If you have ever worked for an organization that uses Microsoft-based systems, there is a high likelihood that your IT or security team has implemented a policy that occasionally forces you to create a new password. Years ago it was every three months, then every two, and so on. This policy was heavily encouraged by Microsoft, but as of May of this year, they have reversed course.
According to this Microsoft post, there are two reasons for the shift, with the overarching theme being that only meeting the minimum for security best practices is a surefire approach to failure. And by setting defaults, it encourages organizations to follow practices that may not best meet their own needs.
“If it's a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn't that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days - and used to say 90 days - because forcing frequent expiration introduces its own problems. And if it's not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”
In short, Microsoft is saying that the default suggested time-based reset prompts for passwords are too long and when humans create passwords it creates a weak point.
“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don't believe it's worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.”
In response to this change we asked the PhishLabs team if they had any specific viewpoints on the matter, and they had some interesting feedback. In total, the team had wide-ranging support (or, at least, semi-support) for Microsoft's policy change, with a healthy amount of debate on each option.
Password Requirements Misused
It's time to create a new password. Your system requires the password to be eight characters long, use one special character, and at least one number. So what does the user put in place? Software Engineer Joshua Temple says it comes down to users going the easy route:
“Users don't understand the concept of a secure password - if you can remember it, it isn't secure. Most websites say ‘Must use one capital letter, special character and a number, and be eight characters long and do a little jingle’, and then the typical user uses Somewords1234! instead of 71bzcWcN^BJ91*uMO”
Temple suggests that if a user falls into the above category, it is a safe assumption they do not subscribe to the concept of two-factor authentication, and even worse, there is a high likelihood this individual is reusing said poor practices across multiple services. So, even if on the off chance they use a different password for a sensitive account, in some shape or form it is associated with a poorly secured account. One breach of an account owned by this ‘type’ of user leads to a waterfall of compromised services. Changing passwords on a routine basis is a great practice, but it is only as secure a practice as the password itself.
Password Reuse is Still The Biggest Risk
Formatting, length, and complexity play a large role in how secure a password can be.
“thisisasecurepasswordregardlessofifyouthinkitisornot is orders of magnitude more secure than 1jcC*sO8),” said Dylan Sachs, PhishLabs' Digital Risk Protection Product Manager. “Complexity (caps, symbols, etc) is a minor factor in determining how secure the password is, as 99.999% of brute force attempts are not some dude trying 1111111 then 1111112, etc. but someone trying a known password from a different site.”
No matter how secure a password is, if the user is going to reuse it in multiple places, this poses a large security risk. By enforcing a specific complexity in the password and having time-based password changes, it just encourages users to continue to reuse the password. This is similar in nature to what Microsoft said was a component in their removal of the policy.
“Unfortunately, corporations have a misguided perception that complexity (alpha + symbols) is the bees knees, because as humans, we see 9D02j*aos1@ as far more difficult than someoneistotallynotguessingthispassword and of course, once one thought leader says ‘We'Re DoInG iT tHiS wAy’, everyone else jumps on it as best practice.”
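To put numbers on Sachs' claim, here is a small added example (not code from the post or from PhishLabs) that estimates the search space of the two passwords he contrasts under three attacker models: naive brute force over the character classes, word-by-word guessing of the passphrase, and credential stuffing from a leaked list. The guessing rate of 1e10/s, the 10,000-word vocabulary and the 14-word segmentation of the passphrase are assumptions chosen for illustration.

```python
import math
import string

# The two passwords contrasted in the quote above.
PASSPHRASE = "thisisasecurepasswordregardlessofifyouthinkitisornot"
COMPLEX = "1jcC*sO8)"

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Bits to search if the attacker knows only the length and character classes."""
    return len(password) * math.log2(charset_size(password))


def word_model_bits(word_count: int, vocabulary_size: int) -> float:
    """Bits if the attacker guesses whole dictionary words (the realistic passphrase model)."""
    return word_count * math.log2(vocabulary_size)


def credential_stuffing_bits(leaked_list_size: int) -> float:
    """Work to try every entry of a leaked list once; effectively zero if the password is on it."""
    return math.log2(leaked_list_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the space at an assumed offline guessing rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare() -> dict:
    """Summarise the three models for both passwords; the passphrase is assumed to be 14 words."""
    return {
        "complex_brute_bits": brute_force_bits(COMPLEX),
        "passphrase_brute_bits": brute_force_bits(PASSPHRASE),
        "passphrase_word_model_bits": word_model_bits(14, 10_000),
        "stuffing_bits_1e9_list": credential_stuffing_bits(1_000_000_000),
    }


if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:28s} {bits:7.1f} bits  ~{years_to_exhaust(bits):.3g} years")
```

Even under the pessimistic word model the passphrase sits well over 100 bits above the nine-character complex password, while a stuffing attack with a billion-entry list costs under 30 bits no matter how the password looks, which is the point of the quote: reuse, not complexity, decides the outcome.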
The Need for Password Protected Authentication Devices
One alternative to writing passwords down on a Post-it note is using password wallets. These aren't particularly new, as browsers have, in some capacity, been able to store passwords on local machines for some time. Platforms like LastPass and PassPack secure passwords across devices, and some will even suggest strong, unique passwords, too. The shortfall here is that if someone gains access to your wallet, you're in big trouble. On top of this, the wallets are still not the most user friendly, so there could be resistance to adopting them.
According to one of our engineers, “until we near universally use password protected authentication devices (ed: 2FA) for our account logins, most people will not rely on password keeping apps.”
In the past year or two, though, there have been some advancements in this department with the YubiKey and Google Titan, but they are not without their own bugs and bumps. In order for these keys to work and for mass adoption of password keepers or wallets to occur, there are three pieces to the puzzle.
- Offer a secure token that can be lost/stolen without causing a total loss of security
- Accommodate users who won't type computer-generated passwords by hand from the storage on a device they carry (automatic fill vs. manual entry)
- People don't always log in from the same devices, so relying solely on password manager apps is risky if you need to get into an account while away from your regular devices
Unless there is some sort of token, a device that can go with you as easily as your house keys, strong computer-generated passwords and cloud storage systems may not take off because of the extra work they require.
Stop Using Your Brain
For most organizations there is a balance between ease of use and security, a hypothetical seesaw, which takes us to our final point of view, our IT lead, Shelby Baylis. While users may want to fly through logins and have everything easily accessible, organizations need to decide which end of the seesaw should hold the most weight. For a company like ours, Baylis posits that our organization should always tip on the side of stronger security.
Because of this, Baylis feels that, regardless of Microsoft's shift in policy, organizations should still use time-based prompts to force users to reset their passwords.
“Many will assume that a complex, memorable password is preferable to a regular interval. The solution is neither. Stop using your brains to create a password. Use a password manager whether it is a local one like KeePass or a cloud-based one like LastPass. Let them generate a 20+ character password for you and you just rely on your brain to change your master password on a regular basis.”
This is sound advice from someone who has to put up with actual users in a highly secure environment. Of course, our other engineer still holds a valid point regarding mass adoption by consumers, but enterprise organizations should draw a line in the sand and enforce whatever policy makes the most sense for their needs.
“A regular interval for a password change is important because if your account is ever compromised in a breach and we hear about it until after the fact, which is the case for most breaches, it is of no consequence because that password expired oodles ago since we have a password expiration policy. Stop trying to use your brain on generating passwords. Use the password manager and its built in generator,” said Baylis.
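The advice above, and the earlier point that reuse is the real risk, can be expressed as a small policy check. The following is an added example, not code from the post or from PhishLabs: it generates a 20+ character password from the OS CSPRNG the way a manager's built-in generator does, rejects anything that appears in a breach corpus using a hash-prefix lookup (the pattern used by range-query services, where only the first five hex characters of the SHA-1 would leave the client), and applies an expiration interval. The breach corpus here is a constructed three-entry stand-in, and the 20-character floor and 60-day interval are taken from the post's own figures.

```python
import hashlib
import secrets
import string
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a breach corpus: SHA-1 digests of passwords seen in leaks.
# A real corpus holds hundreds of millions of entries; the lookup shape is the same.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Somewords1234!", "password", "Summer2019!")
}


def generate_password(length: int = 24) -> str:
    """Generator-style password from the OS CSPRNG; refuses lengths below the 20-character floor."""
    if length < 20:
        raise ValueError("policy floor is 20 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def sha1_prefix_lookup(password: str, corpus: set) -> bool:
    """Range-style lookup: bucket the corpus by the 5-char prefix, then match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    bucket = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in bucket


def check_policy(password: str, corpus: set = BREACHED_SHA1, min_length: int = 20) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if sha1_prefix_lookup(password, corpus):
        problems.append("appears in breach corpus")
    return problems


def is_expired(set_on: date, today: date, max_age_days: int = 60) -> bool:
    """Time-based expiry as Baylis describes it; 60 days matches the baseline figure quoted earlier."""
    return today - set_on >= timedelta(days=max_age_days)


if __name__ == "__main__":
    print("Somewords1234! ->", check_policy("Somewords1234!"))
    fresh = generate_password()
    print(fresh, "->", check_policy(fresh))
    print("set 2019-01-01, checked 2019-03-02, expired:",
          is_expired(date(2019, 1, 1), date(2019, 3, 2)))
```

The breach check is the part that addresses reuse directly: a password that is long and random but already in a leak is rejected just as a short one is, whereas a generated 24-character password passes both tests. The expiry helper is kept separate so an organization that follows Microsoft's new baseline can simply not call it.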