Does password expiry provide any benefit at all (when using randomly generated passwords)?
I have been seeing a shift in password policy. This has been going on for a while (the article is from 2017), but I have only just picked up on it. In my organization we expire user passwords every 90 days. When they set up their baseline, this was standard practice. But:
...In this day and age, changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization...
SANS.org.
Let's assume all of my users are professionals:
- They use a secure password/passphrase generator and manager for all their accounts.
- There are no sticky notes with passwords.
- There are no incremental password changes, e.g. admin2018, admin2019, since the passwords/passphrases are randomly generated.
Is there no benefit at all to replacing their current password/passphrase with a new randomly generated one every 90 days?
passwords password-management password-policy
edited May 7 at 7:19 by BenoitBalliu1
asked Apr 29 at 6:37 by BenoitBalliu1
6
I guess this all started as a way to avoid certain situations like "former employee might still have access to some stuff" or "somebody might still have a password I shared with them for getting support", etc. The right way to handle those situations is to have separate accounts and never share the passwords. Changing passwords every 90 days is useless: what could be done in 90 days that couldn't be done in just one week? So IMO it's just a useless pain.
– reed
Apr 29 at 10:38
1
I feel like your question has some specific elements that aren't answered here, but do review this existing question which provides more context on foundational password expiration issues: security.stackexchange.com/questions/4704/…
– PwdRsch
Apr 29 at 21:40
1
Personally I see an advantage in changing passwords mostly around cleaning up after passwords have been shared or stored. Both should not be done, but it can help to make it harder by resetting them. It might even help against accidentally disclosed or hacked passwords (if the attacker did not establish persistence, that is). Having said that, you might want to reduce the impact by having a change period that is as long as possible, something like 3-12 months.
– eckes
Apr 30 at 1:06
1
How are the new passwords being distributed? That is a potential hole.
– Davidmh
Apr 30 at 11:16
2 Answers
Yes, there is still a benefit to changing passwords every 90 days. Forcing regular changes provides some protection against the unauthorized use of passwords or limits the duration of unauthorized use. There are better alternatives for achieving these same goals (e.g. detecting abnormal use, risk-based authentication, etc.), but you didn't ask to compare password expiration to these alternatives.
Using strong, randomly generated passwords does reduce the risk of password abuse by making it unlikely the associated accounts will be breached due to password guessing, credential stuffing, or password cracking attacks. However, there still remain other avenues for an attacker to obtain user passwords, including malware, authentication server compromise, password manager flaws, or the user purposefully sharing their password with others. The strength and uniqueness of the password do not protect against these attacks. A. Hersean says to focus on fixing these leaks, which is good advice, but it is easier said than done.
If an attacker does compromise a user password they will have limited time to use that password if an expiration policy is in place. During that window of opportunity they may be able to complete any malicious actions they intend, or they might be able to escalate their attack and create an ongoing backdoor for access that does not rely on the original user's password. These situations don't really benefit from password expiration. But there are other situations where an attacker isn't able to escalate their attack and needs continued use of the password to maintain access. These are the situations where password expiration helps.
What is hard to quantify is how rare these situations are and in how many of those situations would password expiration either prevent or reduce the duration of attacks. So it becomes a rough cost-benefit analysis where you'd need to understand the costs of maintaining a password expiration policy. If you can completely automate regular password updates (some password managers might make this possible) and it is transparent to users then it seems like it provides value, even if the benefits are rare. If you can't automate password changes then it might not provide enough benefit to justify the time costs to users. In this case I would focus on alternatives to password expiration that can help detect and prevent password compromise.
Additionally, if you can completely automate regular password changes you should consider enforcing changes that take place more frequently than once every 90 days. This should increase the benefits of expiration by further reducing the risk of password compromises.
7
"Forcing regular changes provides some protection against the unauthorized use of passwords" In what sense? "limits the duration of unauthorized use" In no practical sense. 45 days (expectation value of validity of a leaked password) is more than ample to do whatever damage the attacker is interested in doing. "you didn't ask to compare password expiration to these alternatives" Security never operates in a vacuum - explicitly ignoring any other approach is not useful. IMO this is counter-productive security theatre.
– l0b0
Apr 30 at 1:16
2
@l0b0 You're telling me you can't think of any situations where an attacker is unable or unwilling to escalate their access beyond the original account? Or where they'd like to retain access to an account beyond 90 days? Think of scenarios other than a simple compromised Windows account in an enterprise domain.
– PwdRsch
Apr 30 at 5:20
2
Please stop with the straw men. Outside of Hollywood I expect such a situation is extremely rare. Most organizations are extremely badly prepared for an insider attack, and retaining access should be easy once privileged access has been gained. You could for example create a new account or modify the password reset code to send you a helpful message. That's just off the top of my head, and I'm not a pen tester.
– l0b0
Apr 30 at 6:24
1
Who said anything about privileged access? You still seem to have one specific scenario in your head about password compromises and are ignoring other scenarios in systems that don't work that same way. For example, a password to an HR web app. The attacker can't escalate privilege within the app. They want to maintain access so they can continue to extract employee data.
– PwdRsch
Apr 30 at 14:50
Privileged access != root access. Having access to an HR web app is privileged compared to the general public. Anyway, the final goal of an attacker isn't to gather as much data as possible - the data is always a means to an end. And I'm going to simply assume that in the vast majority of cases dumping the data at the time of the breach is enough to get further towards the actual goal. If you assume differently that's fine. I just don't think it jibes with attacks in the real world.
– l0b0
Apr 30 at 20:13
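A small model of the cost-benefit argument in this answer and of the 45-day figure in l0b0's comment, written as an added example rather than anything from the answer's author or its commenters: expected days an attacker can use a leaked password when it is cut off by rotation, by detection, or by neither. The uniform leak time, exponential detection delay and persistence probability are modelling assumptions, not figures from the page.

```python
"""Expected attacker exposure for a leaked password: rotation vs. detection.

Added illustration of the cost-benefit argument above; the model assumptions
are mine, not the answer's:
  * the password leaks at a time uniformly distributed within the rotation
    period P (days), so forced expiry leaves the attacker P - leak_time days;
  * monitoring (abnormal-login detection, risk-based authentication) catches
    the misuse after an exponentially distributed delay with mean D days;
    D = None models "no detection at all";
  * exposure ends at whichever comes first, unless the attacker has already
    established persistence that does not depend on the password, in which
    case only detection ends it.
"""
import math
from typing import Dict, Iterable, Optional, Tuple


def expected_exposure_days(period: float, detection_mean: Optional[float]) -> float:
    """Expected number of days a leaked password stays usable by an attacker.

    Remaining lifetime R is uniform on [0, P); detection delay X ~ Exp(mean D).
    E[min(r, X)] = D * (1 - exp(-r / D)), and averaging r over [0, P) gives
        E[exposure] = D - (D^2 / P) * (1 - exp(-P / D)).
    Limits: D -> infinity gives P / 2 (pure rotation: 45 days for P = 90),
    P -> infinity gives D (pure detection, no rotation).
    """
    if period <= 0:
        raise ValueError("rotation period must be positive")
    if detection_mean is None:
        return period / 2.0
    if detection_mean <= 0:
        raise ValueError("detection mean must be positive")
    d, p = float(detection_mean), float(period)
    return d - (d * d / p) * (1.0 - math.exp(-p / d))


def expected_exposure_with_persistence(
    period: float, detection_mean: Optional[float], p_persist: float
) -> float:
    """Mix in the answer's caveat: with probability p_persist the attacker
    escalates and no longer needs the password, so rotation bounds nothing."""
    if not 0.0 <= p_persist <= 1.0:
        raise ValueError("p_persist must be a probability")
    bounded = expected_exposure_days(period, detection_mean)
    if p_persist == 0.0:
        return bounded
    # Without detection, a persistent foothold is never removed: unbounded.
    if detection_mean is None:
        return float("inf")
    unbounded = float(detection_mean)  # P -> infinity limit of the formula
    return (1.0 - p_persist) * bounded + p_persist * unbounded


def rotation_benefit(
    periods: Iterable[float],
    detection_means: Iterable[Optional[float]],
    p_persist: float = 0.0,
) -> Dict[Tuple[float, Optional[float]], float]:
    """Return {(P, D): expected exposure days} so policies can be compared."""
    return {
        (p, d): expected_exposure_with_persistence(p, d, p_persist)
        for p in periods
        for d in detection_means
    }


if __name__ == "__main__":
    # Constructed scenarios: 30/90/365-day rotation against no detection,
    # slow detection (mean 30 days) and fast detection (mean 7 days).
    table = rotation_benefit([30, 90, 365], [None, 30, 7])
    for (p, d), days in sorted(table.items(), key=lambda kv: (kv[0][0], kv[0][1] or 0)):
        label = "no detection" if d is None else f"detection mean {d:>3} d"
        print(f"rotate every {p:>3} d, {label}: {days:7.2f} days exposure")
```

With a 90-day rotation and no detection the model gives the 45 days quoted in the comments; with detection averaging a week, rotation only trims the window from 7 to about 6.5 days.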
90 days is more than enough to profit from stolen credentials (however strong they are). Moreover, most passwords will vary only by a digit or two when changed, so even a password older than 90 days will allow an attacker to guess the new one fairly easily.
If your passwords are strong (randomly generated by password managers) and one still managed to leak and find its way into the hands of an attacker, the solution is to fix the source of the leak, not to blindly update the passwords. Changing the passwords will not prevent new passwords from leaking in the same way.
It would be wiser to prevent password guessing attempts and to try detecting abnormal authentications. Using proper 2FA could also better mitigate password leaks.
At the same time, this policy pushes users to make passwords easier to remember, thus easier to guess by an attacker. All things considered, the policy mandating regular password updates weakens the overall security provided by password protection. That is why Microsoft is planning to remove this policy from Windows 10 starting with the May 2019 update. NIST also recommends against its use for passwords that need to be remembered.
14
"Their password is passw47rd. Doesn't work. I'll try passw48rd. It works!"
– billpg
Apr 29 at 10:50
3
The UK National Cyber Security Centre (which has the remit of protecting the UK's cyberspace, both government and commercial) also recommends against expiring passwords.
– Martin Bonner
Apr 29 at 14:07
3
Unfortunately, PCI DSS compliance is still to reset every 90 days.
– Baldrickk
Apr 29 at 15:33
4
@Baldrickk You can still comply with those policies by appending your strong password with a counter. However, you should not think of this as increasing the security of your password, but as a workaround to poor policies. For example, instead of mandating passwords of 16+ chars, you could mandate passwords of 18+ chars with the last two following the pattern [last digit of year][first letter of month].
– A. Hersean
Apr 29 at 15:52
2
(Reference/cite for @MartinBonner's comment: "Don't enforce regular password expiry" ncsc.gov.uk/collection/passwords?curPage=/collection/passwords/…)
– armb
Apr 29 at 16:22
Additionally, if you can completely automate regular password changes you should consider enforcing changes that take place more frequently than once every 90 days. This should increase the benefits of expiration by further reducing the risk of password compromises.
answered Apr 29 at 21:38
PwdRsch
7
"Forcing regular changes provides some protection against the unauthorized use of passwords" In what sense? "limits the duration of unauthorized use" In no practical sense. 45 days (expectation value of validity of a leaked password) is more than ample to do whatever damage the attacker is interested in doing. "you didn't ask to compare password expiration to these alternatives" Security never operates in a vacuum - explicitly ignoring any other approach is not useful. IMO this is counter-productive security theatre.
– l0b0
Apr 30 at 1:16
2
@l0b0 You're telling me you can't think of any situations where an attacker is unable or unwilling to escalate their access beyond the original account? Or where they'd like to retain access to an account beyond 90 days? Think of scenarios other than a simple compromised Windows account in an enterprise domain.
– PwdRsch
Apr 30 at 5:20
2
Please stop with the straw men. Outside of Hollywood I expect such a situation is extremely rare. Most organizations are extremely badly prepared for an insider attack, and retaining access should be easy once privileged access has been gained. You could for example create a new account or modify the password reset code to send you a helpful message. That's just off the top of my head, and I'm not a pen tester.
– l0b0
Apr 30 at 6:24
1
Who said anything about privileged access? You still seem to have one specific scenario in your head about password compromises and are ignoring other scenarios in systems that don't work that same way. For example, a password to a HR web app. The attacker can't escalate privilege within the app. They want to maintain access so they can continue to extract employee data.
– PwdRsch
Apr 30 at 14:50
Privileged access != root access. Having access to an HR web app is privileged compared to the general public. Anyway, the final goal of an attacker isn't to gather as much data as possible - the data is always a means to an end. And I'm going to simply assume that in the vast majority of cases dumping the data at the time of the breach is enough to get further towards the actual goal. If you assume differently that's fine. I just don't think it jibes with attacks in the real world.
– l0b0
Apr 30 at 20:13
90 days is more than enough to profit from stolen credentials (however strong they are). Moreover, most passwords will vary only by a digit or two when changed, so even a password older than 90 days will allow an attacker to guess the new one fairly easily.
If your passwords are strong (randomly generated by password managers) and one still managed to leak and find its way into the hands of an attacker, the solution is to fix the source of the leak, not to blindly update the passwords. Changing the passwords will not prevent new passwords from leaking in the same way.
It would be wiser to prevent password guessing attempts and to try detecting abnormal authentications. Using proper 2FA could also better mitigate password leaks.
At the same time, this policy pushes the users to make passwords easier to remember, thus easier to guess by an attacker. All things considered, the policy mandating to update the passwords regularly weakens the overall security provided by the password protection. That is why Microsoft is planning to remove this policy from Windows 10 starting with the May 2019 update. NIST also recommends against its use for passwords that need to be remembered.
edited Apr 29 at 13:15
answered Apr 29 at 8:50
A. Hersean
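Both answers name detection of abnormal authentications (PwdRsch's "detecting abnormal use", A. Hersean's "try detecting abnormal authentications") as the control that does what expiry is supposed to do, without the 90-day window. The following is an added example, not code from either answer: a small detector that flags a success from a source never seen for that user and a success that follows a burst of failures. The log format, the thresholds and the sample log lines are constructed for this example.

```python
"""Added example (not from either answer): detecting abnormal authentications
from an authentication log, the control both answers prefer over blind expiry.
The log format, thresholds and sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed format: "<ISO-8601 UTC> user=<name> src=<ip> result=success|failure"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)
FAILURE_BURST = 5                    # failures inside BURST_WINDOW that count as guessing
BURST_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines):
    """Collect the sources each user succeeded from during a period treated as
    normal (a learning window); the result seeds detect()."""
    baseline = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "success":
            baseline[rec["user"]].add(rec["src"])
    return baseline


def detect(lines, baseline):
    """Scan log lines in time order; return [(user, rule, timestamp), ...].

    'failure-burst': FAILURE_BURST failures for one user inside BURST_WINDOW.
    'success-after-burst': a success right after such a burst (a guessed or
    stuffed credential). 'new-source': a success from a source not in the
    user's baseline; the baseline is extended so it is reported once.
    """
    alerts = []
    failures = defaultdict(list)     # user -> timestamps of recent failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # tolerate unrelated or malformed lines
        user, src, ts = rec["user"], rec["src"], rec["ts"]
        recent = [t for t in failures[user] if ts - t <= BURST_WINDOW]
        if rec["result"] == "failure":
            recent.append(ts)
            failures[user] = recent
            if len(recent) == FAILURE_BURST:   # alert once per burst
                alerts.append((user, "failure-burst", ts))
            continue
        if len(recent) >= FAILURE_BURST:
            alerts.append((user, "success-after-burst", ts))
        failures[user] = []          # a success ends the failure sequence
        if src not in baseline[user]:
            alerts.append((user, "new-source", ts))
            baseline[user].add(src)
    return alerts


# Constructed sample: a learning window, then a guessing burst against bob that
# ends in a success, then alice succeeding from an address never seen before.
LEARNING_LOG = [
    "2019-04-01T09:00:00Z user=alice src=198.51.100.10 result=success",
    "2019-04-02T09:05:00Z user=alice src=198.51.100.10 result=success",
    "2019-04-03T09:02:00Z user=bob src=198.51.100.11 result=success",
]
LIVE_LOG = [
    "2019-04-29T08:50:00Z user=alice src=198.51.100.10 result=success",
    "2019-04-29T10:00:00Z user=bob src=203.0.113.7 result=failure",
    "2019-04-29T10:00:10Z user=bob src=203.0.113.7 result=failure",
    "2019-04-29T10:00:20Z user=bob src=203.0.113.7 result=failure",
    "2019-04-29T10:00:30Z user=bob src=203.0.113.7 result=failure",
    "2019-04-29T10:00:40Z user=bob src=203.0.113.7 result=failure",
    "2019-04-29T10:00:50Z user=bob src=203.0.113.7 result=success",
    "2019-04-29T23:30:00Z user=alice src=203.0.113.9 result=success",
    "not a log line",
]


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(LIVE_LOG, build_baseline(LEARNING_LOG))


if __name__ == "__main__":
    for user, rule, ts in run_demo():
        print(f"{ts.isoformat()} {user}: {rule}")
```

Either alert is actionable the same day rather than after an average of 45 days, which is the point both answers make against relying on expiry alone.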
14
"Their password is passw47rd. Doesn't work. I'll try passw48rd. It works!"
– billpg
Apr 29 at 10:50
3
The UK National Cyber Security Centre (which has the remit of protecting the UK's cyberspace, both government and commercial) also recommends against expiring passwords.
– Martin Bonner
Apr 29 at 14:07
3
Unfortunately, PCI DSS compliance is still to reset every 90 days.
– Baldrickk
Apr 29 at 15:33
4
@Baldrickk You can still comply with those policies by appending your strong password with a counter. However, you should not think of this as increasing the security of your password, but as a workaround to poor policies. For example, instead of mandating passwords of 16+ chars, you could mandate passwords of 18+ chars with the last two following the pattern [last digit of year][first letter of month].
– A. Hersean
Apr 29 at 15:52
2
(Reference/cite for @MartinBonner's comment: "Don't enforce regular password expiry" ncsc.gov.uk/collection/passwords?curPage=/collection/passwords/…)
– armb
Apr 29 at 16:22
6
I guess this all started as a way to avoid certain situations like "former employee might still have access to some stuff" or "somebody might still have a password I shared with them for getting support", etc. The right way to handle those situations is to have separate accounts and never share the passwords. Changing passwords every 90 days is useless: what could be done in 90 days that couldn't be done in just one week? So IMO it's just a useless pain.
– reed
Apr 29 at 10:38
1
I feel like your question has some specific elements that aren't answered here, but do review this existing question which provides more context on foundational password expiration issues: security.stackexchange.com/questions/4704/…
– PwdRsch
Apr 29 at 21:40
1
Personally I see advantage in changing passwords mostly around cleaning up after passwords have been shared or stored. Both should not be done but it can help to make it harder by resetting them. It might even help against accidentally disclosed or hacked passwords (if the attacker did not establish persistence, that is). Having said that, you might want to reduce the impact by having a long-as-possible change period. Something like 3-12 months.
– eckes
Apr 30 at 1:06
1
How are the new passwords being distributed? That is a potential hole.
– Davidmh
Apr 30 at 11:16