October is supposed to be “National Cybersecurity Awareness Month”. So I decided to write a bunch of articles on Linux security. We’ve already covered disabling root access and how to change the SSH port. The next big issue is passwords.
People say that we’re moving to a “passwordless” future. They point to the emergence of hardware security keys, biometrics, and other forms of verification. Personally, I think this is dreaming. Passwords are never going away. They’re simply too convenient and universal. Think about what happens if you misplace your security key! Apps like Google Authenticator are already a nightmare to work around if you misplace your phone.
So given that the password is here to stay, it’s worth looking at password security policies. One common strategy that refuses to go away is the notion of “change your password frequently”.
Periodically Changing Your Password – A Terrible Idea
My wife works for a major corporation, and they’ve given her a company laptop with state of the art security, VPN, and encryption. All good stuff. But their password policy sucks. They require her to change the password every month. Every month!
This, along with some basic requirement to have a “special character”, is the extent of their password protection system. Needless to say, this is bad.
Humans Are Bad at Randomness
There is a yawning gap between what people think is a random output of a stochastic process, and what is actually random. In people’s minds, a series of random coin tosses looks far more uniform than it is in reality. So when you ask users to choose a “random” password, it’s never really random.
Nevertheless, people try their best. They throw in some special characters, or maybe try to do something clever like replacing “S” with “$”. But for computer programs that specialize in guessing passwords, these are pretty pathetic attempts to create randomness. It’s child’s play to break them.
Moreover, truly random passwords are hard to remember. By definition, a random string of symbols has no “pattern” that can aid in memory recall, so asking users to do this is a big mental effort.
Frequent Password Changes Make Things Worse
Considering the above, it’s an absurd request to make people choose random passwords every month. It’s not going to happen.
What will happen is that people’s passwords will become even less random! They’re going to incorporate things like the year and the month into their password to try and keep track of which password they’re using at any given time. This is an absolute gift to hackers, who are generally thrilled when people use such patterns, because the patterns help them reconstruct the password!
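To put numbers on the two points above (humans are bad at randomness, and forced rotation pushes people toward date-based patterns), here is an added example in Python. It is not code from the original article: it generates a password from the operating system’s CSPRNG, computes how many bits of entropy a uniformly random password of a given length actually has, shows that “clever” substitutions like S→$ only add about one bit per substituted character, and implements the kind of policy check a site could run instead of forcing monthly changes: rejecting passwords that embed a year or a month name. The alphabet, the substitution set and the date patterns are assumptions chosen for illustration.

```python
import math
import re
import secrets
import string

# Assumed alphabet for generated passwords: letters, digits and a set of symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"

# Assumed "clever" substitutions people apply by hand (s->$, a->@, o->0, i->1, e->3).
LEET_LETTERS = set("saoie")

# Assumed date patterns that forced rotation encourages: a four-digit year or a month name.
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),
    re.compile(r"jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec", re.IGNORECASE),
]


def generate_password(length: int = 16) -> str:
    """Uniformly random password drawn from ALPHABET using the OS CSPRNG.

    secrets.choice is used rather than random.choice; the random module is a
    deterministic PRNG and is not suitable for secrets.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def leet_variants(base_word: str) -> int:
    """Number of distinct passwords reachable from base_word by optionally applying
    each substitution in LEET_LETTERS.

    Each substitutable character at most doubles the number of variants, so it
    adds only one bit: 'Password' has four such letters (a, s, s, o) and yields
    2 ** 4 = 16 variants, i.e. 4 bits on top of guessing the base word.
    """
    substitutable = sum(1 for ch in base_word.lower() if ch in LEET_LETTERS)
    return 2 ** substitutable


def has_date_pattern(password: str) -> bool:
    """Policy check: True if the password embeds a year or a month name.

    This is the check to enforce at password-set time instead of forcing
    periodic changes, because rotation is what pushes users toward
    'Summer2023!'-style passwords in the first place.
    """
    return any(pattern.search(password) for pattern in DATE_PATTERNS)


def policy_report(password: str) -> dict:
    """Summarise why a candidate password would be accepted or rejected."""
    return {
        "length": len(password),
        "date_pattern": has_date_pattern(password),
        "max_entropy_bits": entropy_bits(len(ALPHABET), len(password)),
    }


if __name__ == "__main__":
    random_pw = generate_password(16)
    print("random 16-char password:", random_pw)
    print("entropy if truly random:", round(entropy_bits(len(ALPHABET), 16), 1), "bits")
    print("'Password' with substitutions: only", leet_variants("Password"), "variants")
    for candidate in ("Summer2023!", "Oct2024", random_pw):
        print(candidate, "->", policy_report(candidate))
```

The entropy figure only applies to passwords that were actually drawn uniformly at random; a human-chosen password that merely looks random gets nothing like it, which is why the policy check targets the patterns people actually produce rather than counting character classes.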
Have ONE Strong Password with 2FA if Necessary
A far more solid approach is having one truly random password and keeping it constant throughout the user’s life, unless there’s something like a breach. And even with a breach, you should be storing the passwords in a hashed (and salted) form, not in plain text!
Teaching users proper password hygiene, like never giving your password over the phone or entering it into untrusted websites, is a far more robust practice than requiring them to change it periodically. Maybe you can build an app for your website that requires users to log into it from there, so they don’t risk going to a malicious website.
This puts a lot of the pressure of password hygiene on the enterprise, which is where it should be, considering that it’s your data and your systems that you want to protect.
2FA is a Useful Add-on, But Not Standalone
Using an authenticator app or hardware key (not SMS) is a good way to insert an additional protection layer. Just keep in mind that you need a safe way for a user to log in if they happen to misplace or lose their second authentication device. This often comes down to a password, or to knowing some secret information in the first place, so we’re back to square one.
So 2FA can be enormously helpful, but it’s not a magic bullet!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!