Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT Technology

NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval (csoonline.com) 149

An anonymous reader writes: A recently released draft of the National Institute of Standards and Technology's digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and altering many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things: "Remove periodic password change requirements." There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change it or if there is indication of breach.
This discussion has been archived. No new comments can be posted.

NIST's Draft To Remove Periodic Password Change Requirements Gets Vendors' Approval

Comments Filter:
  • Good move (Score:3, Interesting)

    by phresno ( 677793 ) on Tuesday May 09, 2017 @11:03AM (#54384741)

    I welcome the return to sanity.

    • Re: (Score:3, Insightful)

      by Anonymous Coward
      Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.
      • Yep. They do this where I work, which leaves me with very little choice but to write the password down on a little yellow sticky note because I'm forced to keep changing it to things I'll never remember.

        Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

        • even windows server won't let you do that with a simple AD configuration change

          • Re:Good move (Score:4, Informative)

            by EvilSS ( 557649 ) on Tuesday May 09, 2017 @11:51AM (#54385171)

            even windows server won't let you do that with a simple AD configuration change

            Just using "one" "two" "three" will usually be enough of a difference to get past most password uniqueness policies

          • Use a mmyyyy postfix or prefix and get around that rule.
          • by ls671 ( 1122017 )

            That's interesting, I wonder how could AD do this without keeping the password un-hashed, e.g. more or less equal to keeping the password in plain text?

          • by Creepy ( 93888 )

            When I had my most restrictive password change rules, which were at least 8 characters, must contain 1 symbol and one #, no 3 characters could be the same, I found that I could just rotate the password and it worked fine because the text requirement meant in the same place. So at first I could have 1cadaver# and the next month cadaver#1 and the next month adaver#1c, etc. I used a far more complex password with no words though - words make for an easier example.

        • Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

          Many systems do not allow you the repeat sequences.

          • Or you could do what most people do and keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

            Many systems do not allow you the repeat sequences.

            I imagine he/she meant a rotating sequence of numbers to make it unique and non-repeating. However, many systems, while allowing long(er) passwords, limit the significant characters so I recommend putting the non-unique part first rather than last.

        • > d keep the same password and affix "1" "2" "3" to the end of it every time they tell you to change your password.

          That's retarded.

          Append the MonthYear that it expires on.
          i.e.

          Password0517

          • Yeah, great idea! Because I always remember that!

            • /oblg Can't tell if you are being sarcastic or not ... [imgflip.com]

              ... but why are you remembering a password in the first place?? Why aren't you using a password manager???

              • Because my employer will not allow me to. So instead, we all use easy to remember (and compromise) passwords.
                • Because my employer will not allow me to. So instead, we all use easy to remember (and compromise) passwords.

                  I thought only my employer was dumb enough to not allow password managers.

                  Wait, are you the guy down the hall from me who doesn't get any work done because he's always on /.? Hmmm.

                • That truly sucks you have an bone-headed IT department with retarded security policies.

                  Have you raised this issue with anyone? Your Boss, HR, IT, etc. ?

                  Also, why can't you use KeePass on a personal device with stronger passwords? Do you work for certain government jobs where you are not allowed access to mobile devices?

              • How do I authenticate myself to the password manager? How do I log in so I can access the password manager?

                With one exception that I know of, my password is the same everywhere in the company already.

          • That doesn't work for a 30-day password rotation policy. You'll find yourself having to use 0217 at the end of January, and it will just keep getting out of sync.

        • What I do is use the same base password and then vary special characters/capitalization. Then, I make a note about the capitalization/special characters used. For example, if my password was "Pass..word.", I'd note "C2L1" for "capital letter, two periods, lower case letter, one period." Nobody looking at my paper would know my password, but if I forgot the specific password, the paper would remind me what it currently is after the latest mandatory password change.

      • > very little choice but to write the password down on a little yellow sticky note

        Why aren't you using a password manager like KeePass or KeePassX and just remembering one passphrase to access all your other passwords???

        * http://keepass.info/ [keepass.info]
        * https://www.keepassx.org/ [keepassx.org]

        • While I do recommend password managers (I like Password Safe), what if your password is to log into the computer? Then, you can't access your password manager without the password you were going to look up.

