Managing Network Security
Change Your Password - Do Si Do
Introduction:
When I write an audit report, I generally want a basis against which
to make judgements. I sometimes use well-established standards such as the
GASSP or BS7799 and I sometimes like to call my conclusions "opinions
based on experience and data in comparable industries" or some such
thing, but most of the time, I prefer a more scientific basis.
For many years I have been seeking a scientific basis for the well-worn
policy of changing passwords on a regular basis. Recently, I have come to
believe that, except in some special cases, this is not a beneficial activity
for information security and that it is devoid of a scientific basis.
Now I know that this goes against many of the standards we have seen
published and that it may even be counter to much of the training many of
us have received, but I hope to present a convincing viewpoint in this article.
As always, I welcome counterpoint.
Do Si Do:
In a square dance, you expect to have the caller occasionally call out
"change your partner", and as a dutiful dancer, you change partners.
This typically happens 4 times in a dance - or some multiple of 4 times
- with the end result of getting your partner back at the end of the
dance. The objective is to have fun and meet new people - or something
like that. So if the goal is to have variety, changing partners - or
passwords - is probably a fine idea. But what if the goal is to improve
the effectiveness of password-based protection? Is it beneficial to change
passwords more often or not?
In order to answer this question, we have to look at a lot of other issues,
so I will start with the usual reasons, presenting a reason and a counterpoint
at a time:

- In the limit, if we change passwords on each use, someone watching
  sessions cannot reuse an old password. It's very true, but if
  we change every other use, watching us type a password once grants access
  to the attacker, who can then plant a Trojan Horse in our system for unlimited
  reentry. We may detect the failure on the next try, but more likely we
  will simply go on to the next password, figuring we made a typo. My point
  is that, just because there is a feature "in the limit", it doesn't
  mean that coming closer to the limit without reaching it is actually an
  advantage.

- Changing passwords periodically limits the amount of time that an
  attacker can access an account if they have guessed a password. True
  again, but again not very important. Gaining access one time is enough
  for most competent attackers to plant Trojan horses to allow for reentry.
  For the vast majority of real computer systems, a single entry is all that
  is needed, and changing passwords periodically does nothing to protect against
  this. Allowing entry for only a few days is almost certainly enough for
  most attackers to gain most of what they want to accomplish.

- Changing passwords periodically makes password guessing harder.
  Sorry, but I have to part ways with this point. In fact, for reasonably
  hard-to-guess passwords, periodic changes provide no substantial advantage
  in terms of the time required to make a successful guess.
  This is true until the number of passwords that can be guessed between
  changes becomes a significant portion of the total password space. As an
  example, if I use 8-symbol passwords generated randomly from a space of
  100 possible choices per symbol, the number of possible passwords is 10^16.
  On my PPro 200 personal computer, my simple password-guessing program can
  exhaust all 3-symbol passwords in about 3 minutes. This means that it would
  take about 5 hours for all 4-symbol passwords, 16 days for all 5-symbol
  passwords, more than 4 years for all 6-symbol passwords, 400 years for
  all 7-symbol passwords, and 40,000 years for all 8-symbol passwords. Even
  if we set 1000 computers working on the problem 24 hours a day, 7 days
  a week, it would still take 40 years to try all passwords. Even at this
  blistering pace, after a full year of guessing, the chances of entry would
  only be 2.5% higher than they were on the first guess. With this amount
  of resource applied to attacking a computer system, password guessing seems
  like a feeble way to go about it.

- An insider with special knowledge about a person might be able to
  guess enough passwords to break into their account if the password weren't
  changed often. It turns out that all of the factual information that
  you could gather to help you break into a person's computer account
  could be guessed in short order. Let's say we can gather a list of
  10,000 facts that could be combined in 100 different ways per fact to generate
  guesses at passwords. That comes to 1 million guesses - about the
  same number of guesses required to try all 3-symbol passwords in the example
  above. So unless they change passwords every 3 minutes, we will be able
  to try all of these guesses before the password changes.

- If people use poor passwords, changing them more often may have
  a greater impact on the guessing issue. Of course this is true, but
  it is not so much a matter of changing passwords more often as it is a
  matter of choosing hard-to-guess passwords in the first place. It turns
  out that the time to guess a password is very sensitive to password quality.
  This then also means that easily guessed passwords tend
  to be very easy to guess. In many experiments, it has commonly been found
  that a password is either revealed very quickly by guessing or only revealed
  after search times probabilistically in line with the likelihood of exhausting
  the search space. In other words, almost all easily guessed passwords are
  guessed by automated password guessing programs in the first few minutes.
  On a typical system, more passwords are found over the first three minutes
  than over the next thousand hours. So poor passwords are found too soon
  for periodic password changing to be effective, while other passwords are
  typically not found for time periods far in excess of the typical password
  changing times.

- Changing passwords is like changing cryptographic keys, and we must
  change cryptographic keys often according to cryptographic experts. While
  the latter part of that statement is correct (the need to change crypto keys),
  the former part is not normally right. The reason we change cryptographic
  keys fairly often is that the workload to find the key given a substantial
  volume of ciphertext (the information encrypted by that key) goes down
  as we use the key for more information. It is assumed that the attacker
  is watching all transactions. In the case of passwords, if the attacker
  watches even one transaction, the key is instantly revealed because it
  is sent in plaintext. Thus the valid reason for cryptography is not valid
  for passwords.

So, at least based on these points, I conclude that the case for changing
passwords periodically is a weak one - except in special cases that
I will discuss later.
Benefits of not changing passwords:
I am generally an easy-going sort of person and, if there were no negatives
associated with periodic password changing, I would probably just let it
ride. I might write reports that said "while there is no published
basis for this activity, it is generally believed to be useful and is not
known to be harmful" or some such thing. Unfortunately, I have been
forced to change passwords more than once in my career - last week
in fact - and so I have come to find that there are indeed negatives
associated with the activity. They are not world-shaking, but here are some
of them nonetheless:

- My memory is getting worse: When I was young, I could remember
  an astounding number of seemingly random things - like my Tops-10 group
  and user account numbers and BW0J's account name. But nowadays every
  time I have to remember something new, it seems like I have to forget something
  else in order to make room. I also find it hard to forget my old passwords
  once I go to the trouble of remembering them. I seem to recall j9wx8&g$
  from more than 20 years ago. The last thing I want in my old age is to
  recall 50 years of new passwords changed every month because of some regulation.

- Many people write the changes down until they remember them: If
  you have enough passwords to remember, chances are good that you have written
  some of them down somewhere at some time. Most people have to write down
  a new password in order to remember it. The more often we change them,
  the larger the portion of the time we have them written down somewhere.

- They have to be redistributed: I know there is probably a regulation
  against it, but I use the same password on a lot of my computer systems.
  I know - if someone gets into one, they can get into the rest -
  but since they are physically isolated it takes more than just a password
  to get into them. Maybe more importantly, I can get into all of them without
  having to remember hundreds of random numbers or write them all down. Whenever
  I change one of my passwords, I have to change scores of them. In one case,
  I have a network of 50 computers that I manage. If you make me change all
  of those passwords once a month, I'm not likely to want to manage
  the network for very long. I know there are other ways, but you get my
  point.

- It takes time and overhead: It turns out that there is a real
  cost in time and overhead in creating such rules and enforcing them.
  Unless the benefit outweighs the cost, it's not a very good investment.

- Denial of service and service calls increase: While your company
  probably has extra people working the help desk at all hours just waiting
  to take calls, you may be surprised to know that my company doesn't.
  We prefer to minimize the time and effort wasted on such things by designing
  our operations so as to prevent such calls whenever possible. Every time
  you mandate a password change, you are asking for service calls. Many service
  organizations I talk to identify password resetting as a major item that
  consumes their time. Can there be any doubt that this increases with the
  frequency of password changes?

- Once I find a good one I want to keep it: If you ever managed
  to memorize S*7y&p[+1M, and got to the point where you could
  type it quickly and easily whenever you had to, it would probably be a
  pretty good password (although this particular one is now tainted by its
  widespread publication). It would probably take you quite a bit of effort
  to get to that point, and it seems like a real pity to have to waste all
  that time and effort again without a good reason. When I have to keep putting
  in new passwords, I tend to make them easier to guess each time, because
  it's not worth the effort to remember a really good password if you
  just have to go and change it again a month or six later.

- Many people get a false sense of security: In a lot of cases,
  users come to believe that they are better protected because they change
  passwords more often. They figure that they are doing their part -
  and often - that this fulfills their responsibility on this issue.
  We in information protection have so little in the way of resources that
  it seems a terrible waste to do anything like this unless there is a good
  reason. Given the option, I would certainly select some other "one
  thing" to have every employee do on a regular basis. Perhaps backing
  up their systems should have a higher priority?

There are, no doubt, many other reasons for not changing passwords on
a regular basis, but they are basically all related to the inconvenience
of doing it and the reduction in protection resulting from it.
Special Cases:
As I commented earlier, there are some special cases when changing passwords
- in some cases periodically - is a very good idea. Here are some selections:

- The password controls a cryptographic communications system: As
  was briefly discussed earlier, cryptographic keys must be changed periodically
  if the things they encrypt can be intercepted by hostile forces and if time
  constraints on attacks against keying material are appropriate. This is
  not the place to go into full detail, but if you want to know more, look
  into cryptographic key management protocols.

- You suspect someone broke in: If you think someone might be
  accessing your system illegally, it certainly might be a good idea to change
  passwords for all users. It would also be prudent to take additional steps
  to assure that system corruption hasn't resulted in reentry paths
  for the attacker, to secure evidence for possible legal actions, and so on.

- A password is shared: While password sharing is generally to
  be discouraged, there are times when it happens. In these cases, it is
  important to change the shared passwords every time anyone is removed from
  the shared access. Similarly, if enough people share an account, changing
  passwords periodically may be a wise step in providing assurance that users
  who no longer need to have access do not have such access. Since such
  systems normally operate by giving the new password to people only when
  they ask, those who are no longer using these systems end up without the
  password after a time.

- The enemy has a known capability and you have a known limitation:
  If you do an analysis and find that an enemy can break some protective
  barrier through password guessing in a given amount of time, and if you
  cannot increase this time by normal internal actions, you might decide
  to change passwords frequently. (For example, a firewall allows a maximum of 6
  characters in a password and they are all forced to be upper-case letters or
  digits, leading to only 36^6 possible passwords; 1,000 guesses per
  second are possible and no other protection can be put in place, leading
  to only 20 days to try all passwords. You might decide to change passwords
  every 8 hours so as to limit the length of access in a takeover and to
  prevent exhaustive search from guaranteeing entry in a short time.)

- Passwords are stored and used online: In cases where passwords
  to systems are stored online for automated remote access and the operating
  environments are not well protected, it may be prudent to change passwords
  to critical accounts often, so as to force users to type them manually or
  to prevent break-ins to machines from granting access to accounts on other
  machines. This is common in Internet access today. This is particularly
  helpful if it is expected to take a substantial amount of time for attackers
  to locate and exploit these passwords after entry.

- Some other reason to make the change one time: It might be valuable
  to change passwords of critical systems in conjunction with the movement
  of backup information to other sites. For example, when disposing of a
  machine that is not properly cleaned before disposal, or when backups are
  moved to off-site locations after a substantial delay, this has the effect
  of protecting against exploitation of stored passwords residing on released
  media.
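The brute-force arithmetic behind the guessing counterpoint above (10^16 passwords, 1000 machines, 40 years) and the firewall special case (36^6 passwords at 1,000 guesses per second, changed every 8 hours), worked through as an added example that is not part of the article: a small model of how much of the password space an attacker covers within one password lifetime, and how much a periodic change actually lowers the probability of compromise. The guess rate for the first scenario is constructed from the article's stated 40-year total; the model assumes uniformly random passwords and an attacker who never repeats a guess within one lifetime.

```python
"""Brute-force budget vs. password rotation (added example, not from the article).

Model, as in the article: passwords drawn uniformly from symbols**length, an
attacker guessing at a fixed rate who never repeats a guess within one
password lifetime, and a fresh, independent password after every change.
"""
DAY = 86_400.0
YEAR = 365.25 * DAY


def password_space(symbols, length):
    """Distinct passwords available: symbols ** length."""
    return symbols ** length


def exhaust_seconds(space, rate):
    """Seconds needed to try every password at `rate` guesses per second."""
    return space / rate


def p_compromise(space, rate, total_s, rotation_s=None):
    """Probability that exhaustive guessing succeeds within total_s seconds.

    No rotation: the searched fraction rate*t/space grows linearly until the
    space is exhausted.  With a change every rotation_s seconds, each lifetime
    is an independent trial covering fraction p, so over k = total_s/rotation_s
    lifetimes P(success) = 1 - (1 - p)**k.
    """
    if rotation_s is None:
        return min(1.0, rate * total_s / space)
    p = min(1.0, rate * rotation_s / space)
    return 1.0 - (1.0 - p) ** (total_s / rotation_s)


def rotation_benefit(space, rate, total_s, rotation_s):
    """Absolute drop in compromise probability bought by rotating."""
    return (p_compromise(space, rate, total_s)
            - p_compromise(space, rate, total_s, rotation_s))


# Scenario A (the article's main argument): 8 symbols from 100 choices, with a
# guess rate constructed so that "1000 machines" exhaust the space in 40 years.
SPACE_A, RATE_A = password_space(100, 8), password_space(100, 8) / (40 * YEAR)
# Scenario B (the firewall case): 6 upper-case letters or digits, 1,000
# guesses per second, changed every 8 hours during a 20-day attack.
SPACE_B, RATE_B = password_space(36, 6), 1_000.0

if __name__ == "__main__":
    for name, space, rate, total, rot in (("A", SPACE_A, RATE_A, 360 * DAY, 30 * DAY),
                                          ("B", SPACE_B, RATE_B, 20 * DAY, 8 * 3600.0)):
        print(f"{name}: exhaust in {exhaust_seconds(space, rate) / DAY:,.1f} days, "
              f"P(no change)={p_compromise(space, rate, total):.4f}, "
              f"P(changing)={p_compromise(space, rate, total, rot):.4f}, "
              f"benefit={rotation_benefit(space, rate, total, rot):.4f}")
```

In scenario A a monthly change lowers the one-year compromise probability by well under a tenth of a percentage point; in scenario B, where a single 8-hour lifetime covers over 1% of the space, it cuts the 20-day probability from about 0.79 to about 0.55, which is exactly the situation the special case describes.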
While I am sure that there are many other circumstances where it is prudent
to change passwords periodically, it is not a "no-brainer". In
order to establish that such a circumstance really exists, it is necessary
to identify a credible and substantial risk (something resulting from a
cause, a mechanism, and their impact) and demonstrate that periodically
changing passwords substantially mitigates that risk.
Conclusions:
Don't believe everything you hear or read in an article, a checklist,
or even a standard. In this case, it looks like a lot of people have missed
the mark.
But I could be wrong - and you could prove it to me. In the beginning,
this was a search for a reasonable basis for making audit recommendations
regarding password changing frequency - and it still is. Right now,
unless there is a special circumstance, changing them even once in a while
seems to me like a poor idea.
About the Author:
Fred Cohen is a Principal Member of Technical Staff at Sandia National
Laboratories and the Managing Director of Fred Cohen & Associates. His
team combines business and technical expertise to help make information
technology work better.