I’m seeing a lot of traffic about a story in the Boston Globe, since taken up elsewhere, suggesting that changing passwords is “a waste of time”. Well, the study by Cormac Herley doesn’t exactly say that, and I suggest that you read the actual study to see what it does say. It’s well worth reading and makes some excellent points, though it’s not a particularly new paper, and some of the points it makes are much older.
Should you stop changing passwords? Well, you probably don’t have much choice, in general. You should certainly use strong passwords, where possible (some systems actively work against you in that respect, by only accepting limited password options). Randy Abrams and I wrote a paper for ESET last year that discussed some password strategies, and one of the points made there was:
“It’s sometimes useful to consider whether frequent changes are really necessary or desirable. After all, if you’re encouraging the use of good password selection and resistance to social engineering attacks, and making it difficult for an attacker to use unlimited login attempts, a good password should remain a safe password for quite a while.”
I don’t think that the “change passwords every thirty days” mantra has been as universally enthused over by security specialists as the Globe suggests. System administrators (not always the same thing as security specialists) do often enforce such measures, of course. But while I was working on some notes for a journalist today on social engineering, I came across this quote in a paper I presented at EICAR in 1998. (I’ll have to put that paper up somewhere: it’s actually not bad, and not particularly outdated.)
“Documented research into social engineering hasn’t kept pace with dialogue between practitioners, let alone with real-world threats. Of course password stealing is important, but it’s [also] important not to think of social engineering as being concerned exclusively with ways of saying “Open, sesame…..”
Even within this very limited area, there is scope for mistrusting received wisdom. No-one doubts the importance of secure passwords in most computing environments, though the efficacy of passwording as a long-term solution to user authentication could be the basis of a lively discussion. Still, that’s what most systems rely on. It’s accepted that frequent password changes make it harder for an intruder to guess a given user’s password. However, they also make it harder for the user to remember his/her password. He/she is thus encouraged to attempt subversive strategies such as:
- changing a password by some easily guessed technique such as adding 1, 2, 3 etc. to the password they had before the latest enforced change.
- changing a password several times in succession so that the password history expires, allowing them to revert to a previously held password.
- using the same password on several systems and changing them all at the same time so as to cut down on the number of passwords they need to remember.
- aides-memoire such as PostIts, notes in the purse, wallet or personal organizer, biro on the back of the wrist…..
How much data is there which ‘validates’ ‘known truths’ like “frequent password changes make it harder for an intruder to guess a given user’s password”? Do we need to examine such ‘received wisdom’ more closely?”
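The first two workarounds in that list (bumping a numeric suffix, and burning through throwaway passwords until the history check forgets the old favourite) are easy to model, and doing so shows why a history-of-N rule on its own does nothing to stop them. The following is an added example written for this page, not code from the original post, from the EICAR paper or from any real policy engine: the `Policy`, `Account` and `change_password` names are my own toy constructs, the “Summer2009”/“scratch-…” passwords are constructed sample inputs, and the `min_age_days` control (refusing a second change within a minimum interval, which is the usual counter to history cycling) is a standard measure I have added here, not something the quoted paper discusses.

```python
"""
Toy model of a password-rotation policy and two user workarounds against it:
  1. changing "Summer2009" to "Summer2010" (numeric suffix + 1), and
  2. cycling through N throwaway passwords so a history-of-N check forgets
     the favourite, then setting the favourite again.
Constructed example only; the policy and account classes are hypothetical.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    history_depth: int = 5        # remember the last N passwords (current one included)
    min_age_days: int = 0         # 0 = no minimum age; this is the gap strategy 2 exploits
    reject_increments: bool = True


@dataclass
class Account:
    history: list = field(default_factory=list)  # every password ever set, current one last
    last_change_day: int = 0

    @property
    def password(self) -> str:
        return self.history[-1]


_SUFFIX = re.compile(r"^(.*?)(\d+)$")  # non-greedy stem, then trailing digits


def is_increment_of(new: str, old: str) -> bool:
    """True if `new` is `old` with its trailing number bumped by one,
    or `old` with a '0' or '1' appended (strategy 1 in the quoted list)."""
    m_new = _SUFFIX.match(new)
    if not m_new:
        return False
    stem, digits = m_new.groups()
    m_old = _SUFFIX.match(old)
    if m_old and m_old.group(1) == stem:
        return int(digits) == int(m_old.group(2)) + 1
    return old == stem and int(digits) in (0, 1)


def change_password(acct: Account, new: str, policy: Policy, today: int) -> bool:
    """Apply the policy. Returns True and records the change, or False if rejected."""
    if today - acct.last_change_day < policy.min_age_days:
        return False                                  # too soon since the last change
    if new in acct.history[-policy.history_depth:]:
        return False                                  # still inside the remembered window
    if policy.reject_increments and is_increment_of(new, acct.password):
        return False                                  # trivial "+1" transformation
    acct.history.append(new)
    acct.last_change_day = today
    return True


def cycle_history(acct: Account, policy: Policy, favourite: str, today: int) -> bool:
    """Strategy 2: set history_depth throwaway passwords in a row, then try to
    reinstate `favourite`. Returns True if the policy let the favourite back in."""
    for i in range(policy.history_depth):
        if not change_password(acct, f"scratch-{chr(ord('a') + i)}", policy, today):
            return False                              # a minimum age stops the cycling here
    return change_password(acct, favourite, policy, today)


if __name__ == "__main__":
    weak = Policy(history_depth=5, min_age_days=0)
    acct = Account(history=["Summer2009"])
    print("Summer2009 -> Summer2010 accepted?",
          change_password(acct, "Summer2010", weak, today=30))      # False (increment)
    print("favourite reinstated via cycling (no min age)?",
          cycle_history(acct, weak, "Summer2009", today=30))        # True
    hardened = Policy(history_depth=5, min_age_days=1)
    acct2 = Account(history=["Summer2009"])
    print("favourite reinstated via cycling (min age 1 day)?",
          cycle_history(acct2, hardened, "Summer2009", today=30))   # False
```

The point the model makes is the one the quoted paragraph hints at: a history check measures only what the user has used before, so it is defeated by any user willing to type a few junk passwords in a row, and the increment check catches only the laziest transformation. Neither control addresses the underlying problem that the user is being asked to remember more than is reasonable.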
Nor do I claim that those thoughts were particularly original: luminaries like Gene Spafford and Bruce Schneier have made similar observations. That doesn’t mean you should accept uncritically what they, or I, say. But it’s always worth wondering if received wisdom is really wise.
And as Neil Rubenking points out, an attacker isn’t going to waste time on trying to crack your password with brute force if he can trick you into telling it to him, or into running a keylogger. Which takes me right back to that social engineering paper… [Update: now available at http://smallbluegreenblog.wordpress.com/2010/04/16/re-floating-the-titanic-social-engineering-paper/]
David Harley FBCS CITP CISSP
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence
Small Blue-Green World