          • Great question! I _used_ to run into that issue to. There are a couple of different solutions:

            * You have a backup of your Password Manager on a different device, right? Though this does mean you now need to keep both copies in-sync.

            * I used to keep my computer password the same as my main password but I got tired of having to change that too so I've simplified the login computer password since it never changes:

            First off, my work password had the Month and Year appended like this: Password0

            • I don't have a separate work-related device, and I don't want to have to sync my work computer with anything I own. This means I have to have one password memorized for work. What I do is base my passwords on my role-playing games or my fiction, and my password sticky note isn't going to mean anything to anyone else.

  • What if... (Score:5, Insightful)

    by freeze128 ( 544774 ) on Tuesday May 09, 2017 @11:12AM (#54384805)
    The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?
    • Re:What if... (Score:5, Interesting)

      by PCM2 ( 4486 ) on Tuesday May 09, 2017 @11:18AM (#54384855) Homepage

      Multi-factor?

    • by Anonymous Coward

      If you remove the periodic password change requirement, you must supply users with a tool that allows them to determine if there account is being used by others. Google's Sign-In and Security tools are a good example of this. I can view when and from where my account has been accessed and determine if I believe there has been a breach. If so, I can change my password.

      Removing the password change requirement without providing such an access monitoring tool is a disaster in the making.

      • Google's Sign-In and Security tools are a good example of this.

        Google is a wonderful example of good customer support. Yes. I just love getting an email from Google that tells me that someone has my password and tried to log in using my account from a new location and that they helpfully stopped the attempt.

        Except that in every case so far, that "someone" has been me, the "new location" was someplace I travel to on a semi-regular basis, and they apparently only block the first attempt because I've never noticed that I cannot access my email or calendar when they've r

    • by Anonymous Coward

      Good morning freeze128. You last logged in 1 hour ago.

      • by ls671 ( 1122017 )

        Great, but you need to take for granted that users will care to look at that information.

    • Well two things (Score:5, Interesting)

      by Sycraft-fu ( 314770 ) on Tuesday May 09, 2017 @12:26PM (#54385483)

      1) If that is a big concern, use multi-factor. When real authentication security is important, multi-factor is important. You can't go and say an account is super important and needs high levels of protection but then refuse to go multi-factor.

      2) How long are you ok with an adversary having access to your systems? Is 6 months ok? 12? Those are usually what you see password change requirements set at. Are you really ok with someone having unauthorized access to your systems for 12 months, but that's it, any longer is an issue? Of course not. But to change it often enough to keep an unknown compromise to what you'd consider acceptable users would need to change passwords multiple times a day.

      • A bigger annoyance than being forced to change your password is having the characters that you can use restricted. I can understand minimum complexity requirements, but I've seen some systems where the list of characters that I'm not allowed to use sounds like they're using my password to name a directory. I see no technical reason for restricting the list of possible characters, or the maximum length for that matter. When I find a system that tells me I can't use certain characters in a password that's

      • Where do you people work?

        2FA is fine for logging into gmail or twitter, but if you work at a small business that has an IBM mainframe, a Novell Server, or an Active Directory, then it just doesn't make financial sense to implement that. Guess what? Periodic password changes are CHEAP. 2FA is EXPENSIVE.
        • DoD smart card authentication is expensive but works well on the admin netowrks.

          But:
          Many Mission Systems don't support it.
          Certificates have a tendency to expire at the worst time.
          Network system administrators required multiple certificates, one for each account.
          Virtual infrastructure doesn't do the best job of supporting them.
          Latency can cause using certificate based authentication to remote systems to fail.

    • by Anonymous Coward

      Numerous studies have shown that periodic password changes compound this problem rather than mitigate it. Users are more likely to reuse passwords/password patterns across sites when they have more to remember. And new passwords are typically trivial changes (incrementing a digit) so if the an password is compromised a bad actor can often easily guess the new one from the old one.

    • The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

      Except, many times the new password is easily guessable if you knew the old password. Say the old password was: HelloWorld1, there's a pretty good chance the new password is HelloWorld2. If you use the complete set of NIST recommendations, you'll be in really good shape. MFA, a dictionary of common passwords and sets of known passwords from compromised systems (hackers will test against those before they bother brute forcing), and you'll be in pretty good shape.

