The life of a small- or mid-sized business’s IT manager certainly would never be described as “easy.” These are the people you’ve charged with keeping the company’s computer systems running and secure.
It’s a tough job. So please forgive them for how they’ve decided, and how you’ve allowed them, to set up your company’s password policy.
Why? Because it’s pretty likely that the password policy they recommended actually puts you at greater risk.
What makes an effective password policy? Generally speaking the formula has been pretty consistent over the past decade-plus:
“Create strong passwords, change them frequently, and keep them unique – never duplicate.”
Strong Passwords = Better Security
Unfortunately, the definition of a “strong” password has been far less consistent during that time. It depends on what you’re talking about: a strong password means decidedly different things on your smartphone than in your online banking account. It even depends on who you ask, because the definition itself varies considerably from one expert to the next.
Fortunately, there has been a relatively consistent framework that most IT professionals have adopted (or recommended) in business cybersecurity policies. Most experts agree that a strong password has five primary elements:
1) Complexity – more than just a simple word;
2) Character Variation – a combination of letters (upper & lower case), numbers, and symbols;
3) Length – at least 12 characters (researchers suggest that length matters more than complexity, and many recommend a 16-character minimum);
4) Unique – you’re not using it elsewhere and you haven’t used it before; and
5) Recent – changed frequently.
In theory, this is a great idea.
In a perfect world, your employees would follow this policy as though they were experienced IT professionals, understanding the risk and appreciating the added protection strong passwords provide.
You minimize the risks inherent in employees sharing passwords (which happens a LOT), and the credentials of former employees are quickly rendered useless after they leave.
Your new password policy in place, you can’t help but feel more secure.
You whisper to yourself: “Feel that? That’s cybersecurity.”
You think about what makes it more secure.
Smart people talk about passwords, and the new policy makes something that’s inconvenient – using complex passwords – even more inconvenient. The more inconvenient, the more secure, right?
This is when you start to wake up from the dream…
You can’t shake the feeling that this is all like taking your shoes off at airport security.
As long as you don’t think about it, you might not realize it’s all for show – addressing a problem that no longer exists and was probably an overreaction to a statistically insignificant event.
Your employees are human.
In the real world, not all your employees are trained IT professionals. They’re simply not going to follow your password policies with the same enthusiasm.
By constantly requiring your employees to come up with new passwords, you’ve undermined your whole password policy, and dramatically reduced the effectiveness of your overall cybersecurity program.
Why? Because people are people. Just like you.
Requiring Employees to Change Passwords Regularly Weakens Your Overall Cybersecurity.
I’ve argued for years that requiring employees to regularly create new passwords led to cutting corners and likely violating other important cybersecurity policies.
Turns out, my gut was right. Creating long, complex passwords every 90 days requires a lot more brain power than people are willing to apply.
Rules requiring these complex, ever-changing passwords turned the password policy from an accepted minor-but-worthwhile annoyance into something everyone hated.
The result = passive resistance:
1. Knowing that passwords will be changed in the near future, users put less effort into complexity, and thus are less likely to use strong passwords to begin with.
2. Even when users come up with a complex password, a forced change usually produces a slight modification of the original, which defeats the purpose of changing it.
It’s called “transformation”: a predictable change to one or more characters of the old password. A letter is swapped for a look-alike digit or symbol (an I or l for a 1 or !, an S for a $), a trailing number is incremented, or a trailing special character is added or dropped. Password-cracking tools apply these same substitution rules automatically, so changing the letter S to $ buys nothing.
3. Users build new passwords from familiar words, phrases, or names, which are easy to guess from publicly available information.
4. Users are more tempted to re-use passwords and find ways to do so even where systems have been designed to limit such behavior (for example, by using the same password on a different system that has no history check). In an era of huge dumps of breached credentials, any password re-use is a threat to your company’s cybersecurity. (Attackers keep wordlists built from previously leaked passwords, and rest assured, those lists contain most of the passwords you currently use.)
5. Because passwords that are both complex and regularly changed are often impossible to remember, users write them down at their desk or keep them in an unencrypted file.
The Human Factor
Forgetting that your cybersecurity policies and procedures are executed by humans will put your company at risk.
A cybersecurity policy compelling your employees to regularly update complex passwords limits the effectiveness of your password policy and leaves you less secure. It does so because it forgets that the people using the passwords are human.
Science Agrees – Your Password Policy is Compromised
Still not convinced? Well, how about some science?
“Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.”
“The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit—probably not enough to offset the inconvenience to users.”
A study at the University of North Carolina (Go Heels!) has more details:
“By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like “tarheels#1”, for instance (excluding the quotation marks) frequently became “tArheels#1” after the first change, “taRheels#1” on the second change and so on. Or it might be changed to “tarheels#11” on the first change and “tarheels#111” on the second. Another common technique was to substitute a digit to make it “tarheels#2”, “tarheels#3”, and so on.”
As FTC Chief Technologist—and Carnegie Mellon computer science professor—Lorrie Cranor notes:
“[People] tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
Recently, even the National Institute of Standards and Technology (“NIST”) has updated its recommendations on password policies. Its Digital Identity Guidelines (SP 800-63B) now advise against requiring periodic password changes unless there is evidence of compromise, and call for checking new passwords against lists of known-compromised passwords. The change rests on the premise that the old standards, with their emphasis on regularly changing passwords, were based on outdated concerns:
Most account compromises today don’t come from guessing a password. Instead, attackers use keystroke loggers, phishing attacks, and social engineering to capture passwords outright. More critically, so many major breaches have exposed huge lists of passwords that attackers simply try the passwords you’ve previously used, either directly against your accounts (credential stuffing) or as the wordlist for a cracking tool. (These leaked lists are often called “rainbow tables,” but that term properly refers to a precomputed table for reversing unsalted password hashes, a different tool.)
NIST previously explained in a 2009 publication on enterprise password management that while password expiration mechanisms can be “beneficial for reducing the impact of some password compromises,” they are “ineffective for others” and “often a source of frustration to users.” (Emphasis mine)
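As an added example (not code from the original post or from NIST), here is what a change-time check that follows this advice looks like. Instead of forcing rotation, it rejects a proposed password that is a predictable transformation of the current one (the case flips, trailing-number increments, look-alike symbol swaps and moved digits described above), that is too short, or that appears in a list of known-compromised passwords. The breach list, the edit-distance threshold and the look-alike table are assumptions chosen for illustration; a real deployment would consult a full breach corpus or a breach-notification lookup service.

```python
import re

MIN_LENGTH = 12      # the post's own floor (NIST SP 800-63B itself requires only 8)
MAX_DISTANCE = 2     # assumption: within 2 edits of the current password = a "transformation"

# Constructed stand-in for a compromised-password corpus; a real check would use
# a full breach list or a k-anonymity lookup against one, not a handful of strings.
BREACHED = {"password", "password1", "tarheels#1", "letmein123", "qwerty123456"}

# Look-alike substitutions of the kind the UNC and Cranor studies describe,
# mapped back to the plain letter (table is an assumption, not from the studies).
LOOKALIKE = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "!": "i", "1": "i",
                           "|": "l", "0": "o", "3": "e", "7": "t"})


def variants(pw: str) -> set[str]:
    """Forms of a password with the usual transformations undone: case folding,
    digit/symbol padding stripped from either end (so 'tarheels#1', 'tarheels#11'
    and '1tarheels#' all share the core 'tarheels'), and look-alike swaps reversed."""
    low = pw.lower()
    forms = {low, low.translate(LOOKALIKE)}
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    if core:                      # an all-digit/all-symbol password has no letter core
        forms |= {core, core.translate(LOOKALIKE)}
    return forms


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-character inserts, deletes and substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(old: str, new: str) -> int:
    """Smallest edit distance between any normalised form of old and any of new."""
    return min(edit_distance(a, b) for a in variants(old) for b in variants(new))


def check_new_password(new: str, current: str) -> list[str]:
    """Reasons to reject a proposed password; an empty list means accept.
    `current` is the password the user just typed to authorise the change, which is
    the only old password a verifier can compare against without storing plaintext."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if variants(new) & BREACHED:
        reasons.append("appears in a known-compromised password list")
    if similarity(current, new) <= MAX_DISTANCE:
        reasons.append("predictable transformation of the current password")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes: the first three are the patterns from the studies.
    for old, new in [("tarheels#1", "tArheels#1"), ("tarheels#1", "tarheels#11"),
                     ("p@$$w0rd2024", "Password2024"),
                     ("tarheels#1", "correct-horse-battery-staple")]:
        print(f"{old!r} -> {new!r}: {check_new_password(new, old) or 'accepted'}")
```

Comparing every normalised form of the old password against every form of the new one is what makes a moved or incremented digit show up as distance zero; a plain string comparison would see “1tarheels#” and “tarheels#1” as different. The check only ever sees the current password, supplied in plaintext at change time, so it needs no reversible password storage.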
I can’t possibly put it better than XKCD did in this comic:
People accept that they need to use passwords, but that doesn’t mean they like it.
For more on the new NIST standards, check out this article.
Your Password Policy needs to be about more than helping you feel more secure.
But wait, you think to yourself, if my IT people have known about all of this – that requiring password changes was essentially ineffective, and potentially even dangerous – why haven’t they told me to change things?
Well, it turns out IT managers aren’t immune from external pressure and the need to appear strong. According to FTC Chief Technologist Cranor:
“People have told me, ‘If I were to do something that looks like I was watering down my organization’s security policy,’ people are going to say, ‘Why are you going soft on security here?’ You never have to explain why you’re making things more secure… Removing that requirement would require a lot of explanation.”
Don’t Go Crazy, Changing Passwords Still Has its Place
This is not to say that changing passwords is always a bad idea. There is a reason why changing passwords became a part of the “strong password” rules in the first place: in certain circumstances, it’s 100% necessary.
Here’s a helpful list of times when you SHOULD require employees to change passwords:
- Passwords were stolen;
- Passwords were shared, even within your office;
- You have reason to believe one or more accounts have been compromised; and/or
- An employee leaves the company (even on good terms; orphaned login credentials are a popular entry point for intruders, so disable the account rather than merely changing its password).
When done right – or more simply, when done for an actual reason – changing passwords is necessary for proper cybersecurity.