Changing Passwords… maybe not so good.
For a long time, I have been an advocate of periodic password changes. That is about to change. I have been in the security industry for nearly 18 years. Changing passwords on a regular basis is something we are all used to doing, and something we hear a lot about. But I am now seeing a pattern in password behavior and it is not really a good thing.
There are many policies that govern what an acceptable password should consist of, such as, upper and lower case letter, numbers, and in many cases, an extended character. When users are forced to change passwords frequently, people tend to choose passwords that are easy to remember and this converts directly to passwords that are easy to guess and subsequently compromise. Those that utilize passwords for extended periods of time (years) tend to have very complex, large, passwords as opposed to their counterparts. Not to mention, the stricter the password policy, the higher the rate of subversion towards the policy. For instance, monthly password changes translate directly to: simple passwords, passwords re-use where only one character changes, or passwords being written down and stored in insecure locations around desks or cubicles, etc. (Example: MyPassword1& will probably be replaced by MyPassword2& and next quarter will become MyPassword3&).
With this in mind, why do we frequently change passwords?
I am sure we will all agree, in the simplest of terms if a password is compromised by an attacker they now have access to your network as long as your password is valid. Thus, changing your password on a regular basis will eventually thwart this attack, correct? And once the password is changed, the attacker will no longer have access. Now let’s look at this in depth.
The problem with this, is that it is assumed that the attacker is passive attacker or an eavesdropper and that never alert you they are there. They sniff, view, and collect data what you are doing for an extended period of time. Actually, what really happens in the vast majority of attacks or compromises is that the attacker is far from being passive. If a bank account is compromised, funds are transferred immediately, same with credit cards or identity theft. In this scenario, changing your password periodically is not going to be of any benefit what-so-ever. And technically speaking, you are going to change your password immediately after a breach has occurred anyway.
Passive attacks usually occur in corporate environments, where being stealthy is a requirement. But this type of attack is not very likely to rely stolen or compromised credentials. Most attacks may start that way, but in most cases backdoors will be installed, and additional accounts will usually be created by the attacker for their own use during the length of the compromise. Once again, forcing periodic password changes is not so important. If a breach is detected, everyone will change their passwords anyway, once the attacker is found and removed.
So, if changing your password periodically is of no real benefit, and if a compromised account will result in the immediate change of a password. And while frequent password changes have a direct correlation to weaker passwords over time. Then why do we continue to do it?
If you are dead set on frequent password changes, and much better method of obfuscation would be to create a multi-tier security model.
Create three email accounts. Each with its own level of security.
Tier 1: Trusted Financial Matters with a strong complex password
Tier 2: Family, Trusted Friends, Less Trusted Financial Institutions, with a different strong password
Tier 3: Social Networks, Risky Online Merchants, New or Unknown People with yet a different strong password.
If your social network (tier 3) is compromised, your family, friends and financial accounts (tiers 1 & 2)are still secure. Likewise, if a financial institution leaks data, the remaining tiers are secure.
When it comes to password complexity, the longer the better is the general rule to live by. Keep in mind passwords made up of upper, lower, numbers and symbols are difficult to remember. Systems that support long passwords, passphrases are preferable.