    • by dissy ( 172727 )

      The point of periodic password changes is to protect against an *UNKNOWN* breach, where the password has been compromised and the user doesn't know. Is there some other method of mitigation for this attack?

      As an attacker, I only need your password for about 60 seconds to get in and plant a persistent backdoor, after which I can gain access to everything that password granted but I no longer need your password.

      Do you enforce password changing for users every 59 seconds?
      If not, you are already not mitigating the effects of an unknown breach, so why have your users change passwords when it will not have the effect you are claiming no matter what they do?

      All you are doing is making users choose a very short predi

    • Changing passwords frequently will cause less security as the owners are much more likely to write down the passwords somewhere. I see some lab laptops (shared amongst a few workers) that have post-it notes on them with the bi-monthly password.

    • The point of periodic password changes is to protect against an *UNKNOWN* breach.

      This might make sense for things like e-mail or on-line banking passwords, but it's useless for an actual systems breach. If someone gets access to a system, it's far too easy to add a backdoor that will allow them in forever. Unfortunately the only way to recover from an unknown breach is to not have one in the first place.

  • Finally! (Score:3, Insightful)

    by Lord Kano ( 13027 ) on Tuesday May 09, 2017 @11:15AM (#54384825) Homepage Journal

    My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

    My current position has a 6 month expiry. I use a much stronger password.

    This is common sense to me.

    LK

    • My previous position was in a company that had a 45 day password expiry policy. My password was only as complex as it had to be to fit the rule but wasn't very good.

      My current position has a 6 month expiry. I use a much stronger password.

      This is common sense to me.

      LK

      You use a much stronger password. The average user would use "123456" and never change it unless a system forced them to.

      Understanding the behavior of the average user is common sense, especially when considering adapting this "new-and-improved" suggestion.

      • "The average user would use "123456"

        Implying that the system administrator has no control over password content, which is utterly untrue. I would HOPE that any company removing or extending password resets would be doing that, if they aren't already. Where I work, passwords have to follow specific formatting and content rules and can't match old passwords (going back what I consider to be a ridiculous amount of time).
        • "The average user would use "123456" Implying that the system administrator has no control over password content, which is utterly untrue. I would HOPE that any company removing or extending password resets would be doing that, if they aren't already. Where I work, passwords have to follow specific formatting and content rules and can't match old passwords (going back what I consider to be a ridiculous amount of time).

          Sure, I'd prefer multi-factor authentication with dedicated security tokens as a fix to all of this, but short of that, employing users smart enough to remember a decent passphrase, and not write the damn thing down every time they are forced to change it would be a more valid solution than the shit NIST is now recommending, all because users are incapable of the burden of good security practice.

          And password security settings are only as good as the management team that supports it. Years ago, I worked for

  • by Anonymous Coward on Tuesday May 09, 2017 @11:16AM (#54384829)

    Randomly generated password of any given strength has the same probability of being guessed as any another equivalently strong random password. Only reason for strong password change is breach. Oh, and, my favourite pet peeve: common requirement that passwords must have some minimum number of characters from few subsets of all printable characters actually makes them much weaker.

  • by ErichTheRed ( 39327 ) on Tuesday May 09, 2017 @11:22AM (#54384889)

    If you have a really well-connected single sign on environment in place, standardizing on a single password that you have to change periodically makes sense. Where it breaks down is when you have a million passwords scattered across different services (internal or external.) If you have to change those over and over, you end up recycling passwords or writing them down, or storing them in a password vault tool (which is a bad idea given how many vulnerabilities have come to light on those.)

    In fact, with SSO systems like Google or Azure AD, it makes sense to protect that single key much more carefully than an individual password. For example, if someone guessed my corporate account's password or found a way to steal information from Microsoft without them knowing (or telling anyone,) my Azure AD account has a lot of access -- off the top of my head, from the naked Internet I can access my Exchange email, OneDrive, all the Azure resources I have control over, most of my HR vital data, access to Internet-facing applications, access to my MSDN and volume licensing stuff from Microsoft, and the list goes on. I'm OK with changing that password pretty frequently. If I had 50 of them to remember, not so much.

