In my previous blog post, I talked about the password standard at the University of Calgary. The password standard dictates that passwords on our user’s IT accounts must follow certain rules. Notably, length and complexity, but also that they must be changed once a year. In the same blog post I also mentioned that I receive feedback on our Password Management tool quite regularly, and the feedback is often about our password standard. The second most popular piece of feedback I get is why we force a password change every year.
Arguments against password expiration are quite varied, and I agree with all of them:
- If an attacker gets your password, they tend to use it right away, a year is too slow.
- If an attacker gets a weak password hash, they can crack it faster than a year.
- If an attacker is guessing for common passwords, they will get it faster than a year.
- Forcing password changes results in user’s picking weaker passwords.
- A sufficiently long password is virtually uncrackable.
- Mathematically there is more entropy in adding one additional character to a password instead of changing it yearly.
The great thing about a university is we have well educated users, and all this feedback is certainly accurate. However here is the rational:
1. We have to
This one is really boring. We are mandated by our security office to do yearly password changes to comply with our provincial auditors. This one is boring. Next.
2. Strengthen your password on our side
This is my favourite from a technical standpoint, and perhaps one our user’s can respect.
Once a password has been set, we lose access to it. We can’t see your password, and we can’t change anything about it. This means everything about it is set in stone until you change it. When you change it, we get a chance do the following:
- Enforce our latest standard on length and complexity.
- Hash (obfuscate) your password with the latest and strongest algorithms.
By doing yearly password changes, we can apply these changes invisibly while you predictably change your password on your schedule.
3. Not all attackers are foreign
We like to think of people trying to steal our passwords as foreign hackers trying 24/7 to get to our information using sophisticated techniques. And that is true, that does happen.
However, another vector of attack is simply handing your password over to your friend. You trust them now, but will you remember you gave out your password a year ago when your relationship changes? It is very common for the scenario to play out where you give your password out (which you shouldn’t) and later your friend isn’t so friendly anymore. A password change invalidates those old passwords so it is no longer a concern.
4. Hashes don’t last forever
If an attacker got our password database, we didn’t exactly give them the keys to the castle – at least not yet. Our passwords are salted and hashed, however they are not invulnerable. If a password takes 30 years to crack, then changing it once a year slows that down, even a little bit. The yearly password change was actually a compromise to reduce the length of passwords users have to use.
5. It shouldn’t matter too much
How do you remember a password? I use a offline password manager that stores the encrypted database on Dropbox. When I change my password, I update it there and I’m done. I do have to change the password my e-mail client’s store, but I only have two of those and they prompt me for the new password when they detect the old one no longer works. It all takes about two minutes. Eventually the muscle memory in my fingers learns the new password as I make an effort to type it out as I use it about a hundred times a day; However for the average user at the University of Calgary they can probably get by from copying the password from their password manager. A little clunky, but worth it for the security of a potentially very powerful account.
It is hard to remember new passwords. It is almost a ritual to type the wrong password into a password field a couple times after changing it. So I would recommend…
- Using a password manager
- Using a pass phrase, such as four or five words that form a gibberish sentence
- Helping along the cause of abolishing passwords entirely…
Opinions in this blog related to my employment at the University of Calgary are my own, and do not represent the interests of the University of Calgary.