Password Periodic Changes

Overview#

Password Periodic Changes (also called Forced Password Change or password expiration) is a long-standing security practice intended to periodically lock out unauthorized users who have learned a user's password.

While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive. A few peer-reviewed papers that address this issue:

NIST.SP.800-63B (2016), Microsoft and Bruce Schneier all recommend that passwords SHOULD NOT be arbitrarily expired after some interval.

The National Institute of Standards and Technology (NIST) explained in a 2009 publication on enterprise password management that while password expiration mechanisms are "beneficial for reducing the impact of some password compromises", they are "ineffective for others" and "often a source of __frustration__ to users." They went on to encourage organizations to balance security and usability needs, outlining some factors to consider. NIST emphasized that other aspects of password policies may have greater benefits than mandatory expiration, including requirements for password length and complexity, as well as the use of slow hash functions with a well-chosen "salt" (a technique to make sure that if two users have the same password, the stored hashes will not look the same).
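To make the "slow hash plus salt" point concrete, the following Python example (added here for illustration; it is not code from NIST or from this page) stores and verifies passwords with scrypt from the standard library. The scrypt cost parameters, the record format `scrypt$<salt>$<digest>` and the sample passwords are assumptions made for the example. It contrasts an unsalted SHA-256 digest, where two users with the same password are visibly identical in the credential store, with a per-user random salt, where they are not.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Cost parameters for scrypt: chosen for the example, tune for your own hardware.
# N is the CPU/memory cost, r the block size, p the parallelism factor.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def unsalted_hash(password: str) -> str:
    """Weak scheme for comparison: a fast, unsalted SHA-256 digest.
    Identical passwords produce identical digests, which is exactly the
    property the NIST remark about salting is meant to avoid."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DIGEST_BYTES,
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt_hex>$<digest_hex>'.
    A fresh random salt is drawn per call unless one is supplied (the
    explicit salt parameter exists so tests can be deterministic)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = _scrypt(password, salt)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt stored in the record and compare
    in constant time so the check does not leak how many bytes matched."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    actual = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected)


def demo() -> Dict[str, bool]:
    """Two users who picked the same (constructed) password."""
    shared = "correct horse battery staple"
    alice = hash_password(shared)
    bob = hash_password(shared)
    return {
        "unsalted_records_identical": unsalted_hash(shared) == unsalted_hash(shared),
        "salted_records_identical": alice == bob,
        "alice_verifies": verify_password(shared, alice),
        "bob_verifies": verify_password(shared, bob),
        "wrong_password_rejected": verify_password("wrong password", alice),
        "garbage_record_rejected": verify_password(shared, "not-a-record"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The salt is not a secret; it is stored next to the digest so that verification can recompute it. What it buys is that an attacker who obtains the credential store cannot crack all users who share a password with one guess, and cannot reuse precomputed tables across users or sites.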

Microsoft's View#

Dropping the password expiration policies.

There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and Multi-Factor Authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.

This reinforces a larger important point about our baselines: while they are a solid foundation and should be part of your security strategy, they are not a complete security strategy. In this particular case, the small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management. Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards. It simply reinforces that security cannot be achieved entirely with baselines.
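The two alternatives Microsoft points to above, banned-password lists and rejecting predictable alterations of an existing password, can both be enforced at password-change time. The following Python example is added here to illustrate that check; it is not Microsoft's code and is not how Azure AD password protection is implemented. The banned base-word list, the character-substitution map, the minimum length of 12 and the edit-distance threshold of 2 are all constructed values for the example.

```python
import re
import unicodedata
from typing import List

# Constructed sample of banned base words. A real deployment would use a much
# larger list built from breach corpora and organisation-specific terms.
BANNED_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "summer", "winter"}

# Common character substitutions folded back to letters before matching, so
# that "P@ssw0rd" is treated as "password". Constructed for the example.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def canonical(password: str) -> str:
    """Unicode-normalise and lowercase; used for similarity comparison."""
    return unicodedata.normalize("NFKC", password).lower()


def fold_substitutions(password: str) -> str:
    """Canonical form with leet substitutions undone; used for banned-word matching."""
    return canonical(password).translate(LEET_MAP)


def strip_affixes(s: str) -> str:
    """Drop leading/trailing non-letters so 'Welcome2024!' exposes 'welcome'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def is_banned(password: str) -> bool:
    core = strip_affixes(fold_substitutions(password))
    return any(word in core for word in BANNED_BASE_WORDS)


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the new password is a small edit of the old one (e.g. a
    bumped digit) or the same word with different digits/punctuation around it."""
    o, n = canonical(old), canonical(new)
    if levenshtein(o, n) <= max_distance:
        return True
    stripped_old, stripped_new = strip_affixes(o), strip_affixes(n)
    return stripped_old != "" and stripped_old == stripped_new


def validate_change(old: str, new: str, min_length: int = 12) -> List[str]:
    """Return a list of reasons to reject the new password; empty means accept.
    `old` may be an empty string for first-time enrolment."""
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    if is_banned(new):
        problems.append("contains a banned word")
    if old and is_predictable_change(old, new):
        problems.append("trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {validate_change(old, new) or 'accepted'}")
```

Such a check only works at the moment a password is set, which is why the blog post above says it cannot be expressed through the handful of Group Policy password settings in a security baseline; it needs either a directory-side policy feature or a custom password filter.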

Productivity Impact#

Consider the impact of password expiration on the site's productivity. Clearly, password handling is an unproductive, "overhead" activity whose impact should be minimized for practical reasons. Yet the traditional password-changing process is one of the more challenging tasks a user must face.

Consider what a user named Cathy must do when her password expires. Traditionally, the system will simply demand a new password the moment the previous one expires, and Cathy must provide the new password in order to proceed. Fortunately, some systems make this slightly easier by issuing warnings a few days before the password actually expires.

If Cathy is like most people, she's unlikely to spend idle moments trying to think up a clever, memorable, but hard-to-guess password. When faced with the expired password, she must immediately think of one and accurately type it without seeing its text, since most systems don't display passwords. It is particularly difficult for people to memorize text without ever seeing it.

As if this isn't enough of a mental challenge, consider that human short-term memory can, on average, hold between five and nine items of a particular kind: letters, digits, words, or other well-recognized categories. Many organizations require eight-character passwords, which lie at the optimistic end of people's ability to memorize. Moreover, Cathy's short-term memory may retain this new password for only about half a minute, so she must memorize it immediately. Studies show that if Cathy is interrupted before she fully memorizes the password, it will fall out of her working memory and be lost. If Cathy was preoccupied with a different task when the system demanded a new password, she must sacrifice either her concentration on the critical task or the recollection of her new password.

It’s not unusual for memory to fail and the password to be lost. Then Cathy must contact the site’s help desk and arrange to have her password reset. According to a study by Forrester Research, 20% to 50% of all help desk calls are password related, and these calls cost the site an average of $80 each (see "A digital certificate roadmap" by Forrester Research, 2000). Moreover, the help desk itself can open the site to attack, especially when handling "lost" passwords. In a typical attack, the help desk receives a call from a panic-stricken user whose password doesn't work. The help desk gets the user logged on, and it later turns out that the "user" is really an attacker.