    The fact that the standards are being updated to reflect that it's much harder to steal passwords from properly secured systems these days and crack them offline is good though. Corporate security types tend to follow these rules verbatim regardless of whether they make operational sense.

  • I'll walk into my upper management and tell them I'm going to remove the 90 day requirement to change passwords. I'm sure that will go over well. I'd probably be asked about my sanity and they might question my skills as a network admin. This is great if you understand it. Upper management at many companies will not like this and have been "trained" to believe the rotating passwords is a must for a secure environment.
    • I would welcome management that was actually in tune with our password insanity. Some logins are 3 months, some never, and most have different sets of rules as to min or max length, characters, etc.

      I have different logins/passwords for:
      Windows
      Linux
      Travel
      Payroll
      Proxy
      Training (forgot)
      IM (forgot)
      Our internal Facebook clone (forgot)
      VPN
      Internal cloud storage (forgot)
      Building entry code
      Laptop encryption
      and a couple more (counted 14 total a while back, but now I forgot some).

      Guess how many of those are good and s

      • I would welcome management that was actually in tune with our password insanity. Some logins are 3 months, some never, and most have different sets of rules as to min or max length, characters, etc.

        I have different logins/passwords for: Windows Linux Travel Payroll Proxy Training (forgot) IM (forgot) Our internal Facebook clone (forgot) VPN Internal cloud storage (forgot) Building entry code Laptop encryption and a couple more (counted 14 total a while back, but now I forgot some).

        Guess how many of those are good and strong and not following a clear pattern?

        Sounds like what you should actually welcome is a password manager. I couldn't tell you any of my own passwords even under duress because I use a system where I don't have to remember any of my passwords (and could never do so, since they're obscenely complex and well beyond any recommended length). Two-factor protection is in front of that system, with a single complex passphrase to remember.

        Makes life a hell of a lot easier.

        • by Creepy ( 93888 )

          I use a mnemonic that depends on the web site name usually. That backfires on places that own multiple sites like gamespot owns gamefaqs and uses the same password, so I have to remember where I registered it. The good thing is I don't use the same password or a password manager, the bad is you could figure out my passwords through cryptoanalysis. That said, I rely on the relatively low sample size of the password itself for having any decoding ability, plus there are always some seemingly random characters

  • Honestly, if you aren't doing two factor at a MINIMUM, then you are wasting massive amounts of time and money in security theater.

    By combining a physical token, even a cellphone, you get far more security then depending on something that is most likely written down.

    • by muffen ( 321442 )

      By combining a physical token, even a cellphone, you get far more security then depending on something that is most likely written down.

      So, you enable two-factor where you get an SMS, or add your mobile number to facebook / google, then you drop your mobile phone, which doesnt have a pin for the simcard. Someone finds the phone, takes the sim out, figures out the number, does a password reset in facebook / google using only the mobile number, and now basically owns you because they have access to your gma

      • First, cellphone is the worst two factor, not the advisable one.

        Second you do NOT use the same password - two factor or otherwise for Facebook, Google, and work. If it is a work two factor, then there IS a password in the sim, because people aren't as stupid as you think they are.

        Third, the time limit is pretty steep as you need to use most passwords daily. It is most likely attached to your keychain, not in your phone. In any case, It is extremely UNLIKELY that you won't notice it is gone within 12 ho

        • Third, the time limit is pretty steep as you need to use most passwords daily.

          Where the hell did you get that incorrect piece of information?

          The average user has 22 passwords. You don't use all of these every day. I have passwords I use ever day, passwords I use twice week, passwords I use once a week, passwords I use once a month, and a whole pile of passwords I use when needed which may or may not be twice a week or once in a year.

    • By combining a physical token, even a cellphone, you get far more security then depending on something that is most likely written down.

      When done poorly, the user needs to pay a dime to his cellular carrier every time he logs in. Low-end cellular plans in NIST's home country charge for both sending and receiving text messages.

      Google Authenticator and other TOTP apps can be used without charge provided the service supports TOTP and the user carries a device that can run a TOTP app. But I know several people who still carry flip phones that have no TOTP app. And last time I checked, Twitter's second factor supported only SMS, not TOTP.

  • I'm ok with this

  • "... this guideline was suggested because passwords should be changed when a user wants to change it...

