Managing Network Security
Change Your Password Do Si Do
Introduction:
When I write an audit report, I generally want a basis against which
to make judgements. I sometimes use well-established standards such as the
GASSP or BS7799 and I sometimes like to call my conclusions "opinions
based on experience and data in comparable industries" or some such
thing, but most of the time, I prefer a more scientific basis.
For many years I have been seeking a scientific basis for the well-worn
policy of changing passwords on a regular basis. Recently, I have come to
believe that, except in some special cases, this is not a beneficial activity
for information security and that it is devoid of a scientific basis.
Now I know that this goes against many of the standards we have seen
published and that it may even be counter to much of the training many of
us have received, but I hope to present a convincing viewpoint in this article.
As always, I welcome counterpoint.
Do Si Do:
In a square dance, you expect to have the caller occasionally call out
"change your partner", and as a dutiful dancer, you change partners.
This typically happens 4 times in a dance or some multiple of 4 times
with the end result of getting your partner back at the end of the
dance. The objective is to have fun and meet new people or something
like that. So if the goal is to have variety, changing partners or
passwords is probably a fine idea. But what if the goal is to improve
the effectiveness of password-based protection? Is it beneficial to change
passwords more often or not?
In order to answer this question, we have to look at a lot of other issues,
so I will start with the usual reasons, presenting a reason and a counterpoint
at a time:
- In the limit, if we change passwords on each use, someone watching
sessions cannot reuse an old password. It's very true, but if
we change every other use, watching us type a password once grants access
to the attacker who can then plant a Trojan Horse in our system for unlimited
reentry. We may detect the failure on the next try, but more likely, we
will simply go onto the next password figuring we made a typo. My point
is that, just because there is a feature "in the limit", doesn't
mean that coming closer to the limit without reaching it is actually an
advantage.
- Changing passwords periodically limits the amount of time that an
attacker can access an account if they have guessed a password. True
again, but again not very important. Gaining access one time is enough
for most competent attackers to plant Trojan horses to allow for reentry.
For the vast majority of real computer systems, a single entry is all that
is needed and changing passwords periodically does nothing to protect against
this. Allowing entry for only a few days is almost certainly enough for
most attackers to gain most of what they want to accomplish.
- Changing passwords periodically makes password guessing harder.
Sorry, but I have to part ways with this point. In fact, for reasonably
hard to guess passwords, there is no substantial advantage in terms of
the time required to make a successful guess provided by periodic changes.
This is true until the number of passwords that can be guessed between
changes becomes a significant portion of the total password space. As an
example, if I use 8 symbol passwords generated randomly from a space of
100 possible choices per symbol, the number of passwords possible is 10^16.
On my PPro 200 personal computer, my simple password-guessing program can
exhaust all 3-symbol passwords in about 3 minutes. This means that it would
take about 5 hours for all 4-symbol passwords, 16 days for all 5-symbol
passwords, more than 4 years for all 6-symbol passwords, 400 years for
all 7-symbol passwords, and 40,000 years for all 8-symbol passwords. Even
if we set 1000 computers working on the problem 24 hours a day, 7 days
a week, it would still take 40 years to try all passwords. Even at this
blistering pace, after a full year of guessing, the chances of entry would
only be 2.5% higher than they were on the first guess. With this amount
of resource applied to attacking a computer system, password guessing seems
like a feeble way to go about it.
- An insider with special knowledge about a person might be able to
guess enough passwords to break into their account if the password weren't
changed often. It turns out that all of the factual information that
you could gather to help you break into a person's computer account
could be guessed in short order. Let's say we can gather a list of
10,000 facts that could be combined in 100 different ways per fact to generate
guesses at passwords. That comes to 1 million guesses, about the
same number of guesses required to try all 3-symbol passwords in the example
above. So unless they change passwords every 3 minutes, we will be able
to try all of these guesses before the password changes.
- If people use poor passwords, changing them more often may have
a greater impact on the guessing issue. Of course this is true, but
it is not so much a matter of changing passwords more often as it is a
matter of choosing hard-to-guess passwords in the first place. It turns
out that the time required to guess a password is very sensitive to
the quality of that password. This then also means that easily guessed passwords tend
to be very easy to guess. In many experiments, it has commonly been found
that a password is either revealed very quickly by guessing or only revealed
through search times probabilistically in line with the likelihood of exhausting
the search space. In other words, almost all easily guessed passwords are
guessed by automated password guessing programs in the first few minutes.
On a typical system, more passwords are found over the first three minutes
than over the next thousand hours. So poor passwords are found too soon
to make periodic password changing effective, while other passwords are
typically not found for time periods far in excess of the typical password
changing times.
- Changing passwords is like changing cryptographic keys, and we must
change cryptographic keys often according to cryptographic experts. While
the latter part of that statement is correct (the need to change crypto-keys),
the former part is not normally right. The reason we change cryptographic
keys fairly often is that the workload to find the key given a substantial
volume of cyphertext (the information encrypted by that key) goes down
as we use the key for more information. It is assumed that the attacker
is watching all transactions. In the case of passwords, if the attacker
watches even one transaction, the key is instantly revealed because it
is sent in plaintext. Thus the valid reason for cryptography is not valid
for passwords.
So, at least based on these points, I conclude that the case for changing
passwords periodically is a weak one except in special cases that
I will discuss later.
Benefits of not changing passwords:
I am generally an easy-going sort of person and, if there were no negatives
associated with periodic password changing, I would probably just let it
ride. I might write reports that said "while there is no published
basis for this activity, it is generally believed to be useful and is not
known to be harmful" or some such thing. Unfortunately, I have been
forced to change passwords more than once in my career, last week
in fact, and so I have come to find that there are indeed negatives
associated with the activity. They are not world-shaking, but here are some
of them nonetheless:
- My memory is getting worse: When I was young, I could remember
an astounding number of seemingly random things - like my Tops-10 group
and user account numbers and BW0J's account name. But nowadays every
time I have to remember something new, it seems like I have to forget something
else in order to make room. I also find it hard to forget my old passwords
once I go to the trouble of remembering them. I seem to recall j9wx8&g$
from more than 20 years ago. The last thing I want in my old age is to
recall 50 years of new passwords changed every month because of some regulation.
- Many people write the changes down until they remember them: If
you have enough passwords to remember, chances are good that you have written
some of them down somewhere at some time. Most people have to write down
a new password in order to remember it. The more often we change them,
the larger portion of the time we have them written down somewhere.
- They have to be redistributed: I know there is probably a regulation
against it, but I use the same password on a lot of my computer systems.
I know if someone gets into one, they can get into the rest,
but since they are physically isolated it takes more than just a password
to get into them. Maybe more importantly, I can get into all of them without
having to remember hundreds of random numbers or write them all down. Whenever
I change one of my passwords, I have to change scores of them. In one case,
I have a network of 50 computers that I manage. If you make me change all
of those passwords once a month, I'm not likely to want to manage
the network for very long. I know there are other ways, but you get my
point.
- It takes time and overhead: It turns out that there is a real
cost in time and overhead with creating such rules and enforcing them.
Unless the benefit outweighs the cost, it's not a very good investment.
- Denial of service and service calls increase: While your company
probably has extra people working the help desk at all hours just waiting
to take calls, you may be surprised to know that my company doesn't.
We prefer to minimize the time and effort wasted on such things by designing
our operations so as to prevent such calls whenever possible. Every time
you mandate a password change, you are asking for service calls. Many service
organizations I talk to identify password resetting as a major item that
consumes their time. Can there be any doubt that this increases with the
frequency of password changes?
- Once I find a good one I want to keep it: If you ever managed
to memorize S*7y&p[+1M, and got to the point where you could
type it quickly and easily whenever you had to, it would probably be a
pretty good password (although this particular one is now tainted by its
widespread publication). It would probably take you quite a bit of effort
to get to that point and it seems like a real pity to have to waste all
that time and effort again without a good reason. When I have to keep putting
in new passwords, I tend to make them easier to guess each time because
it's not worth the effort to remember a really good password if you
just have to go and change it again a month or six later.
- Many people get a false sense of security: In a lot of cases,
users come to believe that they are better protected because they change
passwords more often. They figure that they are doing their part
and often that this fulfills their responsibility to this issue.
We in information protection have so little in the way of resources that
it seems a terrible waste to do anything like this unless there is a good
reason. Given the option, I would certainly select some other "one
thing" to have every employee do on a regular basis. Perhaps backing
up their systems should have a higher priority?
There are, no doubt, many other reasons for not changing passwords on
a regular basis, but they are basically all related to the inconvenience
of doing it and the reduction in protection resulting from it.
Special Cases:
As I commented earlier, there are some special cases when changing passwords,
periodically in some cases, is a very good idea. Here are some selections:
- The password controls a cryptographic communications system: As
was briefly discussed earlier, cryptographic keys must be changed periodically
if things they encrypt can be intercepted by hostile forces and if time
constraints on attacks against keying material are appropriate. This is
not the place to go into full detail, but if you want to know more, look
into cryptographic key management protocols.
- You suspect someone broke in: If you think someone might be
accessing your system illegally, it certainly might be a good idea to change
passwords for all users. It would also be prudent to take additional steps
to assure that system corruption hasn't resulted in reentry paths
for the attacker, secure evidence for possible legal actions, and so on.
- A password is shared: While password sharing is generally to
be discouraged, there are times when it happens. In these cases, it is
important to change the shared passwords every time anyone is removed from
the shared access. Similarly, if enough people share an account, changing
passwords periodically may be a wise step in providing assurance that users
that no longer need to have access do not have such access. Since such
systems normally operate by giving the new password to people only when
they ask, those who are no longer using these systems end up without the
password after a time.
- The enemy has a known capability and you have a known limitation:
If you do an analysis and find that an enemy can break some protective
barrier through password guessing in a given amount of time, and if you
cannot increase this time by normal internal actions, you might decide
to change passwords frequently. (e.g., a firewall allows a maximum of 6 characters
in a password and they are all forced to be upper case letters or digits,
leading to only 36^6 possible passwords; 1,000 guesses per
second are possible and no other protection can be put in place, leading
to only 20 days to try all passwords. You might decide to change passwords
every 8 hours so as to limit the length of access in a takeover and to
prevent exhaustive search from guaranteeing entry in a short time.)
- Passwords are stored and used online: In cases where passwords
to systems are stored online for automated remote access and the operating
environments are not well-protected, it may be prudent to change passwords
to critical accounts often so as to force users to type them manually or
to prevent break-ins to machines from granting access to accounts on other
machines. This is common in Internet access today. This is particularly
helpful if it is expected to take a substantial amount of time for attackers
to locate and exploit these passwords after entry.
- Some other reason to make the change one-time: It might be valuable
to change passwords of critical systems in conjunction with the movement
of backup information to other sites. For example, when disposing of a
machine that was not properly cleaned before disposal, or when backups are
moved to off-site locations after a substantial delay, changing passwords
protects against exploitation of stored passwords residing on released
media.
While I am sure there are many other circumstances where it is prudent
to change passwords periodically, it is not a "no-brainer". In
order to establish that such a circumstance really exists, it is necessary
to associate a credible and substantial risk (something resulting from a
cause, a mechanism, and their impact) and demonstrate that periodically
changing passwords substantially mitigates that risk.
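The estimates above (the 8-symbol space exhausted in tens of thousands of years, the 36^6 firewall space exhausted in days, and the observation that poor passwords fall in the first few minutes while good ones are not found within any realistic change interval) all come down to the same arithmetic. The following is an added example, not the author's password-guessing program or any tool from the article: it derives a guess rate from the article's own "3-symbol passwords in about 3 minutes" benchmark, computes the attacker's chance of success within one rotation interval, and models the "found quickly or not for ages" effect with a constructed population in which 20% of users pick something on a million-entry weak list. The weak-list size, the 20% figure, and the 1% "significant portion of the space" threshold are assumptions of the example, and the computed durations differ slightly from the article's rounded figures because they are taken straight from the benchmark rather than rounded at each step.

```python
"""Guessing-time arithmetic behind the password-rotation argument.

Added example, not code from the article. Rates and population figures are
either taken from the article's own scenarios or constructed, as noted.
"""

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def guess_rate_from_benchmark(alphabet_size, length, seconds_to_exhaust_space):
    """Guesses per second implied by a benchmark such as the article's
    "all 3-symbol passwords from 100 symbols in about 3 minutes"."""
    return alphabet_size ** length / seconds_to_exhaust_space


def seconds_to_exhaust(alphabet_size, length, rate, machines=1):
    """Wall-clock seconds to try every password of the given shape."""
    return alphabet_size ** length / (rate * machines)


def success_probability(alphabet_size, length, rate, seconds, machines=1):
    """Probability that exhaustive search finds one uniformly random password
    within `seconds`. When the password is changed every `seconds`, this is
    the attacker's chance per rotation interval."""
    return min(1.0, rate * machines * seconds / alphabet_size ** length)


def rotation_assessment(alphabet_size, length, rate, rotation_seconds,
                        machines=1, significant=0.01):
    """The article's test: periodic change only matters against guessing when
    the guesses possible between changes are a significant portion of the
    space. `significant` (1% here) is an assumed threshold, not the article's."""
    p = success_probability(alphabet_size, length, rate, rotation_seconds, machines)
    exhaust = seconds_to_exhaust(alphabet_size, length, rate, machines)
    return {
        "per_interval_probability": p,
        "rotations_per_exhaustive_search": exhaust / rotation_seconds,
        # If p is negligible, shortening the interval changes nothing the attacker cares about.
        "rotation_matters": p >= significant,
    }


def fraction_found(seconds, rate, weak_fraction, weak_list_size, alphabet_size, length):
    """Constructed model of "found in minutes or not for ages": the guesser tries
    a list of `weak_list_size` common passwords first, then falls back to
    exhaustive search. A `weak_fraction` of users picked something on that list
    (uniformly placed); the rest picked uniformly from the full space. Returns
    the expected fraction of the population whose password is found by `seconds`."""
    guesses = rate * seconds
    weak_found = min(1.0, guesses / weak_list_size)
    leftover = max(0.0, guesses - weak_list_size)
    strong_found = min(1.0, leftover / alphabet_size ** length)
    return weak_fraction * weak_found + (1.0 - weak_fraction) * strong_found


if __name__ == "__main__":
    # Article scenario: 100 symbols per position, 3-symbol space done in 3 minutes.
    rate = guess_rate_from_benchmark(100, 3, 3 * 60)
    for n in range(4, 9):
        years = seconds_to_exhaust(100, n, rate) / SECONDS_PER_YEAR
        print(f"{n}-symbol passwords: {years:.3g} years on one machine")
    print("8-symbol space, 1000 machines, one year:",
          success_probability(100, 8, rate, SECONDS_PER_YEAR, machines=1000))
    # Article's firewall case: 36 symbols, 6 characters, 1,000 guesses/s, 8-hour changes.
    print("firewall, 8-hour rotation:", rotation_assessment(36, 6, 1000, 8 * SECONDS_PER_HOUR))
    # Typical 30-day change against the 8-symbol space: the interval is irrelevant.
    print("8-symbol, 30-day rotation:", rotation_assessment(100, 8, rate, 30 * SECONDS_PER_DAY))
    # Constructed population: 20% of users on a million-entry weak list.
    for label, t in (("3 minutes", 180), ("1000 hours", 1000 * SECONDS_PER_HOUR)):
        print(f"fraction found after {label}:",
              fraction_found(t, rate, 0.2, 1_000_000, 100, 8))
```

Running the module prints the per-length exhaustion times, the per-interval chance for the two rotation policies, and the population model, which shows the whole weak 20% found inside the first three minutes and only a few parts per million more over the following thousand hours. The `rotation_assessment` verdict is the figure an audit would actually want: for the firewall case an 8-hour change caps each interval at about a 1.3% chance of exhaustive success, while a 30-day change against the 8-symbol space caps nothing that was not already negligible.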
Conclusions:
Don't believe everything you hear or read in an article, a checklist,
or even a standard. In this case, it looks like a lot of people have missed
the mark.
But I could be wrong and you could prove it to me. In the beginning,
this was a search for a reasonable basis for making audit recommendations
regarding password changing frequency and it still is. Right now,
unless there is a special circumstance, changing them even once in a while
seems to me like a poor idea.
About the Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National
Laboratories and the Managing Director of Fred Cohen & Associates. His
team combines business and technical expertise to help make information
technology work better.