Saturday, 12 March 2011

Password changing needs to change

Companies tell people they need to change their passwords but I think companies are the ones who need to change. 

In many enterprises users must change their passwords every 3 months or so.  When was the last time a website asked you to change your password?  What about your banking website, how often do they tell you to change your password?  It's funny isn't it, there seems to be a real double standard about changing passwords.

So why do companies tell people to change their passwords?  Well the thinking is that if you change your password then, if it has been exposed at some stage, you have minimised the opportunity to brute force it, and if it has been cracked then you minimise the opportunity to use it.  You can't really argue with the logic; those are sensible reasons to change your password.

What you can argue with is why the burden is on users to mitigate the risks of their password being exposed.  The answer is clearly that we don't have any other good mitigations to those risks other than users changing passwords.  Hold on ... we just established that websites don't make users change their passwords, so websites are either mitigating the risk or accepting it.  So who is right, the companies or the websites?

Well, as much as I would like to argue the merits of the security of either approach, or have a detailed discussion of risk as a function of the assets the passwords are protecting, I think I would be missing the point.  Websites don't ask users to change passwords because it's a usability issue: it would put too much burden on the user and that might drive the user to a competitor's website.  Companies have a captive audience, and they aren't trying to make users happy; they are trying to secure business assets.

For some people this might be a perfectly reasonable justification, and clearly it is not without merit, but all decisions have consequences.  One of the consequences, and this is pretty common knowledge, is that when users have to change passwords they often choose related passwords, marginally different from their old one, so that they are easy to remember.  The irony is that this circumvents the mitigation: when the new password is a variation of the old one, changing it doesn't force the attacker to start from scratch again.
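The failure mode described above can be caught at the moment of change, when the user has just typed both the current and the new password. The following is an added example, not part of the original post; the function names, the substitution table and the four-edit threshold are assumptions chosen for illustration, and the sample passwords are constructed.

```python
import re
from typing import Optional

# Assumed substitution table: common look-alike characters -> letters.
LEET = str.maketrans("@4$5!103", "aassiloe")

def skeleton(pw: str) -> str:
    """Base word of a password: case, leading/trailing digits and
    punctuation, and look-alike substitutions are all ignored."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return re.sub(r"[^a-z]", "", core.translate(LEET))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def rejection_reason(old: str, new: str, min_edits: int = 4) -> Optional[str]:
    """Why `new` is too close to `old`, or None if the change is acceptable.
    Both values are the plaintext the user typed into the change form;
    nothing beyond the usual password hash needs to be stored."""
    base = skeleton(old)
    if base and base == skeleton(new):
        return "same base word"
    if edit_distance(old.lower(), new.lower()) < min_edits:
        return "too few characters changed"
    return None

if __name__ == "__main__":
    # Constructed sample pairs (old, new).
    for old, new in [("Summer2010!", "Summer2011!"),
                     ("P@ssw0rd1", "Password2"),
                     ("tangerine", "tangerines!"),
                     ("correct-horse-7", "violet-anchor-quay")]:
        print(f"{old!r} -> {new!r}: {rejection_reason(old, new) or 'accepted'}")
```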

So what's the solution?  Well clearly there isn't a well-known one, otherwise more companies would be using it.  I think there is a lot that companies can learn from the web experience though:
  • Get users to use a local password manager.  Since their password never leaves their machine, the risk of exposure is substantially minimised and the enterprise can still enforce a rule of changing passwords.  Moreover the quality of passwords used can be increased exponentially.  I'm not up to speed on password managers for the OS, but if they don't exist then someone out there should create the market for them.
  • Use mechanisms to identify the fraudulent use of passwords.  I'm not sure how mature this market is for systems within an intranet, but web sites have mechanisms, so there is at least some framework for new solutions.
  • Use Single Sign-On.  I'd be the first to admit that this can create more security issues if not implemented correctly, but done well it definitely helps minimise risk and is the ultimate in convenience for users.

With most companies' intranets resembling a mini-Internet of web applications, it makes sense for companies to start incorporating some of the hard-fought lessons web sites have learnt when it comes to the balance between usability and security.

1 comment:

  1. And, the more often you force people to change passwords for various intranet applications (that all expire passwords at different times) the more likely it is that they will resort to writing passwords on post-it notes and sticking them to their monitor in order to keep track of them.

    Or - they use the same password for all their intranet apps and it turns out that one of the old legacy ones, that perhaps doesn't have very sensitive data in it 'anyway', transmits or stores the password in plaintext.