    Here let me tell you how often a user wants to change their password.

    Never.

    Oh wait, that's not quite right.

    Fucking Never.

    Perhaps NIST should learn to factor the security impact when they ASS-U-ME what users want to do.

    • When a user sees that someone wrote a nasty email to his boss on his behalf, he will *WANT* to change his password!
      • When a user sees that someone wrote a nasty email to his boss on his behalf, he will *WANT* to change his password!

        Give me a break. People that have had their fucking identity stolen don't even want to change their password, because "tinkerbell" has been the same password [special snowflake] has had since grade school.

        We read about how bad passwords are often the root cause of many security issues today, and yet the "top 10" list of bad passwords hasn't really changed in decades.

        This tends to highlight just how much the average user doesn't give a shit about practicing good security.

  • Sanity (Score:5, Insightful)

    by LunaticTippy ( 872397 ) on Tuesday May 09, 2017 @11:58AM (#54385225)
    Thank goodness. Frequent changes entrench bad habits and culture. People are constantly getting locked out, forgetting password. Your culture becomes one of frequent password resets with idiotic questions to verify identity. These questions are usually trivially guessable/facebookable/googleable especially since people forget these all the time too. Many helpdesks will reset passwords via phone without verifying identity since they do it constantly with frustrated resentful users. Make passwords durable. Changing it without knowing the old one should be a big difficult deal.
    • Your culture becomes one of frequent password resets with idiotic questions to verify identity.

      One of the airline sites I use has a policy that if you've not logged in for a certain length of time, or you're using a computer it hasn't seen before, you have to answer idiotic security questions to get on. Unfortunately, it does very poorly at remembering computers so every time I'm logging in at home to check in for a flight, e.g., I have to go through the questions. The questions are also multiple choice and few of them have the correct answer as one of the possible answers.

      Heh, I thought, I'll just

  • At one place I worked we had a deep discussion on password change periods. We all sort of agreed on once every six months. But then we did a password audit and the results were horrifying.
    • I found a personal account for a user that had been using the same password for 14 years. He'd call in whenever it expired and convince someone to reset the timer for him. I think it makes sense for most systems to not bother ever expiring passwords, in other cases though changing them every quarter might be warranted. It really should depend on the importance of the data exposed in the system and the likelihood of a bad actor attempting to harvest passwords.

      • I found a personal account for a user that had been using the same password for 14 years.

        For some systems, I have a password I first created 30 years ago.

    • But then we did a password audit and the results were horrifying.

      Horrifying in what way?

      Horrifying in that you discovered that the time and energy and lost work involved in enforcing useless password protocols came to many millions of dollars a year?

  • by FeelGood314 ( 2516288 ) on Tuesday May 09, 2017 @12:15PM (#54385381)
    Most users are expected to know 22 paswords [bbc.co.uk]

    Seriously, fuck you, to any site admin who contributes to this.

    Real people can remember 2 or three passwords and that is all they will bother to remember. They will have maybe 2 long term secure passwords for things they personally value (and guess what, work isn't one of those things) and they will reuse the same password or variants of it on every single other system they use. No user will memorize a new password if they are expected to change it regularly. They will create the easiest password possible that meets the systems requirements.
    This is universal and everyone knows it. The previous company I worked for was a well trusted security company with a policy of passwords that had to change every 90 days, use an uppercase letter, lower case letter, number, symbol and had to be at least 8 characters. I did a survey. Over 2 thirds of engineers and 6 out of 6 in HR admitted their password was a common 6 letter English word, first letter capitalized, a symbol and a number that they incremented.
  • by JoeyRox ( 2711699 ) on Tuesday May 09, 2017 @12:17PM (#54385397)
    Now I can keep golf486 and never have to use golf487.
  • NIST just realized how irrelevant they are and how they would bankrupt any company that didn't have the US federal governments funding.
  • That policy was just mean to the users and required us admins to reset passwords all the time. Personally I disable these requirements. When banks tell me we need password changes I tell them we are using a much more robust security system. When they ask what my security measures are I inform them that have attempted a phishing attack on my network and the call will be automatically disconnected.

"To take a significant step forward, you must make a series of finite improvements." -- Donald J. Atwood, General Motors

Working...