Changing Attitudes toward Passwords
You have probably been warned that you have to change your passwords regularly.
You might even have read the advice from the United States Department of Defense Password Management Guideline, CSC-STD-002-85 (12 April 1985). (The bold type below is part of the original document.)
Section 4.2 User Responsibilities
4.2.2 Changing Passwords
The simplest way to recover from the compromise of a password is to change it. Therefore, passwords should be changed on a periodic basis to counter the possibility of undetected password compromise. They should be changed often enough so that there is an acceptably low probability of compromise during a password’s lifetime. To avoid needless exposure of users’ passwords to the SSO [System Security Officer], users should be able to change their passwords without interventions by the SSO.
ClearPath Forward® systems, both OS 2200 and MCP, provide tools to help you comply with that recommendation, leaving the choice of the password’s lifetime up to your security administrators – typically between 3 and 6 months.
Does it make sense to make “forever” the password’s lifetime?
A 2017 publication from U.S. National Institute of Standards and Technology (NIST) says, “Yes, unless you know it’s been compromised.”
NIST Special Publications 800-63A through 800-63C provide technical guidelines to agencies for the implementation of digital authentication, and SP 800-63B addresses lifecycle management.
In the words of SP 800-63B, Section 10.2.1,
Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
In this recommendation, NIST explains, “A memorized secret is something you know.”
The reason for this change of advice is that between 1985 and now the practice of requiring periodic password changes hasn’t worked out as well as expected. Computer users forced to change passwords regularly – especially if they use a different password for each account, as recommended – have too frequently picked easily guessed passwords or written them down in obvious places (like that Post-it note under your keyboard) or forgotten them and had to call the help desk to reset them. In these cases, your password is no longer something you know.
You have also been warned to avoid using easily guessed passwords. (Surely you don’t use “password” or “letmein”, do you?) Does your password have to contain at least one upper case letter, one lower case letter, one number, and one funny symbol? If you don’t like that password rule, you’ll like another new recommendation from NIST: “No other [than length] complexity requirements for memorized secrets SHOULD be imposed.” An appendix to SP 800-63B explains the rationale:
…online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.
You might now wonder, “Should I recommend updating my company’s password policies to eliminate a requirement for periodic change and eliminate password complexity rules?”
Before you make that recommendation, consider these observations:
- Complexity rules help make passwords resistant to simple attacks that use dictionaries of common passwords.
- Passwords don’t have to be something you know without assistance if you can keep them securely and retrieve them when they are needed. Software for this purpose is readily available (e.g., Password Safe).
- Sometimes you don’t know that your authenticator has been compromised until after a criminal has used it to access your accounts. That’s the “undetected password compromise” in the Department of Defense 1985 guideline.
- If your authenticator is in a compromised userid/password database, there may be considerable elapsed time between the availability of that database and the day some attacker uses it, and changing your password in the interim will thwart the attack.
The ultimate goal is to keep your systems and data safe. Password security is one aspect of protecting them. If you decide to update your password security policy in keeping with the new NIST recommendations for periodic change and complexity, or if you decide to keep them as they are now, ClearPath Forward systems provide options and tools to help you.