The life of a small- or mid-sized business’s IT manager certainly would never be described as “easy.” These are the people you’ve charged with keeping the company’s computer systems running and secure.
It’s a tough job. So please forgive them for how they’ve decided, and how you’ve allowed them, to set up your company’s password policy.
Why? Because it’s pretty likely that the password policy they recommended actually puts you at greater risk.
What makes an effective password policy? Generally speaking the formula has been pretty consistent over the past decade-plus:
“Create strong passwords, change them frequently, and keep them unique – never duplicate.”
Strong Passwords = Better Security
Unfortunately, the definition of a “strong” password has been far less consistent during that time. It depends on what you’re talking about – strong passwords mean decidedly different things on your smartphone than on your online banking accounts. It even depends on who you’re talking to – the definition itself varies considerably depending on who you ask, even among cybersecurity experts.
Fortunately, there has been a relatively consistent framework that most IT professionals have adopted (or recommended) in business cybersecurity policies. Most experts agree that a strong password has five primary elements:
1) Complexity – more than just a simple word;
2) Character Variation – made up of a combination of letters (upper & lower case), numbers, and symbols;
3) Length – at least 12 characters (some researchers suggest that length is actually more important than complexity, and many are now suggesting 14-15 characters);
4) Unique – you’re not using it elsewhere and you haven’t used it before; and
5) Recent – changed frequently.
Pretty simple, right? Just make that your company’s policy for all passwords your employees use, and you have a strong password policy. Right?
In theory, this is a great idea.
In a perfect world, all of your employees would follow this policy as though they were experienced IT professionals, clearly understanding the risk and appreciating the added protection strong passwords provide.
You minimize the risks inherent in sharing of passwords by your employees (which happens a LOT), and credentials of former employees are quickly rendered useless after their departure.
Your new password policy in place, you can’t help but feel more secure.
You whisper to yourself: “Feel that? That’s cybersecurity.”
You think about what makes it more secure.
Smart people talk about passwords, and the new policy makes something that’s inconvenient – using complex passwords – even more inconvenient. The more inconvenient, the more secure, right?
This is when you start to wake up from the dream…
You can’t shake the feeling that this is all like taking your shoes off at airport security.
As long as you don’t think about it, you might not realize it’s all for show – addressing a problem that no longer exists and was probably an overreaction to a statistically insignificant event.
Your employees are human.
In the real world, not all of your employees are trained IT professionals. They’re simply not going to follow your password policies with the same enthusiasm.
By constantly requiring your employees to come up with new passwords, you’ve actually undermined your whole password policy, and dramatically reduced the effectiveness of your overall cybersecurity program.
Why? Because people are people. Just like you.
Requiring Employees to Change Passwords Regularly Weakens Your Overall Cybersecurity.
I’ve argued for years that requiring employees to regularly create new passwords was more than just another annoyance: it led to cutting corners and likely to violating other important cybersecurity policies.
Turns out, my gut was right. Creating long, complex passwords every 90 days requires a lot more brain power than people are willing to apply.
Rules requiring these complex, ever-changing passwords changed passwords from something most people accepted as a minor-but-worthwhile annoyance into something everyone hated.
The result = passive resistance:
1. Knowing that passwords will be changed in the near future, users put less effort into complexity, and thus are less likely to use strong passwords to begin with.
2. Even when users come up with complex passwords, when forced to change the password regularly, users slightly modify the original password, minimizing the effectiveness of the change.
It’s called “transformation”: a simple change to the password that usually involves a predictable change to one or more characters. Hackers have figured these out! The number 1 looks like an exclamation point (!) or a capital I. Their programs account for that, so no more changing the letter S to $.
3. Users create new passwords that include familiar words, phrases, or names – usually ones that are easy to social engineer with public information.
4. Users are more tempted to re-use passwords, and find ways to do so even where systems have been designed to limit such behavior (by, for example, reusing the same password for a different login). Re-use of passwords in an era of huge data dumps of hacked credentials means any password re-use is a threat to your company’s cybersecurity. (Hackers have lists of previously used passwords, called “Rainbow Tables,” and rest assured, they contain most of the passwords you currently use.)
5. As passwords that are both complex and regularly changed are difficult, if not impossible, to remember, users may write down passwords at their desk or leave passwords in an unencrypted file.
The Human Factor
If you forget about the human factor in your cybersecurity equation, you’ve put your company at risk.
As you can see, a cybersecurity policy compelling your employees to regularly update complex passwords limits the effectiveness of your password policy and leaves you less secure. Moreover, by ignoring human nature, you may be indirectly causing your employees to violate other important security policies as well.
Why? Because people are people.
Science Agrees – Your Password Policy is Compromised
Still not convinced? Well, how about some science?
“Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.”
“The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit—probably not enough to offset the inconvenience to users.”
A study at the University of North Carolina (Go Heels!) has more details:
“By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like “tarheels#1”, for instance (excluding the quotation marks) frequently became “tArheels#1” after the first change, “taRheels#1” on the second change and so on. Or it might be changed to “tarheels#11” on the first change and “tarheels#111” on the second. Another common technique was to substitute a digit to make it “tarheels#2”, “tarheels#3”, and so on.”
As FTC Chief Technologist—and Carnegie Mellon computer science professor—Lorrie Cranor notes:
“[People] tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
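The transformations quoted above are regular enough that a password-change form can recognize them. The sketch below is an added example, not code from any of the studies cited here: it compares the current and proposed passwords as typed on the form and reports which pattern links them. The function names, the extra look-alike pairs, and the two thresholds are assumptions made for illustration.

```python
import difflib
import re

# Look-alike swaps: S->$ and 1/!/I come from the article; the rest are
# assumptions added for this example.
LOOKALIKES = str.maketrans({"$": "s", "!": "i", "1": "i", "@": "a", "0": "o", "3": "e"})
MIN_CORE = 4          # ignore cores too short to be meaningful (assumed value)
NEAR_DUP_RATIO = 0.8  # similarity threshold for a "small edit" (assumed value)


def skeleton(pw: str) -> str:
    """Lower-case the password and undo look-alike substitutions."""
    return pw.lower().translate(LOOKALIKES)


def core(pw: str) -> str:
    """Drop leading/trailing digits and symbols, then fold what remains."""
    return skeleton(re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower()))


def transformation(old: str, new: str):
    """Return why `new` is a predictable rewrite of `old`, or None.

    Both values are the plaintexts the user types on the change form
    (current + new); nothing here requires storing old passwords.
    """
    if old == new:
        return "identical"
    if skeleton(old) == skeleton(new):
        return "case or look-alike substitution"
    if len(core(old)) >= MIN_CORE and core(old) == core(new):
        return "digits/symbols added, removed, incremented or moved"
    ratio = difflib.SequenceMatcher(None, skeleton(old), skeleton(new)).ratio()
    if ratio >= NEAR_DUP_RATIO:
        return "small edit of the previous password"
    return None


if __name__ == "__main__":
    # Constructed samples built from the patterns quoted in the article.
    for candidate in ["tArheels#1", "tarheels#11", "tarheels#2", "tarheel$#1",
                      "1#tarheels", "tarheel$#22", "violet-anchor-moped-19"]:
        print(f"{candidate!r:28} -> {transformation('tarheels#1', candidate)}")
```

Every variant from the studies is flagged, while the unrelated passphrase passes. A forced rotation that produces "tarheels#2" buys essentially nothing over leaving "tarheels#1" in place.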
Even the National Institute of Standards and Technology (“NIST”) has recently updated its recommendations on password policies, based on the premise that the old standards, which emphasized regularly changing passwords, were based on outdated concerns:
The majority of hacks today don’t involve guessing a password. Instead, hackers use keystroke loggers, phishing attacks, and social engineering to get passwords. More critically, there have been so many major breaches involving huge lists of passwords, hackers are able to simply consult those massive lists, called “Rainbow Tables,” to find the passwords you’ve previously used.
NIST previously explained in a 2009 publication on enterprise password management that while password expiration mechanisms can be “beneficial for reducing the impact of some password compromises,” they are “ineffective for others” and “often a source of frustration to users.” (Emphasis mine)
I can’t possibly put it better than XKCD did in this comic:
Remember that! People accept that they need to use passwords, but that doesn’t mean they like it. Let’s not make it worse.
For more on the new NIST standards, check out this article.
Your Password Policy needs to be about more than helping you feel more secure.
But wait, you think to yourself, if my IT people have known about all of this – that requiring password changes was essentially ineffective, and potentially even dangerous – why haven’t they told me to change things?
Well, it turns out IT managers aren’t immune from external pressure and the need to appear strong. According to FTC Chief Technologist Cranor:
“People have told me, ‘If I were to do something that looks like I was watering down my organization’s security policy,’ people are going to say, ‘Why are you going soft on security here?’ You never have to explain why you’re making things more secure… Removing that requirement would require a lot of explanation.”
Don’t Go Crazy, Changing Passwords Still Has its Place
This is not to say that changing passwords is always a bad idea. Remember, there is a reason why changing passwords became a part of the “strong password” rules in the first place: in certain circumstances, it’s 100% necessary.
Here’s a helpful list of times when you SHOULD require employees to change passwords:
- Passwords were stolen;
- Passwords were shared, even within your office;
- You have reason to believe an account(s) has been compromised; and/or
- An employee leaves the company (even if not disgruntled – unused login credentials left on your system are a popular entry point for intruders).
When done right, changing passwords is necessary for proper cybersecurity. Just not on a more-frequently-than-yearly basis, absent one of the circumstances I just described.
Now, armed with the facts, it’s time for you to go and update your password policy and make your employees happier.
At the same time.
Strange reality, huh?