Thinking Through The Password Expiration Discussion

The most intriguing debate to come out of last week's security conferences in Vegas stems from a presentation by FTC Chief Technologist Lorrie Cranor at PasswordsCon 2016, part of the BSides security conference in Las Vegas. Dan Goodin, with Ars Technica, summarized the discussion well; the gist of the presentation seems to question why we should change passwords at some fixed frequency, or aims to challenge the old model of forcing password expirations in systems. Others in the community like Bruce Schneier agree, and Troy Hunt implies agreement in his tweet. In my mind, though, I struggle with the idea that the practice is in some way bad or ill-advised and that it's time to do away with it.

https://twitter.com/Jondwatson/status/760607234732675072

The debate seems to have started when Cranor was faced with the need to change her government passwords every six months (across 6 accounts); as a former defense contractor, I can definitely appreciate the feeling.

The general message seems to be:

Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking.

Transform-Based Algorithmic Framework

The basis of the argument stems from a 2010 study by the University of North Carolina at Chapel Hill, in which they analyzed user accounts to see how users replace / reuse / recreate passwords when prompted to change them. They created a model / framework to ascertain new passwords from old ones. The UNC report aims to debunk the draconian school of thought around changing passwords (forcing password expirations).

The study was based on known passwords that they derived from a 51k unsalted hash sample, from which they were able to crack 7,752 passwords. They used that 7.7k sample to perform their analysis. From this, they found that 41% of the known passwords (7.7k) could be cracked using their algorithm in off-line mode, and 13% of accounts could be broken in 5 guesses in on-line mode (18% in 10 guesses). Personally, I find this interesting for a number of reasons that will make up a post in and of itself later, but consider the governance we currently put in place from an IDS/IPS perspective and what we can do to improve it, specifically in on-line mode, where a small number of guesses is all an attacker gets before lockout or alerting should kick in.

To achieve this they built a transform-based algorithmic framework that can be employed to essentially guess and break future passwords:

Transform-based algorithms build from the presumption that a typical user will generate her next password by making systematic modifications to her current one (i.e., by applying primitive transforms).

While I enjoyed the read, it raises the question: if we have this transform-based algorithm to break recreated passwords, why not use it to help in the password recreation process? That seems to be the real debate, or the question we should be asking: how do we deal with the end-user?

It is possible that some will view our study as motivation to employ transform-based proactive password checking for new passwords as they are chosen, and indeed our transform-based algorithm could be used to implement such a proactive password checker. – UNC Study

They themselves present it as an option, but encourage the reader not to use it because it might be too hard to explain to the end-user:

It would not be straightforward to explain to a user the new passwords she must avoid (or why her chosen password is unacceptable), thereby compounding the already considerable frustration that users already experience due to password expiration (e.g., [1, 17]). – UNC Study

That’s a weak argument in my opinion. If we can improve our technology to better account for the inherent weaknesses of depending on end-users, then we definitely should. What I take from this qualification is, “End-users are too stupid to get it.” Is that really the right message?

The Case for Password Expirations

I think the study is spot on, highlighting what I think many of us already know: end-users will do little to help themselves, and when security is set face to face with convenience, convenience will always win. I don't think anyone would say that's a new development, but it is definitely great to see objective data to support the theory.

This lends credibility to the intuition that laziness in initial password selection is correlated with laziness in selecting a new password after expiration. – UNC Study

Where I think it falls flat however, is debunking the practice of forcing password expirations.

We believe our study calls into question the continued use of expiration and, in the longer term, provides one more piece of evidence to facilitate a move away from passwords altogether.

What I think the study does highlight is what we all already know: never trust the end-user to be mindful enough to take care of themselves. We should be using this study to figure out ways to improve the processes and governance in place.

For example, some things that could complement password expiration policies include:

  1. Integration of random password generation and management (via password managers / generators) into our education and awareness programs;
  2. Integration of transform-based algorithms to improve the password recreation process;
  3. Improvement of the messaging to end-users to help alleviate the strains introduced by #2;
  4. More discussion and governance around the use of multi-factor based solutions to augment our access controls;
  5. More discussion on the implementation of deny-all by default type configurations.
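As an added illustration of item #2 (this is example code written for this post's argument, not code from the UNC study or its framework), here is a simplified transform-based proactive password checker: it rejects a new password that is a primitive transform of any password in the user's history. The transform set (case change, affix added or removed, in-place digit change, leet substitution) and the sample history are constructed approximations of the study's idea, not its actual algorithm.

```python
import re
from typing import List, Optional, Tuple

# Undo the common character substitutions users make (p@ssw0rd -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def normalize(pw: str) -> str:
    """Canonical core of a password: lowercase, leet undone, trailing digits/symbols stripped."""
    core = pw.lower().translate(LEET)
    return re.sub(r"[^a-z]+$", "", core)


def is_trivial_transform(old: str, new: str) -> Optional[str]:
    """Name the primitive transform that maps old -> new, or None if there isn't one."""
    o, n = old.lower(), new.lower()
    if old == new:
        return "identical"
    if o == n:
        return "case change only"
    if n.startswith(o) or n.endswith(o):
        return "prefix/suffix appended"
    if o.startswith(n) or o.endswith(n):
        return "prefix/suffix removed"
    # Same length, letters untouched, only digits swapped in place (Summer2016 -> Summer2017).
    if len(o) == len(n) and all(a == b or (a.isdigit() and b.isdigit()) for a, b in zip(o, n)):
        return "digit changed in place"
    if normalize(old) and normalize(old) == normalize(new):
        return "leet/suffix variant of the same core"
    return None


def proactive_check(new: str, history: List[str]) -> Tuple[bool, str]:
    """Accept a new password only if it is not a primitive transform of any password
    in the user's history (oldest first, most recent last). Returns (accepted, reason)."""
    for old in reversed(history):
        hit = is_trivial_transform(old, new)
        if hit:
            return False, f"too similar to a previous password ({hit})"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample history for demonstration, not data from the UNC study.
    history = ["Summer2015!", "Summer2016!"]
    for candidate in ["Summer2017!", "summer2016!", "p@ssw0rd", "Tr0ub4dor&3"]:
        print(candidate, proactive_check(candidate, history))
```

The reason string is what item #3 is about: the checker can tell the user which transform it caught, rather than just "password rejected".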

I get, and appreciate, the challenges we all face in working with end-users. Unfortunately, that won't go away; as long as we are dependent on users, the problem will persist. But the fact that they will not take care of themselves doesn't mean that a control should be done away with altogether, especially in an age where there are billions of passwords, and the like, floating around the interwebs.

I don't believe the real problem is the practice of forcing password expirations; it's us. Why do people complain? Even those in tech / security? We're lazy, and security affects our convenience. That's the real problem, and something we should be focusing on: not how we do away with password expirations, but how we place emphasis on the password creation process and the technologies that support the authentication and authorization controls.

I fear the precedent that we will set by saying the password expiration practice is wrong and should be done away with.