People sometimes question why we have a policy that requires people to change their passwords every six months. The question is often asked following publication of articles suggesting that abandoning password expiry should be considered. This blog entry explains the current position which has recently been reviewed and accepted by ISSG, the University group responsible for Information Security. We would also welcome comments on the subject.
The current policy
It is University policy to change passwords every six months. The policy has been enforced for staff for over six years and the processes for managing this underwent improvements and modifications two years ago. Some of the improvements were as a result of user feedback and others were to pave the way for rolling the process out to students; this process began at the start of the 2016/2017 academic year.
Why do we change passwords?
We have a steady stream of accounts where usernames and passwords have been stolen and used for a variety of criminal activities. Last year we detected 172 compromised accounts. In addition to these, there are probably more compromised accounts which we have not been successful in detecting.
As an IT security problem we have three broad types of issue surrounding stolen passwords to deal with
- Accounts that are are misused straight away in ways that are easy to detect.
- Accounts that are misused some time after they were compromised or used at an undetectable level for a considerable period of time before detection (approximately 25% of detected compromises).
- Accounts that are compromised and the compromises are not detected.
Periodic password changes are effective in significantly reducing the misuse in the second and third categories.
In addition to the reasons outlined above, there is a requirement to enforce periodic password changes by one major online journal supplier in order to access a large proportion of recent online academic journals. Such access is very important to the University.
NCSC are recommending no password changes, surely we should be following their advice?
The National Cyber Security Centre has been widely quoted as recommending that periodic password changes are not enforced. The idea first appeared in their publication “Password Guidance: Simplifying Your Approach”. This was widely reported when first published and more recently has been quoted in other blogs and press releases.
The problem is that only the headline advice is usually reported without looking into any of the detail. The full advice on the issue recommends not enforcing password changes but using “better” alternatives instead. In summary these are:
- Monitor logins to detect unusual use
- Notify users with details of attempted logins, successful or unsuccessful; users should report any for which they were not responsible
Monitoring for all types of unusual use in a University in a useful and comprehensive way represents something of a challenge in a diverse organisation the size of our University. This is not the type of organisation where the majority of people always login from the same place or following regular patterns or hours. There are some opportunities to spot some unusual use, but these are very limited.
The second suggestion in our opinion is unlikely to be effective in practice. There are some technical issues that make this difficult, but the idea of bombarding people with notifications every time their credentials are used does not seem to be a very practical one.
Most people would receive several notifications per day as their mobile devices connected to the University wifi, they logged into or unlocked their PCs and any time they used applications such as Canvas, or accessed journals that require logins. Faced with a large number of notifications per day, it is likely that these would be ignored; in these circumstances the occasional extra login would not be not spotted.
I suspect that this second suggestion would have a better chance of working in an environment where people logged in perhaps once or twice a day on a single system.
Faced then with the advice that we should use “better” alternatives which appear to be neither practical nor effective in a University environment, it does not seem sensible to abandon the periodic password changes.
Even if you could implement good alternatives you would still be faced with the issue of the undetected compromises.
The advice from the NCSC does offer many other useful suggestions to consider and it is likely that some of these will be implemented in some form over time.
Forced password changes may lead to weaker passwords
There is good research evidence to suggest that frequent forced password changes tend to lead to choice of weaker passwords. Whilst this is of some concern, in the current climate most (if not all) passwords are compromised by being stolen through use of phishing or malware. In these circumstances, some weakening of passwords used is an acceptable trade-off of risks as the strength of the password has no bearing on how likely it is to be stolen. However, we have done what we can to mitigate this side-effect of forced password changes.
The weakening of passwords does appear to be related to the frequency of change of passwords, so the University has chosen a relatively long period of time between password expiry.
We have started giving plenty of notice of a required password change (28 days with reminders). One of the main reported reasons that people chose weaker passwords is that with many systems they are asked to change the password at the time it expires. If people are put under pressure to decide on a new password immediately without time to think, poor password choices are more likely. With a relatively long timeframe, people have a chance to think about the new password without rushing into a change. An example of our notification is available here.
We do also have measures in place to make it difficult to crack passwords. One common technique is to us a “brute force” attack, trying hundreds of thousands of different passwords until one is found that works. Accounts are locked for a period of time after a relatively small number of failed attempts, making such techniques unlikely to succeed.
Two Factor Authentication
Two factor authentication will be increasingly used by the University over time. This requires a second form of authentication to access services and will lessen the impact of a password compromise for the services that will be protected by it. Whilst this is useful in offering a second layer of protection and hence much better security for the services that use it, it will be many years before this can be applied to all services. However, whatever the two forms of authentication are, it does not solve the underlying problem of compromised authentication credentials.
What about alternatives to passwords?
Convenient alternatives to passwords are being developed and when these become practical consideration will be given to deploying them. Many alternatives rely on biometrics (fingerprints, etc) or devices that generate passcodes.
Where practical and appropriate, alternatives to passwords are starting to be used. For example, fingerprints on mobiles devices that support them will be allowed optionally instead of passwords with the new mobile device email application, MobileIron, which will be replacing Good in the near future.
It is becoming fashionable to predict that the use of passwords is dying and that relatively soon we will be using alternatives. These predictions do overlook some of the advantages of passwords; they are cheap to implement and, unlike fingers and eyeballs, are easy to change if they become compromised.
It is, however, notoriously difficult to predict patterns of use in IT. People have been predicting the imminent death of the qwerty keyboard layout since I was a student. Many years later I am still waiting.
1 thought on “Password Policy”