• More than Half of Security Pros
  Rarely Change their
  Social Network Passwords

I've always been unhappy with the advice given there, that we should change our passwords regularly. To me, you should choose hard passwords, and that makes them difficult to remember. As a result, changing them regularly would be counter-indicated.

So I was interested to read this "toot-storm" on Mastodon by https://mastodon.hasameli.com/@munin ...

• Alrighty, time to lay down the lore of the evolution of password management best practices, and why it is that [ the above ] is a bad article.

• First, the current best practices say that your passwords should be:
  • 1. Unique
  • 2. Long
  • 3. Complex

  in THAT order. Unless there is a specific reason to believe that the service has been breached, there is no reason to change them.

• Password rotation was deprecated last year in NIST Special Publication 800-63-3: Digital Authentication Guidelines - there is no longer a requirement to expire or rotate credentials on a regular basis.

• Now for the lore: why was password rotation a thing?

• This hearkens back to the 1990s and earlier, when credentialing worked a bit differently.

• You see, the biggest concern at that time was the ability of an attacker to bruteforce a login - together with the [usually fairly short - 8 character maximum on many systems!] length of most standard credentials meant that there was a real possibility they could be forced over time.

• So under that regime, it made sense to recommend rotating credentials - at least as often as you would expect them to be cracked by an attacker.

• However, since that time, we have learned how to do other things, like "account lockouts" after some number of incorrect logins, and have created the concept of the password manager, and have also learned how to export system logs to SIEMs to look for that kind of bruteforce attack. Also, key-based logins are available. Two factor authentication.

• All of these things mitigate, in different ways, the old bruteforce problem.

• So NIST, correctly, has revisited the old recommendations, and realized that the bigger threat today comes with credential reuse; and that reuse is exacerbated when people have to keep changing their passwords.
  • People will tend to use shorter, easier-remembered, and non-unique creds under those circumstances.

  • So the risk involved with that is greater than that of a longer-duration password lifespan.

• In addition, the modern hashing algorithms are a lot more expensive to run than the old ones - which, combined with the recommendation for longer passwords, means that bruteforcing is already a much less practical attack, even before considering the other mitigations.

• So there you have it: why password rotation is no longer recommended as a best practice, and an overview of how that came to be.

• Reuse is much more of a threat than misuse in most practical cases - when you incentivise people to reuse passwords you make it such that a compromise in one place means a compromise in many.

• @munin replied:
  • That is absolutely correct, and it's what drives me up the wall about so many of these people who, e.g., disable paste into password fields [thus defeating password managers] - they're encouraging the worse risk to 'defeat' a trivial, unlikely one.

• Of course, it will be five years or more before most policies various government and corporate entities are required to follow will be updated to suit that.

• To which @munin replied:
  • And that's why I'm posting this kind of thing regularly - so that people will have that information and can advocate for the change in their own orgs.

So there you are - a succinct debunking of the "change your passwords regularly" mantra.

Quotation from Tim Berners-Lee