It’s that dreaded time again: your password has expired! So, what do you do? You come up with a new password, but that’s not as easy as it sounds. You have to make sure it has one lowercase letter, one uppercase letter, a number, and a special character. It has to be at least 8 characters long! Oh, and it can’t be one that you’ve used in the past few months!
As a result, here is an 8-character password I made up to meet these standards: “[email protected]#1”. Pretty good, right? Well, I am never going to remember this… So, I am going to write it down on a sticky note and hide it under my keyboard, where nobody would ever expect a password to be kept…
A couple of things have happened here. I have an 8-character password that is NEARLY IMPOSSIBLE to remember accurately, and now I am unwittingly encouraged to write it down. Further, why should I bother memorizing something that is just going to change in another 30 days?
Frustrated with this experience, I decided to do a little research and find out who came up with the expiration policy that we all accept as best practice. What I came across was interesting! The rules trace back to Bill Burr, a manager at NIST, who in 2003 wrote Appendix A of NIST Special Publication 800-63: the guidance that recommended character-composition rules and periodic password changes, and which became the template for countless corporate policies. By his own account he had little real data on how people actually choose and use passwords when he wrote it. Why do I bring up Bill Burr specifically? Because in a 2017 interview with The Wall Street Journal he said he regrets much of that guidance, that it is bad policy, and that he hopes everyone will forgive him for all the time we’ve wasted! NIST itself has since agreed: the 2017 revision, SP 800-63B, drops the composition rules and says verifiers should not require passwords to be changed arbitrarily or periodically, only when there is evidence of compromise. #ForgiveBillBurr
So, Bill Burr has apologized, but then what is the correct way to handle passwords and their expirations?
First, let me introduce the concept of password haystacks (the name comes from Steve Gibson’s Password Haystacks calculator at GRC, and the figures below match its offline fast attack scenario of 100 billion guesses per second). The idea is that you want your password to be as hard to find as a needle in a haystack: an attacker who has to try every possible string of your password’s length, over every character it might contain, should face a haystack too large to search. The password I mentioned earlier, “[email protected]#1”, would take an offline attacker about 19 hours to search exhaustively. That isn’t very good considering how hard I worked on it! Now, let’s try something else: a longer password that is easier to remember but still unpredictable. I’m going to look around the room and choose four random objects as my password, “2CoinsMarkerLaptopNapkin”. This easy-to-remember, 24-character password would take 33.64 billion trillion centuries to search exhaustively in the same offline attack scenario! One caveat: that figure measures brute force only. It is the length that does the work here, not the mix of character types, and the real strength depends on how unpredictable the choice of words was, which is the next point.
Second, the next concept is unpredictability, which is what “complexity” rules were clumsily trying to buy. What you’ll notice I did with “2CoinsMarkerLaptopNapkin” was introduce some randomness: the words have no connection to each other or to me. A password that is a common phrase may be easily guessed. I’m a big fan of Star Wars, so even though “MayTheForceBeWithYou” is technically long, it is almost certainly in a password-cracking dictionary, and cracking tools routinely combine dictionary words, so the attacker is not searching the full haystack at all. Further, someone who knows me (even a little) may simply guess it. With that in mind, we must make sure there is still genuine randomness in how the passphrase is chosen: pick the words from something the attacker cannot predict, not from your interests.
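To put numbers on both of these points, here is an added example (my own illustration, not code from the original post or from GRC) that sizes the haystack for a password the way the calculator does, and then sizes the much smaller space an attacker searches when they know the password is a few dictionary words. The 100 billion guesses per second matches the offline scenario quoted above; the 10,000-word list and the casing and leading-digit variants are assumptions about how a word-combination attack would be set up; and `Abcdef1!` is a constructed stand-in with the same length and character classes as the 8-character password above.

```python
"""Haystack sizing for the two passwords discussed above.

Added example, not code from the original post or from GRC. The guess rate is the
offline scenario the figures above use (100 billion guesses per second); the
10,000-word list and the casing and leading-digit variants in the combinator
estimate are assumptions about how a word-based attack would be set up.
"""
import math
import string

# Four character classes. Space is counted with the symbols so that a password that
# uses all four classes draws from the 95 printable ASCII characters.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
OFFLINE_FAST_RATE = 1e11                 # guesses per second (assumption, see above)
SECONDS_PER_CENTURY = 100 * 365.25 * 86400


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive attacker must assume, given which classes appear."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Anything outside the four classes (non-ASCII, say) adds one symbol each.
    size += len({c for c in password if not any(c in cls for cls in CLASSES)})
    return size


def haystack_search_space(password: str) -> int:
    """Every string of length 1..len(password) over that alphabet: the haystack to search."""
    n = alphabet_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def combinator_search_space(num_words: int, wordlist_size: int = 10_000,
                            casings_per_word: int = 3, prefix_choices: int = 11) -> int:
    """Candidates for an attacker who knows the password is num_words list words,
    each lower/Capitalised/UPPER, with an optional single leading digit (10 digits + none)."""
    return (wordlist_size * casings_per_word) ** num_words * prefix_choices


def seconds_to_exhaust(candidates: int, rate: float = OFFLINE_FAST_RATE) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate


def bits(candidates: int) -> float:
    """Search space expressed in bits, the unit most password research uses."""
    return math.log2(candidates)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("centuries", SECONDS_PER_CENTURY), ("years", 365.25 * 86400),
                       ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    # "Abcdef1!" is a constructed stand-in with the same length and character
    # classes as the 8-character password from the post.
    for pw in ("Abcdef1!", "2CoinsMarkerLaptopNapkin"):
        space = haystack_search_space(pw)
        print(f"{pw:28} alphabet={alphabet_size(pw):3} {bits(space):6.1f} bits "
              f"brute force: {humanize(seconds_to_exhaust(space))}")
    # The same passphrase, seen by an attacker who knows it is four words and a digit.
    comb = combinator_search_space(4)
    print(f"{'4 words + digit (combinator)':28} {'':12} {bits(comb):6.1f} bits "
          f"word attack: {humanize(seconds_to_exhaust(comb))}")
```

Running it prints about 18.6 hours for the 8-character stand-in and roughly 3×10^22 centuries for the 24-character passphrase, but only a few years for the four-words-plus-digit model of that same passphrase. The passphrase is still clearly stronger than the short password (about 63 bits against 53), yet its strength comes from how unpredictably the words were chosen, not from the 143-bit brute-force figure, which is exactly why a well-known phrase of the same length is a poor choice.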
Third is the subject of expiration. Why does a good password ever need to expire? There are a few reasons, and they all center on carelessness and reuse. Some people use the same password for everything! The password they use to share the latest cat videos is the one on their bank account, so when the cat-video site is breached the bank account goes with it. This is why you need security education for your users centered on passwords, and why your login system should check new passwords against lists of known-breached passwords (NIST SP 800-63B now recommends exactly that). Back to the question: when should a good password expire? Theoretically, if used responsibly, never! A good, unique password never needs to be changed unless you have reason to believe it has been exposed. However, life happens… So, I suggest one year for a good password. Beyond that, I suggest a reward system for your users based on length: a 20+ character password is good for one year, 16-19 characters for six months, 12-15 for three months, and 8-11 for 30 days. The 8-11 tier requires symbols, mixed case and numbers, and as the password gets longer the required character classes are relaxed, until the 20+ tier allows any characters you wish. This incentivizes longer passwords and can be implemented with some third-party software. It is known as the Stanford model, after the tiered password policy Stanford University adopted for its own accounts.
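Here is what that tiered policy looks like in code, as an added example (my own, not Stanford’s policy engine or software from the original post). The lengths and expiry periods are the ones proposed above; exactly which character class is dropped at each step is my assumption, since the text only says the requirements relax with length; and the known-bad list is a tiny constructed sample standing in for a real breached-password corpus.

```python
"""Length-tiered password policy of the kind described above.

Added example, not the original post's code or Stanford's own software. Tier
lengths and expiry periods are the ones proposed above; which character class is
relaxed at each step is an assumption; KNOWN_BAD is a constructed sample standing
in for a real breached-password corpus.
"""
import datetime
import string
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Tier:
    min_len: int
    max_len: Optional[int]          # None means no upper bound
    expiry_days: int
    required_classes: FrozenSet[str]


# Longer passwords buy a longer life and fewer composition rules (assumed relaxation order).
TIERS = (
    Tier(8, 11, 30, frozenset({"lower", "upper", "digit", "symbol"})),
    Tier(12, 15, 90, frozenset({"lower", "upper", "digit"})),
    Tier(16, 19, 180, frozenset({"lower", "upper"})),
    Tier(20, None, 365, frozenset()),
)

CLASS_SETS: Dict[str, FrozenSet[str]] = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}

# Constructed stand-in for a breached/common-password list. A real deployment would
# check against a full corpus, compared case-insensitively as here.
KNOWN_BAD = frozenset({
    "password", "letmein123", "maytheforcebewithyou", "correcthorsebatterystaple",
})


def character_classes(password: str) -> FrozenSet[str]:
    """Names of the character classes that appear in the password."""
    return frozenset(name for name, chars in CLASS_SETS.items()
                     if any(c in chars for c in password))


def tier_for(password: str) -> Optional[Tier]:
    """The tier a password of this length falls into, or None if it is too short."""
    n = len(password)
    for tier in TIERS:
        if n >= tier.min_len and (tier.max_len is None or n <= tier.max_len):
            return tier
    return None


def evaluate(password: str) -> Dict[str, object]:
    """Apply the policy: returns acceptance, expiry in days and every reason for rejection."""
    reasons: List[str] = []
    tier = tier_for(password)
    if tier is None:
        reasons.append("shorter than the 8-character minimum")
    else:
        missing = tier.required_classes - character_classes(password)
        if missing:
            reasons.append(f"a {len(password)}-character password needs {sorted(missing)}")
    if password.lower() in KNOWN_BAD:
        reasons.append("appears on the known-bad password list")
    accepted = not reasons
    return {
        "accepted": accepted,
        "expiry_days": tier.expiry_days if (tier and accepted) else None,
        "reasons": reasons,
    }


def expires_on(password: str, set_on: str) -> Optional[str]:
    """ISO date on which a password set on `set_on` (ISO date) expires, or None if rejected."""
    result = evaluate(password)
    if not result["accepted"]:
        return None
    start = datetime.date.fromisoformat(set_on)
    return (start + datetime.timedelta(days=result["expiry_days"])).isoformat()


if __name__ == "__main__":
    for pw in ("Abcdef1!", "Abcdefgh", "Abcdefghijkl1", "2CoinsMarkerLaptopNapkin",
               "MayTheForceBeWithYou", "correcthorsebatterystaple"):
        r = evaluate(pw)
        verdict = f"expires in {r['expiry_days']} days" if r["accepted"] else "; ".join(r["reasons"])
        print(f"{pw:26} {verdict}")
```

Note that `MayTheForceBeWithYou` and `correcthorsebatterystaple` are long enough for the 20+ tier and would pass its (empty) composition rules, but are rejected by the known-bad check; that check is what enforces the second point above, and it is the one piece a length-only policy cannot do without.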
Although this has been a discussion about passwords, I think it is important to say what makes good login security. Good security combines something you know (a password), something you have (a phone with an authenticator app, or a hardware key), and something you are (your fingerprint). Those three factors together make a much better security model than a password alone, and even adding one more factor puts far more in the attacker’s way than any password rule does: a guessed password is no longer enough on its own.
So, as it turns out, through years of misinformation we have created passwords that are hard for humans to remember and type but easy for computers to guess. I hope the above information is helpful to your organization and I encourage you to reach out if you have any questions.
If you need help educating your users SkyHelm has a broad range of security experts ready to assist your group with interactive and fun security training. We tailor our information to specific departments as well as general audiences. SkyHelm will also partner with you to develop and deploy a security strategy that fits your needs.