Thursday, September 27, 2012

Password Expiration

One common bit of advice with respect to security is to require frequent password changes.  This "best practice" has persisted for decades despite some prominent criticism.  But, is password expiration actually helpful or not?

Are there benefits?

Password expiration has a negligible effect on limiting or preventing malicious behavior.  The ability to steal passwords often implies privileged access to your systems or network.  If the attacker has administrator rights, access to the password database or the ability to sniff traffic on your network, he can install a backdoor or continuously steal passwords in order to avoid the expiration window.  That’s assuming he even needs continued access to accomplish his goal.  If the attacker only needs short-term access, which is often the case, password expiration is irrelevant.

In what circumstances will expiring an account password actually stop an attacker?  What threat model does password expiration protect against?  One possibility is that an attacker wants to steal credentials so that he can resell them (e.g. passwords from a banking website).  With a short expiration (e.g. 60 days), the value of the passwords would depreciate quickly and some of the passwords might expire before the buyer is able to make use of them.  But, this assumes some disorganization on the part of the buyer or seller.  If the seller is able to pass the data on quickly and the buyer is organized and ready, the expiration will have a very minimal impact on their operation.

Another (almost) positive case for password expiration is to limit damage where a single password has been compromised using some method that doesn't provide another avenue for continued access by the attacker.  For instance, a user might have shared his password with another user against company policy.  Forcing password expiration would ensure some limit on the time period over which the second user could share the account.  But, password expiration is a pretty poor way to combat this.  There is nothing preventing the user from sharing his password a second time or preventing the second user from doing damage before the password expires.  The better approach is to hold users responsible for their own accounts.  Users are less likely to share passwords if they know that their account activity is logged/tracked and that they are liable.

In other cases, there is even less of a benefit.  If the attacker just wants to steal the data on your systems, the passwords are only relevant to the extent that they help him get to the data.  Once he has the data, the passwords don’t matter.  If he wants to use the passwords to break into other sites, he doesn’t care about the expiration policy at your site.  If the attacker wants to deface your website or use your network to launch an attack against someone else, he probably doesn’t plan on having long-term access.  If the attacker wants to maintain access to the system--and inexplicably has no other way of maintaining his access--he only needs to re-steal the passwords about once a month with a 60-day expiration window.

Even when we have a situation where expiration is potentially helpful, it may not help.  About 41% of the time, an attacker can crack a password in just a few seconds if he knows a user's previous password.  Keeping password histories to enforce non-reuse makes this worse: an attacker who obtains the history gets exactly those previous passwords.

So password expiration helps to limit the time frame in which an attacker can do damage after discovering a single password when the user is not one of the 41% whose passwords are easily predictable based on previous passwords and when the attacker also has no way to discover additional passwords, gain administrator rights, or otherwise secure further access to the system.  That's a pretty narrow benefit.

Negative consequences

It gets worse.  Frequent password expiration encourages users to pick weaker passwords and/or write them down*.  That means we have to weigh any potential benefit from password expiration against the negative consequences of poorer password selection and management.  If the user writes his password down and stores it in an insecure location, it is vulnerable to any local attacker (e.g. malicious insiders).

Using the NIST guidelines for password strength, every character of a password has at least one bit of entropy.  If a user picks a password that is even one character shorter than he would have with a longer-term password, the time to crack that password is, at the minimum, cut in half.  The NIST guidelines are pretty conservative.  If users select passwords that are more random, then the consequence of weaker password selection due to expiration is greater.  Removing a random character from a password makes that password dozens of times easier to crack.  Reducing the character set is similar or worse.  If a user picks passwords in some predictable sequence or pattern to cope with the burden of expiration, his password selection may be thousands or millions of times weaker.
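Both problems above (a new password that is a predictable transform of the previous one, and a new password that is shorter or drawn from a smaller character set) can be caught at the one moment a defender legitimately holds both values in the clear: when the user submits old and new password together to change it. The following is an added example, not code from the original post; the random-character entropy model, the 40-bit floor, the two-edit limit and the sample passwords are assumptions chosen for illustration.

```python
import math
import string

# Character classes for the entropy estimate.  The estimate assumes each
# character was drawn uniformly from the union of classes the password uses,
# which is an upper bound (the post's point is that user-chosen passwords
# are weaker than this, so a drop under this model is a drop at best).
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 symbols
)


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits under the random-character model."""
    charset = sum(size for chars, size in _CLASSES
                  if any(c in chars for c in password))
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def canonical(password: str) -> str:
    """Strip the decorations users bolt on to satisfy a forced change:
    leading/trailing digits and punctuation, and letter case.
    'Password1!' and 'Password2' both reduce to 'password'."""
    return password.strip(string.digits + string.punctuation).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_transform(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is the old one with a counter bumped,
    a symbol appended, case flipped, or at most `max_edits` characters
    changed (the Password1 -> Password2 pattern)."""
    if canonical(old) == canonical(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_edits


def evaluate_change(old: str, new: str, min_bits: float = 40.0) -> list:
    """Reasons to reject a password change; an empty list means accept.
    Assumed policy: no trivial transform of the previous password, at least
    `min_bits` of estimated entropy, and no weaker than the password replaced."""
    reasons = []
    if is_trivial_transform(old, new):
        reasons.append("new password is a trivial transform of the old one")
    new_bits = entropy_bits(new)
    if new_bits < min_bits:
        reasons.append(f"estimated entropy {new_bits:.1f} bits is below {min_bits}")
    if new_bits < entropy_bits(old):
        reasons.append("new password is weaker than the old one")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Password1", "Password2"),
                     ("Summer2012!", "Autumn2012!"),
                     ("correcthorsebattery", "Tr0ub4dor&3")]:
        verdict = evaluate_change(old, new) or ["accepted"]
        print(f"{old!r} -> {new!r}: {'; '.join(verdict)}")
```

The check compares the submitted old password only with the submitted new one, so it needs no stored history; it therefore does not create the "history file" an attacker could mine, which is the weakness the post raises against history-based non-reuse enforcement.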

Even without considering user frustration and support costs, expiration looks like a bad deal.

*Note: I'm not opposed to people writing passwords down or storing them.  I think that using a password manager or writing passwords down and storing them in a secure location is a positive thing if it helps people to choose better passwords and avoid reusing passwords.  But, this requires some education.  Most users who are writing passwords down because they find the expiration policy too onerous are likely to stick them in an unlocked drawer, under their keyboard, or on a post-it near their monitor; that's bad.


  1. Password expiration is definitely not the solution for malicious attempts, but you're overreacting with scrapping the need for the activity.

    Weak passwords and post-it notes with "unlock-it-all" passwords are an everyday threat that is mitigable - frequent scheduled/unscheduled audits and password complexity policies.

    More under question should be why this user, who has been compromised, HAD admin level access and where the hell were all the controls that should have raised a red alert.

  2. What problem do you think password expiration solves? Does the benefit outweigh the added support costs and the increased vulnerability from weaker password selection? We need to get away from blindly adhering to "best practices" and intuition and use a more rigorous analysis in deciding what security measures are appropriate.

    1. Password expiration lowers the chance for a user to use one password for everything - their gmail, personal blog, workspace etc. For their personal life - sure, go ahead, use password123 for everything, but that's solution in a corp environment.

      And troublesome weak passwords must be eliminated with appropriate password policies.

    2. Expiration can prevent/deter re-use, but it requires the system to maintain a password history which makes it easier for attackers to crack current passwords. Expiration also encourages users to pick weaker passwords and/or to use patterns such as Password1, Password2, etc.

      Complexity policies and user education would do a lot more to improve the state of security. If you need more, use two-factor authentication.

      My argument isn't that expiration provides no benefit, it's that the benefits don't come close to outweighing the costs and drawbacks.

    3. Holding users accountable for their accounts is way more administrative burden. Users forgetting their new passwords holds close to no maintenance; we have a 4K userbase here and it's just a matter of educating and not spoiling your users with easy ways out.

      Users choose the most absurd weak passwords regardless of whether there are (or not) password policies or password expirations; not expiring passwords definitely will not give you a positive change in used password complexity - been there, tried that.

    4. Appreciated the twitter comment exchange earlier and wanted to try to write out a longer response here.

      I don't disagree with your point that the benefits of password expiration are hard to measure. We can make some assumptions, like a guess that the vast majority of passwords changed through expiration were not being subjected to unauthorized use at the point at which they were changed. Either these passwords hadn't been exposed to capture or nobody was watching when they were. So in these cases there was no actual value delivered, only the costs associated with forcing changes.

      Building on that, the cases where passwords were captured and used before the password expired also show this control providing little value. This assumes that whatever the attacker wanted to do (e.g. steal data, steal money, install backdoor, etc.) was completed within their window of access. Again in these cases there was probably little value provided but we still experienced the costs of expiration.

      So the main cases where password expiration provides value are when the password is changed after it was exposed but before the attacker can carry out any of their nefarious activities, or at least the more damaging ones. This seems to mirror your line of thinking. Where we appear to differ is how often and under what circumstances this can happen.

      I would be hard pressed to provide any statistical data showing what percentage of potential attacks were thwarted because the password attempted had been changed due to a regularly scheduled expiration. There are certainly stories out there about password exploitation that happened because a password was still good after a year, or whatever other period of time had passed, but that's not hard data. I'm sure we'd both love to see a statistical timeline showing how long it takes on average from the capture of a password to the damaging use of that password. Unfortunately I don't think it's likely we'll find that data any time soon.

      I see it happen enough to justify reasonable (not shorter than 90 days) password expiration policies. Implementation of expiration controls should include user education on how to create unique and hard to guess passwords along with technical controls that enforce these guidelines. I don't believe that poorer password construction is a necessary result of more frequent password changes, even if it is more likely by default.

      You are right to question the value of these policies, but I think it is too soon to declare them worthless. This is an area that can use further research and measured testing by organizations implementing (or not implementing) password expiration.