Password Expiration Policies and Why I Don’t Like Them…
TL;DR:
> People just keep making different versions of the same weak password.
> Fix it by generating random passwords, using 2FA, and using a password manager.
What is it:
A password expiration policy is an organizational rule that the password protecting your company's data must be changed after N days. The threshold is typically 90 days, sometimes less; I have never seen it set longer than 90. At one point this was the industry standard. It began to fall out of favor a few years back, and for good reason.
Why did they think it would work?
The logic was, and in theory still is, that if login credentials fell into the wrong hands they would not stay valid for long: the attacker is chasing a moving target. Keep in mind that this policy is more than a decade old. At the time, the working assumption was that an attacker who had obtained a stolen password (or its hash) would need about 90 days to crack it, so forcing a change every 90 days was meant to invalidate the password before the cracking finished. That hardened into the lazy habit of making everyone rotate every 90 days. Also, in an enterprise setting you enter your password into so many systems, some of them outside your company's control, that it could have been captured during any one of those logins.
Why it failed:
A few factors contributed to this policy falling out of favor. First, technology moves fast: the cracking hardware and leaked-password lists available today make a 90-day estimate from ten years ago meaningless, and in general a defense that worked five years ago often has a well-known bypass now. Second, businesses move very slowly, painfully so. When a weakness is known, companies often put off dealing with it as long as they can, until the rubber hits the road, and then scramble to put out the fire, when a ten-minute meeting with a security professional on best practices would have avoided it. Lastly, the main reason this policy does not work: humans. People are lazy, and I do not mean that unkindly, but for most of them, going through the proper steps to create a strong password is not high on the list of priorities, especially when they know there is an IT team to lean on if things go wrong.
In theory, password expiration does not sound half bad. But end users are humans, and humans are bad at random. It does not matter what the task is; people are bad at selecting anything at random, and it does not matter how intelligent they are, the brain has already decided what it wants. Say Dwight at his paper company has to change his password on day 90. His original password was IL0v3B33T5! (Dwight is obsessed with beets; he even has a beet farm). He wants a new password that is easy to remember and also strong, but it is not a priority for him, so he just appends a number or special character to the old one. Dwight's new password is now IL0v3B33T5!#, and the fortress is secure. Except that it is no better than the first one: the old password is probably sitting in a leaked-credential dump somewhere, and appending a symbol is exactly the kind of permutation that cracking tools derive from a known base word before trying anything else. Dwight should generate his passwords with software, such as the generator built into a password manager, but if I were a betting man I would put $250 on Dwight sticking with a similar password.
How do we get around this?
Ideally, in 2023, we should be moving away from this model. It had its time and needs to be laid to rest for good. The replacement is a randomly generated, strong password used together with 2FA of your choice. The tools used to implement these will vary with the business and the products it chooses. But one thing is certain: unless there is a known breach, passwords do not need to expire.
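As an added example (not part of the original post), this is the job a password manager's generator does for you, written in Python against the `secrets` module so every character comes from the OS CSPRNG rather than from a human. The entropy figure is what makes a generated password different from a rotated one: a 20-character draw from the 94 printable ASCII characters is about 131 bits, versus the few dozen guesses a mangled variant of a known password takes. The attacker guess rate fed to `years_to_crack` is an assumed input for illustration, not a measurement.

```python
import math
import secrets
import string

# 94 printable ASCII characters, excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG, then
    rejection-sample until all four classes appear so the result also
    satisfies the usual complexity rules. Rejection keeps the output
    uniform over the accepted set; forcing 'one from each class' into
    fixed positions would not."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform draws from an
    alphabet of `alphabet_size`. Only meaningful for generated passwords;
    a human-chosen password of the same length has far fewer effective bits."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: half the keyspace
    divided by the attacker's guess rate. The rate is an input, not a claim."""
    return (2 ** (bits - 1)) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(pw, f"{bits:.1f} bits")
    # Assumed attacker rate of 1e12 guesses/s against a fast hash; change it
    # to whatever your own threat model says.
    print(f"expected time to crack: ~{years_to_crack(bits, 1e12):.3g} years")
```

The generator is the part a password manager gets right and a human does not; the manager then stores the result so nobody has to remember it, and 2FA covers the case where the password still leaks through one of the many systems it is typed into.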
If I were going to recommend enterprise tools for these jobs, they would be any of the following: