Password expiration policies have become a controversial issue of late. One of our clients is currently being audited for SOX compliance and we were asked to justify our policy of not enforcing password expiration. Here's the justification for our approach.
The notion of regularly changing passwords was introduced in the 1970’s by the United States Department of Defence (DoD). The idea was to make passwords expire before their mainframes could crack the hashes. This then got incorporated into a bunch of compliance regulations including ISO27K2, PCI-DSS, and Hitrust which in turn meant that the DoD policy was propagated to environments it was not meant to address. Password expiration policies then became mainstream for 4 decades. In all this time, nobody actually proved the extent of protection offered by a password expiration policy. It was just accepted without careful consideration. The result is a stale policy that is no longer effective and actually dangerous. A “best practice” based on experience 40 years ago with non-networked mainframes in a DoD environment is hardly a match for today’s systems, especially with the advent of the Internet!
In 2010, researchers from the University of North Carolina obtained the cryptographic hashes to 10,000 expired accounts that once belonged to university employees/students who had been required to change their passwords every 3 months. The data included all passwords that had been changed over time. By studying the data, the researchers identified common techniques people used when they were required to change passwords. The researchers found that most people simply took their old passwords and changed it in some small way to some up with a new password. These small changes are known as transformations.
The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.
A separate study from researchers at Carleton University provided a mathematical demonstration that frequent password changes hamper attackers only minimally and not enough to offset the inconvenience to end users.
Based on the above research, the US National Institute of Standards and Technology (NIST) and the UK National Cyber Security Centre (NCSC) both concluded that mandated password changes are ineffective and counterproductive. In 2016 their latest guidelines recommended that password expiration be eliminated. Microsoft also made the same recommendation in 2014.