Someone on Twitter got upset with me the other day. I know, it’s an unprecedented act yet here I was the target of someone who was vehemently disagreeing with a story I’d shared. The piece in question centred around Britain’s CESG (a government intelligence and security group) and in particular, their advice that regular password changes really isn’t such a good idea.
If you’ve ever worked in a corporate environment, you would have felt the burden of this archaic policy. Every three months you’d start to get warnings about your password approaching its expiry and that you really should get around to changing it. The rationale was that if bad actors had previously obtained the old one, changing it would render it useless. In pure technical terms, this is correct.
However, security controls are about so much more than just raw technology, particularly when you put us soft-matter humans in control of things. What the CESG is saying is that there’s a “usability cost” to doing this, namely that we need to get humans to do something which is actually extremely difficult: remember long, unique passwords. And just as they’re finally committing one to muscle memory, they need to go and change it and start all over again with a new one. Doesn’t matter whether the old one was compromised or not, go and change it “just in case”.
The rotating password approach ticks a compliance box. It’s an easily quantifiable, measurable and enforceable security control… and it’s an absolute usability nightmare. I know from my time in the enterprise that precisely what CESG warns about is common practice; new passwords will be written down, forgotten and at best, adapted ever so slightly from the old passwords. My 14 years in a mandated password rotation corporation would have seen me create 56 separate passwords for the one account and inevitably I took shortcuts when rotating them. And this is really the point – there are social aspects to passwords which are enormously important.
Back to the angry Twitterer, their point was that not rotating passwords exposes you to all sorts of risks, the very risks that lead to mandated rotation in the first place. But that position entirely neglects the behaviour of the humans who actually need to live with the decision and remain effective and secure doing their jobs. When you subject the password reset practice to what CESG refers to as “whole-system analysis”, their conclusion makes a lot of sense:
“the more often users are forced to change passwords, the greater the overall vulnerability to attack”
They go on to recommend that organisations no longer force regular password expiry. It doesn’t end there though; they talk about employing more intelligent system monitoring tools, which is good sense regardless of the whole password debate. Either way, this is both a significant and important set of guidance to come from a body such as CESG and it demonstrates how security is frequently about much more than just the technical controls.