What is your password policy and is it effective?

Frequent password changes are something many organisations advocate and actively enforce, by expiring passwords so that they have to be replaced.

We are helping a client obtain Cyber Essentials Certification and have been looking at the National Cyber Security Centre (NCSC) website, which has a different viewpoint on passwords.

Forced password changes are intended to limit the harm done by an attacker who already knows a user’s password. The obvious remedy is to make the compromised password useless by forcing the legitimate user to replace it with a new one that the attacker doesn’t know. This reasoning seems straightforward enough.

The problem is that requiring passwords to be changed frequently doesn’t take into account the inconvenience of changing passwords. Password policies frequently require us to use passwords that we find hard to remember. Our passwords have to be as long as possible and as ‘random’ as possible. And while we can manage this for a handful of passwords, we can’t do this for the number of passwords that are required to manage our online activity.

When we are forced to change passwords frequently, the chances are that the new password will be a small variation on the old one (a trailing number incremented, a season or year updated), and an attacker who knows the old password can exploit this by guessing the variation.

If the new password is also in use elsewhere, a breach of that other service exposes it too. A new password is more likely to be written down to help remember it, which is another vulnerability. New passwords are also more likely to be forgotten, which carries the productivity cost of users being locked out of their accounts and service desks having to reset passwords.

It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.

The NCSC now recommend that organisations do not force regular password expiry. They believe this removes the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password if they have the old one, and users forced to change yet another password will often choose a ‘weaker’ one that they won’t forget.
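To make the “attackers can often work out the new password” point concrete, here is an added example (not code from the original post or from the NCSC) that shows both sides: a small set of mutations an attacker would try on a known old password, and a similarity check a password-change handler could run to reject the result. The mutation rules (bump a trailing number, append a digit, flip case) and the edit-distance threshold are assumed heuristics about common user behaviour, not a published rule set.

```python
"""Why a 'similar' new password helps an attacker, and how to spot one.

Added example, not code from the original post or from the NCSC. The
mutation rules (bump a trailing number, append a digit, flip case) and the
edit-distance threshold are assumed heuristics about common user behaviour.
"""
import re

# Matches "<stem><trailing digits><trailing punctuation>", e.g. Summer2019!
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)([^\w]*)$")


def guess_next(old: str, limit: int = 5) -> list[str]:
    """Attacker's view: likely next passwords given a known old one.

    Bumps a trailing number (Summer2019! -> Summer2020!) or appends a digit
    if there is none (Tuesday -> Tuesday1), then adds case flips.
    Assumed heuristics, not an exhaustive mutation list.
    """
    candidates = []
    m = _TRAILING_NUMBER.match(old)
    if m:
        stem_part, digits, tail = m.groups()
        for step in range(1, limit + 1):
            bumped = str(int(digits) + step).zfill(len(digits))
            candidates.append(f"{stem_part}{bumped}{tail}")
    else:
        candidates.extend(f"{old}{d}" for d in range(1, limit + 1))
    # Case changes are another common 'change' that keeps the password memorable.
    candidates.append(old.swapcase())
    candidates.append(old[:1].swapcase() + old[1:])
    return candidates


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Strip trailing digits/punctuation and lower-case: 'Summer2019!' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def too_similar(old: str, new: str, max_edits: int = 2) -> bool:
    """Defender's view: reject a new password an attacker could derive from the old.

    True if the two share a stem, if the new one is a predicted mutation,
    or if they are within max_edits of each other (case-insensitively).
    """
    if new.lower() == old.lower():
        return True
    if stem(old) and stem(old) == stem(new):
        return True
    if new.lower() in {c.lower() for c in guess_next(old)}:
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    old = "Summer2019!"
    print("attacker guesses:", guess_next(old))
    for new in ("Summer2020!", "summer2019!!", "correct horse battery staple"):
        print(f"{new!r}: {'rejected' if too_similar(old, new) else 'accepted'}")
```

Note that `too_similar` needs the old password in clear text at the moment of change, which is only available because the user has just authenticated with it; it cannot be run retrospectively against stored hashes, which is one more reason the check is a poor substitute for simply not forcing the change.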

The NCSC are suggesting that organisations think about alternative, more effective system defences that detect and prevent unauthorised account use. For instance, showing users details of their last login and any failed login attempts since then, so they can see whether they were responsible for those attempts. If they were not, it may be a sign that someone has tried to access their account, and users should be able to report this easily for investigation. Initiatives such as this are far more likely to help keep systems safe, and are much more manageable for the user.
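As an added example of the “last login” idea (not code from the original post or any NCSC tool), the following script parses OpenSSH-style authentication log lines and works out, for a given user, their previous successful login and the failed attempts that happened between it and the current one, which is exactly the banner a login shell or portal would display. The log lines are constructed for the example, and the file is assumed to be in chronological order (syslog timestamps carry no year, so file order is used rather than parsed dates).

```python
"""Show a user their previous login and any failed attempts since it.

Added example, not code from the original post or an NCSC tool. It parses
OpenSSH-style syslog lines; the sample lines below are constructed, not real,
and the file is assumed to be in chronological order.
"""
import re
from typing import NamedTuple

# Constructed sample log: alice's account is probed from 198.51.100.7 between
# her two legitimate logins from 10.0.0.5; bob logs in once; 'admin' is only probed.
SAMPLE_LOG = """\
Mar 10 08:01:12 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar 10 08:30:44 host sshd[1290]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Mar 10 08:30:49 host sshd[1290]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Mar 10 08:31:02 host sshd[1290]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Mar 10 09:02:15 host sshd[1333]: Accepted publickey for bob from 10.0.0.9 port 50310 ssh2
Mar 10 09:15:00 host sshd[1340]: Failed password for invalid user admin from 203.0.113.4 port 41000 ssh2
Mar 11 07:55:31 host sshd[1402]: Accepted password for alice from 10.0.0.5 port 50140 ssh2
"""

_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


class Event(NamedTuple):
    ts: str
    ok: bool
    user: str
    src: str


def parse(log_text: str) -> list[Event]:
    """Turn sshd auth lines into Events; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            events.append(Event(m["ts"], m["result"] == "Accepted", m["user"], m["src"]))
    return events


def login_notice(log_text: str, user: str) -> dict:
    """What to show `user` at their latest login.

    Reports the previous successful login and the failed attempts that fell
    between it and the latest one. With no successful login at all, every
    failure on record counts.
    """
    events = [e for e in parse(log_text) if e.user == user]
    successes = [i for i, e in enumerate(events) if e.ok]
    latest = successes[-1] if successes else None
    previous = successes[-2] if len(successes) >= 2 else None
    start = previous + 1 if previous is not None else 0
    end = latest if latest is not None else len(events)
    failures = [e for e in events[start:end] if not e.ok]
    return {
        "user": user,
        "previous_login": (events[previous].ts, events[previous].src) if previous is not None else None,
        "failed_since": len(failures),
        "failed_sources": sorted({f.src for f in failures}),
    }


def render(notice: dict) -> str:
    """Human-readable banner, the kind a login shell or portal could display."""
    prev = notice["previous_login"]
    first = f"Last login: {prev[0]} from {prev[1]}" if prev else "No previous login on record"
    if notice["failed_since"]:
        srcs = ", ".join(notice["failed_sources"])
        return f"{first}. {notice['failed_since']} failed attempt(s) since then from {srcs}. Not you? Report it."
    return f"{first}. No failed attempts since then."


if __name__ == "__main__":
    for u in ("alice", "bob", "admin"):
        print(u + ":", render(login_notice(SAMPLE_LOG, u)))
```

Running it prints, for alice, her 10 March login from 10.0.0.5 followed by three failed attempts from 198.51.100.7, which is precisely the information she needs in order to say “that wasn’t me” and raise a report; the source addresses are kept separate so the service desk can tell a user’s own typo from an outside probe.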

Does this make you reconsider your password policy?