Comments on: Password expiration best practices?

Question: Password expiration best practices?

pzarquon — Mon, 27 Feb 2006 11:16:36 -0800

Is there an "industry standard" for password expiration periods?

With the understanding that it depends on the "industry," and ultimately at the company/agency level, can a broad generalization be made that most corporate environments enforce {x}-day password expiration periods -- be it 30 days, 45 days, 60 days, 90 days, etc.? Is there a default starting point for IT security wonks?

There are some commonalities in password policies - longer than 8 characters, mixed characters, don't reuse old passwords, etc., but I've seen a huge range in expiration periods, all the way up to none.

Any security guys here who can point to some acronymed standards body or guideline with a number? Or will it always be, "it depends"?

By: orthogonality

orthogonality — Mon, 27 Feb 2006 11:24:04 -0800

Go empiric. Keep shortening the period until you find > 10% of calls to your company help desk are for password resets. (Then fire the top ten percent most frequent requestors, and repeat, until you'd have to fire someone higher than you in the pecking order.)

By: eriko

eriko — Mon, 27 Feb 2006 11:24:28 -0800

No.

And let me be the first to say 'Expiring passwords doesn't help.'

Here's the problem. Frequently expiring passwords makes it much harder for your users to remember them. This causes two problems.

1) Weak passwords, as they keep trying to come up with new ones, and almost always evolve an "orbit" of passwords.

2) Support costs, as you deal with frequent failed password changes.

I'm with Bruce Schnier on this. Don't expire. As a matter of fact, let them write them down -- as long as they treat that piece of paper as the important piece of paper it is. The rule I use is "That peice of paper is a $50 bill. Would you leave it lying on your desk?"

If you're really paranoid, make them write it on a $50. A far bigger problem than people writing down passwords is weak passwords -- and expiring them doesn't help that, indeed, it makes that problem worse.

You can, via strong passwords, attempt to force strong passwords. Your support costs will climb as you do so, as your users fight to come up with legal passwords, and then forget them. Or, they'll simply give up and write them down on a post-it note.

I'd rather they spend the time to learn one good password a year, rather than try to learn a dozen or more, or worse, come up with a weak password. Heck, if they stick a peice of paper in thier wallet with the strong password, so much the better.

Just as long as they treat that peice of paper like money, it'll be far more secure than most passwords.

By: KirkJobSluder

KirkJobSluder — Mon, 27 Feb 2006 11:29:09 -0800

I think it's past time to recognize that any security system that works in direct opposition to what we know about human attention and memory is fundamentally flawed.

But to answer the question, "it depends."

By: kcm

kcm — Mon, 27 Feb 2006 11:30:56 -0800

Here, a real example of what they said.

By: poppo

poppo — Mon, 27 Feb 2006 11:32:09 -0800

Good points, but perhaps points pzarquon's boss won't be interested in. Doing security at various government agencies i can tell you anecdotally that I have seen password ages range anywhere from 30 to 90 days.

The documentation which most agencies follow as a guideline are the NIST Special Publications, here

I'm trying to find one that speaks to password aging.

By: birdherder

birdherder — Mon, 27 Feb 2006 11:42:00 -0800

Both high tech companies I've worked for have 45 expiry dates on passwords. And my current employer uses the same rules as in kcm's link.

If they add L33t5p34k to the list of dont's I'm going have to go to writing new passwords down.

By: poppo

poppo — Mon, 27 Feb 2006 11:43:51 -0800

Ok, what NIST and FIPS say is simply that you should set a maximum password age, not what that value should be, so as Kirk says, it depends. Depends on the value of the data you need to protect. Really valuable, maybe 30 days, not so much, maybe 60 or 90.

By: Imperfect

Imperfect — Mon, 27 Feb 2006 11:58:59 -0800

Don't expire, and make sure your character length is long enough to allow for pass phrases instead of passwords, pass phrases being easier to remember and more effective anyway (also a Shnier fan).

"I didn't want to tell her, but she made me 13* madder than I had expected!" is a lot more secure than fgH2S~9r, and much easier to remember.

I cannot stand when a web site requires I log in, then disallows passwords over a certain length (like 8 chars, typically) or disallows special characters. You WANT an insecure site? And you're saving what, 150k in password space on a site like Hotmail?

By: raedyn

raedyn — Mon, 27 Feb 2006 12:06:31 -0800

What drives me bonkers here at work is that network access and each peice of software have their own requirements (in one, your login is your full name, in another it's your first initial & last name in full, in yet another it's your first inital & last name truncated to six characters). The passwords expire at different times like our payroll software password is good for 90 days, IIRC, while our financials software requires a change every 30, and a client database requires a change every 45.

It would be great if there was some kind of consistency.

By: shepd

shepd — Mon, 27 Feb 2006 12:17:50 -0800

Never expire is the best policy. Anything else, from my personal experience as a support grunt for a medium sized college, results in sticky notes on the monitor with this month's password on them.

Think of it like this: Imagine if every month you had to get a new lock installed on your door. How quickly would you just start leaving the door unlocked? Or maybe you'd just stick the new key under the mat? Yep, thought so.

And the old "don't reuse old passwords" just means that the new office standard will be "fuckXX" where XX is the number of times the password has changed (or, depending on where you work, it might be one of the other popular passwords, like "god", or "money").

By: Mitheral

Mitheral — Mon, 27 Feb 2006 13:00:23 -0800

"Is there a default starting point for IT security wonks?"

