systems now use a dictionary (as in a very big list of words from the Oxford dictionary) as the "you can't use this" substring validation list. That means you have a much smaller set of words/phrases you can use. Otherwise I'd agree with you - phrases are much more complex than "passwords" are. This also fails when you have a system that can't cope with more than like 8 characters and requires high complexity (yes, these STILL exist)

So in the end, people end up doing some stupid formula to change it and defeating the rules making a bad password such as "the current month followed by the current year, with a period breaking it every 2 letters and numbers to defeat anti-date validation". That would work for a LOT of systems but I wouldn't call it secure by any means.

EDIT: Bummer, we can't use "spoiler" tags to collapse big chunks in posts anymore?
 
Upvote
-1 (0 / -1)
As an alarm tech, you are working on passcodes all day. What I adopted is a pattern password system that is easy to remember, fast to type in, easy to expand on, and can be written down in plain sight.

For example wT7b would be password wsxdrew typed in as a triangle using 7 keys with b as a wildcard. If I say it is 9 keys, then I know it is a larger triangle. But you can write it out any way that is easy for you to remember.

Although this is a very simple triangle pattern just to demonstrate, you can use Z, N, W, or any pattern you want. And because it is a sequence of characters rather than words, common password guessing is eliminated. It is not the do-all for all applications, but it is helpful in many.
 
Upvote
-1 (0 / -1)

mmiller7

Ars Legatus Legionis
12,401
Riffa said:
> As an alarm tech, you are working on passcodes all day. What I adopted is a pattern password system that is easy to remember, fast to type in, easy to expand on, and can be written down in plain sight.
>
> For example wT7b would be password wsxdrew typed in as a triangle using 7 keys with b as a wildcard. If I say it is 9 keys, then I know it is a larger triangle. But you can write it out any way that is easy for you to remember.
>
> Although this is a very simple triangle pattern just to demonstrate, you can use Z, N, W, or any pattern you want. And because it is a sequence of characters rather than words, common password guessing is eliminated. It is not the do-all for all applications, but it is helpful in many.

Had to look at my desk phone to figure that one out.

The term I've heard for that is "keyboard walking"...it's specifically banned in our passwords and if they notice someone doing that when setting a password at the helpdesk they are supposed to make you change it again. Some systems are even smart enough to prohibit more than 2 consecutive adjacent buttons when validating a password.

That's similar to stuff like "QAZxsw" which is a "U" shape going down from the letter Q and back up to the W on a normal keyboard.
 
Upvote
0 (0 / 0)
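The adjacency check described above ("no more than 2 consecutive adjacent buttons"), as an added example that is not code from any commenter or from any product: it maps each key to a (row, column) position on an assumed US QWERTY layout, treats keys within one step of each other as adjacent, and reports the longest run of adjacent keystrokes, which flags both "wsxdrew" and "QAZxsw". The layout and the run threshold are assumptions.

```python
"""Keyboard-walk detector for patterns like "wsxdrew" and "QAZxsw".
Added example; the US QWERTY layout and the run threshold are assumptions."""

# Unshifted US QWERTY rows, top to bottom. The physical stagger between rows
# is approximated by calling any two keys within one step in both axes adjacent.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
# Shifted symbols resolve to the physical key they live on ("!" -> "1", etc.).
SHIFTED = dict(zip("~!@#$%^&*()_+{}|:\"<>?", "`1234567890-=[]\\;',./"))
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
MAX_RUN = 2  # assumption: the "no more than 2 consecutive adjacent keys" rule


def key_pos(ch: str):
    """(row, col) of the physical key for a character, or None if not on the map."""
    ch = ch.lower()
    return POS.get(SHIFTED.get(ch, ch))


def adjacent(a: str, b: str) -> bool:
    """True when two characters sit on distinct, neighbouring physical keys."""
    pa, pb = key_pos(a), key_pos(b)
    if pa is None or pb is None or pa == pb:
        return False  # unknown key or the same key pressed twice breaks a walk
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def longest_walk(password: str) -> int:
    """Length of the longest substring whose consecutive keys are all adjacent."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def has_keyboard_walk(password: str, max_run: int = MAX_RUN) -> bool:
    """Policy check: reject when a run of adjacent keys exceeds max_run."""
    return longest_walk(password) > max_run
```

Note that ordinary alphabetical runs such as "cdefg" also sit on neighbouring keys, so a strict threshold of 2 rejects more than the obvious "qwerty" shapes.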