Monday, October 11, 2010

Does expiring passwords really help security?

[Photo: "Change is Easy", originally uploaded by dawn_perry]
I've heard a lot of arguments as to why expiring passwords likely won't help. Here are a few:

  • It's easy to install malware on a machine, so the new password will be sniffed just like the old.
  • It costs more: frequent password changes result in more forgotten passwords and support desk calls.
  • It irritates users, who will then feel less motivated to implement other security measures.
  • Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...
And yet, many organizations continue to force regular password changes in order to improve security. But what if that's not what's really happening? Three researchers from the University of North Carolina at Chapel Hill have unveiled what they claim to be the first large-scale study on password expiration, and they found it wanting.

They focus especially on the idea that consecutive passwords will be related, and build a system that takes an old password and tries a variety of transforms on it, such as changing which letter is uppercase, duplicating letters/numbers/symbols, and even "leet" translation (e.g. raven becomes r@v3n). The implications of their results are fairly clear and potentially disturbing for those who thought password changing was providing extra security in the case of a breach:

  • With offline attacks: "On average, roughly 41% of passwords can be broken from an old password in under 3 seconds."
  • With online attacks: "An average of 13% of accounts can be broken (with certainty) in 5 online guesses, and 18% can be broken in 10 guesses."
  • "As we expand our consideration to other types of transform trees, we would not be surprised to see these success rates jump significantly."
In essence, they've shown that changing passwords doesn't provide nearly as much security as system designers had hoped, and they suggest we abandon the practice rather than continue to annoy users with a policy that has been shown to be ineffective.
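To make the "transform tree" idea concrete, here is an added example of my own (not the UNC researchers' system, whose transform set was much richer): a breadth-first search that derives candidate new passwords from an expired one using only the transforms mentioned above (moving the capital letter, doubling a character, leet substitution, and the password-Sep to password-Oct shortcut), chained up to two deep. The salted SHA-256 hash is an assumed stand-in for whatever the target system uses, and the sample passwords are constructed for illustration. A `max_guesses` limit models the online case with lockout; `None` models the offline case against a leaked hash.

```python
import hashlib
from typing import Iterator, List, Optional, Tuple

# Added example, not the UNC researchers' tool: a small "transform tree" search
# that derives candidate new passwords from an expired one. Only the transforms
# the post mentions are implemented; the real study used many more.

LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def month_variants(pw: str) -> List[str]:
    """password-Sep -> password-Oct: rotate a trailing month name forward."""
    out = []
    for idx, month in enumerate(MONTHS):
        if pw.lower().endswith(month.lower()):
            out.append(pw[:-3] + MONTHS[(idx + 1) % 12])
    return out


def leet_variants(pw: str) -> List[str]:
    """Each single leet substitution, then the fully substituted string (raven -> r@v3n)."""
    out = []
    for i, ch in enumerate(pw):
        sub = LEET.get(ch.lower())
        if sub:
            out.append(pw[:i] + sub + pw[i + 1:])
    out.append("".join(LEET.get(c, c) for c in pw.lower()))
    return out


def case_variants(pw: str) -> List[str]:
    """Move the single capital letter (Raven -> rAven, raVen, ...) plus all-lowercase."""
    base = pw.lower()
    out = [base[:i] + ch.upper() + base[i + 1:]
           for i, ch in enumerate(base) if ch.isalpha()]
    out.append(base)
    return out


def duplicate_variants(pw: str) -> List[str]:
    """Double one character (raven -> rraven, raaven, ...)."""
    return [pw[:i] + pw[i] + pw[i:] for i in range(len(pw))]


# Cheapest / most common shortcuts first; this order fixes the online guess count.
TRANSFORMS = (month_variants, leet_variants, case_variants, duplicate_variants)


def candidates(old_pw: str, depth: int = 2) -> Iterator[str]:
    """Breadth-first walk of the transform tree rooted at old_pw.

    All one-transform candidates are yielded before any two-transform ones,
    duplicates are suppressed, and the old password itself is never yielded.
    """
    seen = {old_pw}
    frontier = [old_pw]
    for _ in range(depth):
        next_frontier = []
        for parent in frontier:
            for transform in TRANSFORMS:
                for cand in transform(parent):
                    if cand not in seen:
                        seen.add(cand)
                        next_frontier.append(cand)
                        yield cand
        frontier = next_frontier


def hash_password(pw: str, salt: bytes) -> str:
    """Assumed stand-in for the target system's password hash (salted SHA-256)."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def crack_from_old(old_pw: str, salt: bytes, target_hash: str,
                   max_guesses: Optional[int] = None,
                   depth: int = 2) -> Tuple[Optional[str], int]:
    """Try transformed versions of old_pw against target_hash.

    max_guesses models an online lockout (cf. the paper's 5- and 10-guess
    figures); None models an offline attack on a leaked hash.
    Returns (recovered_password_or_None, guesses_used).
    """
    guesses = 0
    for cand in candidates(old_pw, depth):
        if max_guesses is not None and guesses >= max_guesses:
            break
        guesses += 1
        if hash_password(cand, salt) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # Constructed sample data: an expired password and the hash of its replacement.
    salt = b"constructed-salt"
    for old, new in [("raven", "r@v3n"), ("password-Sep", "password-Oct"),
                     ("raven", "ravvenn")]:
        found, n = crack_from_old(old, salt, hash_password(new, salt))
        print(f"{old!r} -> recovered {found!r} after {n} guesses")
```

With the ordering above, `password-Sep` to `password-Oct` falls on the very first guess and `raven` to `r@v3n` on the third, both well inside a 5-guess online lockout; `ravvenn` needs two chained transforms and is only reached once the guess budget is lifted, which is the offline case the paper's 41%-in-under-3-seconds figure describes.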


Eivind said...

It's worse than that, actually. Passwords are, generally speaking, obsolete. The recommended way of handling passwords is something like the following:

Pick passwords that are fairly long, and a good mix of letters and other symbols. Use different, unrelated passwords for each purpose. Do not write the passwords down. Change the passwords regularly.

The problem with this is that human beings are unable to do that. I certainly have more than 100 accounts of various types. I am not able to remember 100 unrelated, complex passwords at all, and asking me to change them all regularly is COMPLETELY out of the question.

Instead, most people use the same password everywhere, and never change it. If you're lucky, they MAY have 2-3 passwords and for example use one of them for job-related and another for private stuff.

It's only getting worse too; machines never get slower. You'll need about one more bit of real entropy in the password every year, just to maintain security. With passwords being non-random, this translates to adding one character to your password something like every 4 or 5 years.

Gr0w$hume- is probably an above-average password, but it's still a LONG way away from random. "grow" is an English word, and "hume" is an English-sounding word fragment.

If 8 characters, of a quality similar to the example above, provide reasonable security today (I actually question this, especially for offline attacks), are we going to insist on 9+ starting in 2015 and 10+ in 2019? Just how much of a hassle can you expect users to put up with, WITHOUT choosing more banal passwords to compensate?

And for how long can you claim that the user is the problem, since they're not following advice, when that advice is in practice IMPOSSIBLE for human beings to follow?

2-factor is the way to go. Google got it right. My debit card with a 4-digit PIN offers good security, because you need the PIN AND the physical card, which is a -huge- help against many attacks.

Terri Oda said...

While I totally appreciate your enthusiasm on the subject and hopefully some of my readers will appreciate your rundown of issues in password authentication... I should point out here that I do actually work for a research lab which includes a number of people working on cutting-edge alternative authentication techniques, the effects of password interference, and other issues in authentication and usable security. My own 100ish students took part in the first long term, large-scale study of graphical passwords in the passpoints style, and I get to hear a lot of cutting-edge (often not-yet-published) research through work.

So what I'm getting at is that explaining issues with password authentication to me actually borders on insultingly patronizing.

Likely you just weren't aware, or maybe you were misled by the tone of this blog since I use this blog as a place to describe research ideas for a wider audience. But yeah... you should skip the basic explanations and go right to "have you seen this new research?" in the future!

You might want to take a look at some of the publications that our research group has done on the subject if you're looking for starting points for discussion -- I think you'll find them very interesting.