Thinking Through The Password Expiration Discussion

The most intriguing debate to come out of last weeks security conferences in Vegas stems from a presentation by FTC Chief Technologist Lorrie Cranor at PasswordsCon 2016, part of the BSides security conference in Las Vegas. Dan Gooding, with ARS Technica, summarized the discussion well; the gist of the presentation seems to question why we should change passwords at some frequency, or aims to challenge the old model of forcing password expirations in systems. We’ve had others in the community like Bruce Schneier agree and Troy Hunt implies agreement in his tweet. In my mind though, I struggle with the idea that it’s in some way bad or ill-advised and that it’s time to do away with it.

The debate seemed to start when Cranor was faced with the need to change her government passwords every six months (across 6 accounts), being a former defense contractor I can definitely appreciate the feeling.

The general message seems to be:

Cranor eventually approached the chief information officer and the chief information security officer for the FTC and told them what a growing number of security experts have come to believe. Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking.

Transformative-Based Algorimithic Framework

The basis of the argument stems from a 2010 study by University of North Carolina at Chapel Hill in which they analyzed user accounts to see how users replace / reuse / recreate  passwords when promoted to change them. They created a model / framework to ascertain new passwords from old ones. The UNC report aims to debunk the draconian school of thought around changing passwords (forcing password expirations).

The study was based on known passwords that they derived from a 51k unsalted hash sampling, from which they were able to crack 7,752 passwords. They used the 7.7k sampling to perform their analysis. From this, they found that 41% of the known passwords (7.7k) could be cracked using their algorithm in off-line mode, and 13% of accounts could be broken in 5 guesses when on-line mode (18% in 10 guesses). Personally, I find this interesting for a number of reasons which will make up a post in it of itself later, but consider the existing governance we currently put in place from an IDS/IPS perspective and what we can do to improve, specifically in an online mode.

To achieve this they built a transform-based algorithmic framework that can be employed to essentially guess and break future passwords:

Transform-based algorithms build from the presumption that a typical user will generate her next password by making systematic modifications to her current one (i.e., by applying primitive transforms).

While I enjoyed the read, it begs the question, If we have this new transform-based algorithm to break recreated passwords, why not use it to help in the password recreation process? That seems to be the real debate, or questions we should be asking, how do we deal with the end-user?

It is possible that some will view our study as motivation to employ transform-based proactive password checking for new passwords as they are chosen, and indeed our transform-based algorithm could be used to implement such a proactive password checker. – UNC Study

They themselves present it as an option, but encourage the reader not to use it because it might be too hard to explain to the end-user:

It would not be straightforward to explain to a user the new passwords she must avoid (or why her chosen password is unacceptable), thereby compounding the already considerable frustration that users already experience due to password expiration (e.g., [1, 17]). – UNC Study

That’s a weak argument in my opinion. If we can improve our technology to better account for the inherent weaknesses of depending on end-users, then we definitely should. What I take from this qualification is, “End-users are too stupid to get it.” Is that really the right message?

The Case for Password Expirations

I think the study is spot on, hiighlighting what I think many of us already know. End-users will do little to help themselves, when face to face with security and convenience, convenience will always win. Don’t think anyone would say that’s a new development, but it is definitely great to see objective data to support the theory.

This lends credibility to the intuition that laziness in initial password selection is correlated with laziness in selecting a new password after expiration. – UNC Study

Where I think it falls flat however, is debunking the practice of forcing password expirations.

We believe our study calls into question the continued use of expiration and, in the longer term, provides one more piece of evidence to facilitate a move away from passwords altogether.

What I think the study does highlight is what we all already know, never trust the enduser to be mindful enough to take care of themselves. And we should be using this study to figure out ways to improve the processes and governance in place.

For example some things that could complement password expirations policies could include:

  1. Integration of random password generation and management (via Password Managers / Generators) into our education and awareness programs;
  2. Integration of tranformative-based algorithms to improve the password recreation process;
  3. Improvement of the messaging to the endusers to help alleviate the strains introduced by #2;
  4. More discussion and governance around the use of multi-factor based solutions to augment our access controls;
  5. More discussion on the implementation of deny-all by default type configurations;

I get, and appreciate, the challenges we all face with working with end-users. Unfortunately, that won’t go away, as long as we are dependent on users the problem will persist. But because they will not take care of themselves, doesn’t mean that something should be done away with all together. Especially in an age where there are billions of passwords, and the sort, floating the interwebs.

I don’t believe the real problem is the practice of forcing password expirations; it’s us. Why do people complain? Even those in tech / security? We’re lazy and security affects our  convenience. That’s the real problem, and something we should be focusing on. Not how we do away with the password expirations, but how we place emphasis on the password creation process and the technologies that support the authentication and authorization controls.

I fear the precedent that we will set by saying the password expiration practice is wrong and should be done away with.


  1. Bianca Wirth on August 9, 2016 at 4:01 pm

    Hi Tony,
    I agree with your interpretation above. I just started running a cyber sec education program and my (obvious) position is to educate is better than to not change passwords at all, and we are focusing on #1 above initially – workplace and home password manager implementation for all staff. I want to emphasize the ‘home’ part is important here – to be useful, password managers need to be accessible/synced across *all* devices otherwise it becomes too painful to try to enter long, randomly generated passwords while typing into one device and looking at another computer screen for the password itself.
    I think it is also important to point out that without a password management tool, end users not only use weak passwords, they re-use the same passwords over and over again (often with quite guessable basic variations), and across multiple sites and applications. So not changing a password and allowing people to habitually re-use basic password variations is simply opening up a hacker’s possibilities e.g. ‘I’ve gotten access to your home network so now all I need to do is try the same password or a simple variation for your company VPN’.

    • Adam on October 12, 2016 at 6:56 am

      I completely agree with Bianca. There are so many issues
      with user’s password management. One of the biggest I’ve come across lately is
      having users sign into social media using their work credentials (mainly
      talking about LinkedIn here). Education is definitely a good route to take, but
      how do we get an effective message across? How, as IT professionals, can we
      make sure users are working safely while working effectively?

      I recently took a workshop
      in business architecture, which included a section on how to effectively
      communicate with team members on risks of new technology. Maybe we need better
      lines of communication with users as the solution? And maybe
      business architecture
      can help us communicate to users why they
      benefit from following the IT guy’s advice?

      Thanks for the post!

    • Tony Perez on October 12, 2016 at 11:22 am

      Hi @biancawirth:disqus

      Sorry for the delay, missed your comment. I agree though with all your points.

      The most frustrating thing I come across is when systems forgo support for password managers, but stick to stringent password creation processes. While I applaud the effort, they fail to see the adverse affect they are having on the consumer themselves.

      The biggest challenge I find myself struggling with on the “education” front is how to do it at a pace that can keep up with the growth of systems. It feels as they are growing at such an incredible clip that it’s impossible to educate fast enough.

      Thanks for stopping by …



Leave a Comment