Microsoft has a couple write ups: NT4 days and some MVP

They also have a big white paper on minimum password recommendations when running AD but I'm unable to find it.

eriko writes "Don't expire. As a matter of fact, let them write them down -- as long as they treat that piece of paper as the important piece of paper it is. The rule I use is 'That piece of paper is a $50 bill. Would you leave it lying on your desk?'"

The only problem with this is people share their password. When nameless middle manager replaces his secretary it gives IT a warm feeling to know the window of opportunity for abuse with his password is limited to the expiration period.

By: theora55

theora55 — Mon, 27 Feb 2006 13:41:25 -0800

There have been AskMe threads on password strategies, but I'm to lazy to search. I teach users to use a magic word or phrase, like infinitesummer, and add numbers, like infinitesum09mer. The number can be incremented. The number can be changed for different networks. The only thing the user needs to put on the monitor is the stickie that says 9. Longer passwords are a lot more secure, but not that much more of a pain to type.

Expiring passwords gets rid of account access where the department may not let you know a straff member has departed, or is on leave.

By: Sharcho

Sharcho — Mon, 27 Feb 2006 13:41:25 -0800

In the NSA Security Configuration Guides.

In the guide itself they recommend 42 days for high security, but in the security template it is defined as 90 days.
I think changing passwords more often than 90 days is a hassle.

By: geoff.

geoff. — Mon, 27 Feb 2006 14:27:25 -0800

I agree with everything said, and let me add that instead of time-frame determined password changes -- move it to emplolyee changes within a department, such as the situation Mitheral describes. Whenever an employee leaves a position within a department (workgroup, whatever the buzz word for small organizational unit is) make everyone in that department change their password, this is fairly easy to setup within group policy. I always like the "full name of the girl you lost your virginity to plus the year it happened", so for me it'd be like "katemoss95" -- I see it as less dictionary-hackable and incredibly personal. It also keeps people from sharing passwords and keeps passwords very unique. You might want to corporatize and gender-neutralize the language though.

By: reklaw

reklaw — Mon, 27 Feb 2006 14:48:09 -0800

The worst 'insecure expiring password' I've ever heard of was from a guy who worked at a company where they were required to change their passwords on the first day of each month. He just changed the password to 'january', 'february', and so on.

So, yeah. 'Never expire' isn't the standard, but if you ask me, it should be.

By: CrayDrygu

CrayDrygu — Mon, 27 Feb 2006 15:38:41 -0800

"Never expire" is a bad idea from a security standpoint. To extend the lock-and-key analogy, let's say you moved into a place where the lock had never been changed, and you couldn't change it either. How secure do you feel, knowing everyone who's lived there before might still have a copy?

I think that, for "average" security, 90 days is the best compromise. It's long enough to not be inconvenient, but still makes sure that passwords eventually get changed. Require a mix of letters and numbers, and enforce a password history to avoid the "january, february" thing.

But then you need to educate the users on choosing a password. Don't send out a typical "your password must be a minimum of 8 characters, including both letters and numbers, and must..." email, because nobody will care.

Address them as human beings, not as computer users. Because most of them aren't computer users.

To: All
From: IT Dept
Subj: Choosing an effective password

Everyone,

We realize that choosing a good, easy-to-remember password can be difficult, especially when you are required to change it regularly. The advice in this memo should help you choose passwords that are both easy to remember, and secure enough to keep our company's information safe.

1) Your password can be as long as you want, so feel free to use several words, or even an entire sentence. The phrase "my cat is 7 years old" is a perfectly legitimate password, and is easy to remember.

2) Please use at least one digit (0-9) in your password, as in the above example. This makes it much harder to guess, or to break into.

3) If you need to write your password down, keep it on your person, not attached to your computer. Also, do not write "work password" or anything similar on the note, in case someone else finds it. You will know what it is when you see it.

By: pzarquon

pzarquon — Mon, 27 Feb 2006 17:55:03 -0800

Thanks so much, everyone. Even without a definitive answer, y'all have helped clarify some thinking. I agree that too-frequent changes encourage weak passwords, but I also think "never expire" is a security strategy I'd be hard pressed to justify.

Poppo's link to the NIST guides led me to SP 800-68 on XP configuration recommendations from October 2005, one of the more current references, that recommends a maximum password age of 90 days, which certainly means no longer, but it could be shorter. Hey, it's a start.

There's a lot of good reading via your links and the sites further referenced. It seems, though, that "it depends" is the official answer. Ah well. If it was all in one big book somewhere, you wouldn't need people at all!

By: eriko

eriko — Mon, 27 Feb 2006 19:21:06 -0800

Argh. For the record, it's "Schneier."

I know this. I've got a name people foul up all the time (though, in my case, it is because they think they know how to spell it.)

It was early, I wasn't fully caffinated. That's my excuse.

By: shepd

shepd — Tue, 28 Feb 2006 09:29:10 -0800

Cray Drygu... you're not FORCING the people to take someone else's account and password and keep the same account and password the same. They have the option to change the password (in fact, it should force them to set a new password ONE TIME) and one would HOPE they have their own private username. :-) Think of it like an apartment which gives you the freedom to install your own lock when you move in.

But, if I were back where I was changing my password every 90 days, I love reklaw's idea. To comply with your security, I'd change it in january to january2006. And then march2006, etc, etc. And, with that mentioned, I wonder how many staff where I worked actually did that for real. I bet the number was pretty high.

[Did I mention that during that regime of working password support... I forgot MY OWN password during one of the hundreds of password changes I had to do? Lucky for me I worked password support with more than one person. Yes, more than one person for a single college... on password support... over 30 day password changing policies. *sigh*]