I recently overheard a colleague say that, in his opinion, the best form of password security for his enterprise is to not enforce monthly or quarterly password changes for employees. His reasoning: enforcing tough passwords and forcing employees to change them periodically often drives them to write the passwords down (sometimes even on a sticky note attached to the monitor or desk). That, he argues, is a bigger security risk than not enforcing periodic password changes.
At first I thought this was one of the craziest ideas I had ever heard. It goes against one of the most basic security principles out there: make your passwords tough and change them often.
On further thought, I decided that the logic behind the idea makes some sense. Allowing employees to keep their passwords indefinitely may help with those people who insist on writing them down. That said, I do not think it is a viable solution. Whether or not you force employees to change their passwords, there will always be some who like to write them down. In addition, the risk of allowing indefinite access through a compromised account outweighs the risk of someone reading a password off a note.
Brian,
I agree with you that the risk of allowing indefinite access through a compromised account would outweigh, to some extent, the risk of someone reading a password and having limited time access until a password change is required. If someone read a password on a sticky note taped under a keyboard, that individual has already shown that they have physical access to a system. Once an individual has already gained physical access, it is very hard (or near impossible) to adequately secure that system.
In my new book, "The Executive MBA in Information Security", available at amazon.com and bn.com, I discuss the importance of strong passwords and changing these passwords on a routine basis. Here are some recommendations that I give:
1. A password should be at a minimum 8 characters long and should be changed at least every 30 days. I recommend that privileged users (such as administrators) should have at least 14 character passwords.
2. Every password should be unique and complex. The password should have a mixture of upper case/lower case letters, numbers, and symbols or special characters. Passwords should not be found in dictionaries or be hybrids of dictionary based words.
3. 'Sing' your password - take a phrase in your favorite song and write it down. Use a cipher key that you can remember such as changing the first letter of every word in the phrase to a capital letter, change all o's to zeros (0), change all i's to exclamation points (!), change all s's to dollar signs ($), etc. (Note: whatever cipher you use, you make the code up yourself and it should be something easy for you to remember when entering your 'pass phrase'.)
An interesting article that discusses password strengths and the rationale behind changing passwords on a frequent basis along with an actual password strength tester can be found here: http://infoworld.com/print/76437
I hope this information is useful.
Jay Trinckes
CISSP, CISM, C-EH, NSA-IAM/IEM, MCSE-NT, A+
Senior Information Security Consultant
CastleGarde, Inc.
Posted by: Jay Trinckes | 02 November 2009 at 10:32
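The rules in points 1 and 2 and the pass-phrase transform in point 3 can be turned into a runnable check. The Python below is an added example written for this page; it is not the commenter's code or anything taken from the book. The word list, the test phrases and the extra '@' to 'a' reversal are constructed for the example. It deliberately undoes the substitutions before the dictionary check, because password-cracking rule sets try exactly these mappings, so a munged single word such as "P@$$w0rd" fails while a munged multi-word phrase passes.

```python
"""Added example (not the commenter's code): password-policy check built from
the rules in the comment above, plus the 'sing your password' transform."""
import string

MIN_LEN_USER = 8          # rule 1, ordinary accounts
MIN_LEN_PRIVILEGED = 14   # rule 1, administrators and other privileged users

# Rule 3's substitution table, as the comment describes it.
SUBSTITUTIONS = {"o": "0", "i": "!", "s": "$"}

# What a cracking rule set undoes: the table above reversed, plus '@' -> 'a'
# as one further common mapping (an assumption of this example, not the comment's).
REVERSE_SUBSTITUTIONS = {**{v: k for k, v in SUBSTITUTIONS.items()}, "@": "a"}

# Constructed stand-in for a word list; a real check loads a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "admin",
              "letmein", "somewhere", "rainbow"}


def sing(phrase: str, subs=SUBSTITUTIONS) -> str:
    """Rule 3: capitalise the first letter of every word, drop the spaces,
    then apply the substitution table to every remaining character."""
    joined = "".join(w[0].upper() + w[1:] for w in phrase.split())
    return "".join(subs.get(c.lower(), c) for c in joined)


def alphabetic_core(password: str) -> str:
    """Lower-case the password, reverse the known substitutions and keep only
    letters, i.e. the string a dictionary attack would compare against."""
    undone = "".join(REVERSE_SUBSTITUTIONS.get(c, c) for c in password.lower())
    return "".join(c for c in undone if c in string.ascii_lowercase)


def is_dictionary_hybrid(core: str, dictionary=DICTIONARY) -> bool:
    """Rule 2's 'dictionary word or hybrid' test on the alphabetic core:
    an exact word, a word padded with up to three letters, or two words run
    together. Heuristic, but it catches the usual single-word munging."""
    if core in dictionary:
        return True
    for word in dictionary:
        if len(word) >= 4 and word in core and len(core) - len(word) <= 3:
            return True
    return any(core[:i] in dictionary and core[i:] in dictionary
               for i in range(1, len(core)))


def check_password(password: str, privileged: bool = False,
                   dictionary=DICTIONARY) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    failures = []
    minimum = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_USER
    if len(password) < minimum:
        failures.append(f"shorter than {minimum} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    if is_dictionary_hybrid(alphabetic_core(password), dictionary):
        failures.append("dictionary word or dictionary hybrid (after undoing substitutions)")
    return failures


if __name__ == "__main__":
    # Constructed test inputs: a munged single word, a plain weak word,
    # and a phrase run through the rule-3 transform for a privileged account.
    phrase_password = sing("somewhere over the rainbow")
    for pw, priv in [("P@$$w0rd", False), ("letmein", False), (phrase_password, True)]:
        print(pw, "->", check_password(pw, priv) or "OK")
```

"P@$$w0rd" satisfies every character-class rule and still fails, because its core after reversing the substitutions is "password"; the phrase-derived password passes even the 14-character privileged minimum. The hybrid test is a heuristic over a tiny word list; a real deployment should load a full dictionary and a cracking rule set rather than this three-entry reversal table.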
If writing down passwords was the only aspect of risk to be concerned about, this would indeed be a good approach. But the mandate to periodically change passwords is meant to accomplish things like making sure only the legitimate owner of the account knows the password ("shoulder surfers", who picked up the pw while the legitimate owner typed it in, would be thrown off by the change). The same is true with situations where the sys admin changes a pw and communicates it to the legitimate user - unless that user is forced to change it, the sys admin knows it too. And finally, not kosher, but a frequent practice: people often "share" pw's with the intent of the shared usage being temporary in nature (e.g. during vacation). Mandatory pw changes ensure that the people the pw was given to "temporarily" indeed can no longer access the system.
Posted by: Hubert Kay | 02 November 2009 at 20:59
What the colleague overlooked is that it matters which threat you need to counteract most. If it's the prying eyes of co-workers, then a post-it note due to too much required complexity can cause your password-change control to fail. However, if your users all have internet-facing access, against which a botnet can exert brute-force password guessing, a post-it note safely kept within the office doesn't seem quite so hostile in comparison.
Posted by: Gary Dobbins | 03 November 2009 at 06:38
I also had the exact same response from a senior member of management in response to a Security Audit.
It seems crazy to sacrifice your corporate security because people might write it down. Surely one of the other basic principles of password security is "don't write it down". So if the 1st principle of not writing it down is enforced, then you won't face this issue.
Posted by: Bob | 06 November 2009 at 09:41