Date: Thu, 21 Apr 2016 11:04:46 -0400
From: Matt Weir <cweir@...edu>
To: passwords@...ts.openwall.com
Subject: Re: Mandatory password changes - DIEDIEDIE!

My biggest issue with mandatory password change policies is that decision makers often use the wrong threat model when considering if it is worthwhile. The theory that mandatory password change policies help protect against an advanced adversary (what people typically think of as a hacker) is, as far as I can tell, unfounded. I don't think I need to go into this point in too much detail considering the current audience here, but if you are looking for published studies on how hard it is to crack passwords with a PW change policy in place, the following paper from the University of North Carolina is the gold standard:

https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf

As far as the opinion of industry experts / red team members goes, I'd recommend checking out any talk from Rick Redman. Here is a good example of that:

https://www.youtube.com/watch?v=5i_Im6JntPQ

While much more anecdotal, I've personally never talked to anyone performing penetration tests or in the password cracking community who said, "I would have broken into that system, but I was stopped by a password change policy". If anyone here has a story about password change policies being effective against hackers, I would be *highly* interested in hearing about it.

>> 2. COUNTER ARGUMENTS

So when it comes to pro arguments for password change policies there are two other ones I can think of, one of which I'll vouch for. First though, one that I'm not a huge fan of.

1) Mandatory password change policies can help protect sites from users who employ password reuse across multiple sites.

Users re-use passwords. This shouldn't be a controversial statement. Having a policy that users must use a unique password is also unenforceable. Yes, a site can add that in their EULA, but there's no way they can guarantee a user has a unique password without assigning one to the user. This is where password change policies come in. The thinking goes that by forcing the user to change their password, the site can eventually force a user to change their password to something else that isn't the same as other passwords they have used.

My biggest counterargument to this is that attackers have taken this into account when re-using stolen credentials against other sites. There was a great article about this that for the life of me I can't find, though if I do I'll go ahead and post it, that talks about variations of stolen passwords being used against accounts on a popular gaming server (I'm pretty sure it was RIFT). Long story short, there is some truth to this theory for making users change their passwords, but the protection provided is usually more limited than expected and the user frustration is high. A counter-argument could even be made that this encourages password re-use instead, since users are less likely to use a unique password if they have to change it.

2) Password change policies protect against insider threats and unskilled attackers

This is a reason that I do think is valid in certain settings. People share their passwords with co-workers. Sometimes their co-workers then abuse the access they have. Often the co-worker in question is not a skilled hacker. I can't point to any public data on this, but I have heard of multiple instances where attackers were detected based on them locking a legitimate user's account due to trying old passwords after the user changed their password. There are almost certainly even more instances where the attacker might not be detected, but due to the password change they can no longer carry out their attack. Now in this instance most of their "attacks" are along the lines of reading a colleague's e-mail, but still, that's something that's worth protecting against.

Due to that threat model I still think mandatory password changes have their place in a corporate environment. I'm not a huge fan of them for websites though. So this gets back to my original point that you need to have an accurate threat model in mind when designing these policies, and I suspect most policy makers are using the wrong threat model.

Matt

On Wed, Apr 20, 2016 at 4:43 PM, Per Thorsheim <per@...rsheim.net> wrote:
> *** BACKGROUND ***
>
> I have already told quite a few that I am gathering support for a joint
> statement during PasswordsCon @ BSidesLV in Las Vegas on August 2-3.
>
> The statement will simply be something like "stop changing passwords
> frequently".
>
> Frequently changing passwords may have worked 20-30 years ago, when most
> people only had one, or perhaps a handful of usernames and passwords.
> Today we have on average 25 (Norwegian survey presented at PasswordsCon
> Oslo, 2012), and we'll have even more in the future.
>
> We can no longer require users to have long & complex passwords, unique
> to every service & site, and additionally ask them to change them every
> 30-60-90 days. It creates more problems than it solves, it is annoying,
> counterproductive and may result in users deliberately breaking security
> policies in order to get their work done.
>
> I have said this for years.
>
> *** ARTICLES / RECOMMENDATIONS / RESEARCH ***
>
> In the fall of 2015 the British CESG, part of Britain's GCHQ, released
> new guidance on password security. Perhaps the biggest surprise was them
> changing their advice on regular password expiry. In this article from
> April 11, 2016, they give the short explanation why:
> https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry
>
> On March 2, 2016, Lorrie Faith Cranor at FTC (formerly at CMU) wrote
> this blog post where scientific research also says that mandatory
> password change isn't a good idea any more:
>
> https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
>
> I know there are tons more opinions, (academic) research, penetration
> test results etc. that show the exact same thing: mandatory password
> changes should die ASAP. It would be for the better for security AND for
> usability for all of us.
>
> I also know that I already have with me security professionals, hackers,
> researchers, companies and organisations on this, and if you do agree on
> this I'd like to have you onboard as well.
>
> *** HOW TO CONTRIBUTE ***
>
> 1. PRO ARGUMENTS
> If you have any kind of original statistics, research, well-written blog
> posts, visualisations or anything else that may contribute to this,
> please let me know. I would like to gather links and organize them into
> a nice FAQ.
>
> 2. COUNTER ARGUMENTS
> Just as important, I need to collect "all possible reasons" for WHY you
> or anyone else would like to continue enforcing mandatory password
> changes on a frequent basis, say once a year or more often. Please,
> don't reply with "compliance" or "law". We can and will change that,
> even though it may take some time to apply common sense globally.
>
> A reasonable argument could be a need to clean up a large user database,
> where login time/date info doesn't exist, or cannot be trusted. By
> setting a password expiry time/date, account administrators may identify
> unused accounts after a period of time for closer inspection,
> disablement and finally deletion.
>
> I will also try to gather as many of these counter arguments into a FAQ
> as well, with reasonable advice on why/not for as much as possible.
>
> ----
>
> Any other suggestions highly appreciated, this is work in progress!
>
> Best regards,
> Per Thorsheim
> Founder, passwordscon.org
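The detection Matt describes under point 2 (an insider who keeps trying the old shared password and ends up locking the legitimate user out) can be made explicit rather than left to the lockout counter: keep the retired hash, which password-history enforcement already requires, and classify a failed login that matches it as a "stale credential" event. The following is an added example, not code from Matt's post or from the list; the account store, PBKDF2 parameters, usernames and source addresses are all constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ITERATIONS = 100_000      # PBKDF2 work factor (demo value; tune for production)
LOCKOUT_THRESHOLD = 5     # generic bad-password lockout, as most directories do

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt per stored hash."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def matches(password: str, entry: Tuple[bytes, bytes]) -> bool:
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

@dataclass
class Account:
    current: Tuple[bytes, bytes]
    previous: Optional[Tuple[bytes, bytes]] = None  # retired by the last change
    failures: int = 0
    alerts: List[str] = field(default_factory=list)

def change_password(acct: Account, new_password: str) -> None:
    acct.previous, acct.current = acct.current, hash_password(new_password)
    acct.failures = 0

def login(acct: Account, user: str, password: str, src: str) -> str:
    """Authenticate; on failure, tell a typo apart from use of the retired password."""
    if matches(password, acct.current):
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= LOCKOUT_THRESHOLD:
        acct.alerts.append(f"LOCKOUT user={user} src={src}")
    # Matt's signal: a failure that matches the *retired* hash means whoever is at
    # `src` knew the old secret. Flag it on the first attempt, not at lockout.
    if acct.previous is not None and matches(password, acct.previous):
        acct.alerts.append(f"STALE_CREDENTIAL user={user} src={src}")
        return "stale"
    return "fail"

def run_demo() -> List[str]:
    # Constructed scenario: a colleague keeps using the old shared password.
    acct = Account(current=hash_password("Spring2016!"))
    results = [login(acct, "alice", "Spring2016!", "10.0.0.5")]  # owner, pre-change
    change_password(acct, "correct-horse-battery-staple")
    results += [login(acct, "alice", "Spring2016!", "10.0.0.77") for _ in range(2)]
    results.append(login(acct, "alice", "typo", "10.0.0.5"))  # owner mistypes once
    return results + acct.alerts
```

The extra cost is one additional PBKDF2 computation per failed login, and the alert carries the source address, which is what lets the legitimate user's typo (10.0.0.5) be separated from the stale attempts (10.0.0.77) well before the lockout threshold is reached.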