



What should your company’s change password policy be?

May 09, 2019 | 6 mins

Microsoft's recent dropping of its maximum password age default renews the debate over forced password changes. Here's why you should continue to expire passwords.

[Image: password reveal tip. Credit: Ben Patterson / IDG]

Microsoft’s April 24 decision to remove the “Maximum Password Age” (forced expiration) default from Microsoft Windows has sparked a lot of discussion. The default (and recommended) maximum password age had been 45 to 60 days, depending on the OS version. Removing the forced expiration default follows the recent National Institute of Standards and Technology (NIST) recommendation not to require a password change until you know a password has been compromised.

The thinking behind Microsoft’s move is that passwords are usually compromised through means other than password guessing/hacking, which is what mandatory expirations are intended to minimize. Worse, forcing people to change passwords frequently encourages them to re-use the same passwords or patterns across multiple websites. Most passwords are stolen through phishing attacks, and a forced password change won’t prevent that.

Should you follow NIST’s and Microsoft’s lead and eliminate forced password expiration policies? I don’t think so. Here’s why.

Compliance still requires password expiration

I’ve yet to meet the organization that isn’t subject to some sort of cybersecurity regulation or law (PCI-DSS, HIPAA, SOX, NERC). All these regulations require automated, frequent password changes. Good luck if you believe NIST’s new password recommendations. You’ll be trapped into the old recommendations until the regulations change.

You rarely know when a password is compromised

My biggest gripe with the “don’t change your password unless you know it is compromised” recommendation is that most people don’t know if their password has been compromised. According to every “dwell time” datapoint I’ve read, the average hacker has full access to the network and its passwords for many months before they are discovered.

Troves of hundreds of millions of passwords, some compromised years prior, are often found on the dark web or a “pastebin” website. Many of those passwords are still good because many people don’t change their passwords. That fact alone should be seen as an advertisement for mandatory password changes.

By forcing users to change their passwords on a routine basis, you minimize the likelihood that any given password dump or credential-based attack still holds a working password. This is the biggest reason, after compliance, to have an automatic password expiration.

Forced changes might not increase password reuse

Again, forced password changes are believed to increase the chances that people will re-use passwords or patterns across multiple websites and services. I haven’t seen any data from NIST showing that it is actually the case. The data might exist, but I can’t find it after years of trying.

When sites periodically require you to change your password, rarely does a person then change every password on every website. What usually happens is the user changes that one password and does nothing to the other sites. This is especially true on corporate networks. When an organization requires more frequent password changes than most other sites, it virtually guarantees that it will have either a unique password or one that is shared across fewer websites. Not requiring password changes makes it easier, not harder, for someone to share passwords among websites.

NIST even conjectures that more complex passwords make it more likely that people will re-use them across multiple websites. Again, I’ve not seen data to support that, and I’m not sure it’s even possible. If you like to use long or complex passwords as a default, you’ll find that what counts as long and complex varies between websites. Some websites accept eight- to 12-character lengths. Others do not accept any characters except for letters. Some websites do not accept anything but numbers and letters. Good luck if you want to re-use your long and complex password across multiple sites.

Password guessing and cracking still happens

Even though password guessing/cracking is not as popular as it once was, it still happens. It still leads to tens of thousands of compromises. Myriad malware programs guess against people’s and organizations’ passwords. These bots guess against Windows Remote Desktop Protocol (RDP), PuTTY, VNC, SSH and online logon portals every second of every day. All can be defeated by using long or complex passwords, but the fact is all the compromised victims didn’t. Requiring forced password changes gives the guesser/cracker less time to get to the plaintext password, regardless of the password’s length or complexity.

As long as password guessing or cracking happens, what’s the harm in offsetting the risk? Want to change my mind? Show me data that says forced changing of passwords creates far greater risk. I have not seen that data, but I have read about tens of thousands of people being compromised by password guessing bots.

I can steal your password via email

I can construct an embedded link in an email that, if I can trick you into clicking on it, instructs your browser to send me your Windows password hash. There are ways to prevent this, but most organizations do not implement the correct defenses, especially with mobile users moving off their network on a regular basis.

It doesn’t send me your plaintext password. It sends the Windows NTLM challenge response handshake, from which many hacking tools can extract your password hash. Your password hash can be replayed in other types of attacks or it can be cracked to your plaintext password.

Eight-character password hashes are basically child’s play to crack, no matter what their complexity. I’ve seen many demonstrations of 12-character password hashes broken, and even a few 16-character passwords broken. None of them were super complex, but they did look like a representation of the average password I’ve seen in most environments. As long as I can trick you into clicking on that embedded link and get your password hash, not periodically changing passwords is an elevated risk.

How often should you change your password?

Microsoft officially did not recommend never expiring passwords. They left it up to the admin. It’s a subtle difference.

If you need to comply with a regulation that requires automated password expirations, then this is a moot point. You’ve got to do what the regulation requires. If you can choose what maximum password age is best for your organization, it depends on the organization’s risk acceptance. I feel that forcing changes every 30 to 45 days is insane. At that short of an interval, you really are asking for re-use problems. The average organization probably does every 90 days, and to me (without any real data to show me the right delineations), that feels appropriate for organizations that want significantly less risk than most organizations. I can even see organizations with average risk profiles going 180 to 365 days without forcing a password change.
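Whatever maximum age you settle on, the first step is to find out what your domain actually enforces and which accounts already exceed the threshold. The following PowerShell is an added example, not code from the article; it assumes the RSAT ActiveDirectory module, read access to user objects, and uses the 90-day figure above as the chosen threshold.

```powershell
# Added example (not from the article): audit Active Directory password ages against a
# chosen maximum. Assumes the RSAT ActiveDirectory module and rights to read user objects.
# 90 days is the article's "average organization" figure; adjust to your risk acceptance.
Import-Module ActiveDirectory

$MaxAgeDays = 90
$Now        = Get-Date

# 1. What does the domain enforce today? A MaxPasswordAge of 00:00:00 means "never expires",
#    which is the effective result of dropping the default the article discusses.
$policy = Get-ADDefaultDomainPasswordPolicy
"Domain default MaxPasswordAge: $($policy.MaxPasswordAge)"

# Fine-grained password policies (PSOs) override the default for the groups they apply to,
# so list them too; otherwise the domain value alone can mislead.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo |
    Format-Table -AutoSize

# 2. Enabled accounts whose password is older than the threshold, or flagged "never expires".
#    PasswordLastSet is $null when the user must change the password at next logon.
$users = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    $age = if ($null -eq $u.PasswordLastSet) { $null } else { ($Now - $u.PasswordLastSet).Days }
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordAgeDays      = $age
        PasswordNeverExpires = $u.PasswordNeverExpires
        MustChangeAtLogon    = ($null -eq $age)
    }
}

$report |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordAgeDays -gt $MaxAgeDays } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize

# 3. To enforce the threshold domain-wide once you have decided on it (uncomment to apply):
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -MaxPasswordAge (New-TimeSpan -Days $MaxAgeDays)
```

Accounts with PasswordNeverExpires set are the ones a forced-expiration policy silently skips, so review that column separately from the age column.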

Getting rid of all forced password expirations in all organizations is a recipe for more compromises, at least until someone can show me real-life data that says otherwise.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
