I wondered what you would recommend as an appropriate password expiration time. Targeted are the privileged account passwords, which eventually would be managed by a tool that would reset them every other day, but at this point I wonder what is a good period. Normal accounts' passwords expire at 45 days and I want to harden the privileged ones. What do you think is a suitable time?
The best current advice on password expiration rules is in the recent update (12/1/2017) to NIST Special Publication 800-63B, "DIGITAL IDENTITY GUIDELINES: AUTHENTICATION & LIFECYCLE MANAGEMENT," which says in section 10.2.1, Memorized Secrets, "Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."
This advice is part of a major update to the set of NIST SPs on identification and authentication, 800-63-3, 800-63A, 800-63B, and 800-63C, all released December 2017. I recommend you download all four for review from https://csrc.nist.gov/publications/sp
The pubs take an entirely new approach to password management, including doing away with periodic expiration and gross complexity rules. The changes are monumental, given decades of password management advice that essentially ignored the realities of memory and cognitive capability by users. A human factors approach to passwords is finally coming into view with the changes.
For a lighthearted and informative talk on this topic see my short (25 minute) INFOSEC WORLD 2016 presentation, "Why Don't they Follow the Rules? Maybe It's the Boss's Fault!" on YouTube at https://youtu.be/VhkH3BfWcd8 based on my dissertation research on password usage.
@CraginS has the best advice, referring you to the NIST documents. Read Appendix A (Page 67) of NIST 800-63B to understand why our current thinking is "wrong" and then read the rest of 800-63B to understand the better way.
The quick take-aways:
As an aside, if using Windows, it is better to use 15+ characters for your critical accounts (until you can implement MFA). This is because the length triggers a change in how passwords are stored, defeating many of the classic attack vectors.
Can't offer an opinion on the optimal password expiration time, but since a password is intrinsically vulnerable, have you explored multi-factor authentication, at least for selected critical accounts?
Just a thought
Hey, thank you all very much - agreed about all - will definitely check out the NIST text and the video of @CraginS - MFA is the ultimate goal indeed, however until then I'd like to increase length and decrease expiration periods at least... do you think this is absolutely useless?
Improvements are seldom useless, unless really badly thought out! If you do live in a windows environment, then please take note of the remark above about >15-character passwords: unless you have disabled the facility, Windows makes LAN Manager hashes of passwords to maintain compatibility with legacy apps. LM hashes are easy to break, but don't work with passwords in excess of 15 characters, hence the advice. MFA has much to recommend it, particularly for privileged accounts.
If you wish to see a flipside of the NIST advice, take a look at something from the other side of the pond:
One UK academic institution had the neat idea of having reasonably lax complexity rules but setting password expiry time based on the quality of the password selected by the user.
As with much in our line of business, one size does not fit all 🙂
My personal preference would be to increase password complexity, not to increase password renewal frequency, for practical reasons. When you increase the renewal frequency, users tend to make short-cuts, like hiding written-down passwords in very 'secure' places like under the keyboard. And if you don't have a self-service tool for password reset, your helpdesk will be inundated with calls.
Intrusion detection systems that can track user activities are excellent measures, albeit 'post-intrusion' ones, for detecting anomalies.
.... do you think this is absolutely useless ?
... When you increase the renewal frequency, users tend to make short-cuts, like hiding written down passwords in very 'secure' places like under the keyboard. ...
Password complexity rules are equal to renewal frequency in causing users to record passwords. Complex passwords are difficult to remember. I addressed both of these aspects specifically in my dissertation.
Dissertation on ProQuest Open Access
my personal preference would be to increase password complexity
As evidenced by the links in this topic, experts pretty much agree that length is more important than complexity.
Also, it is much better for privileged Windows accounts to have 15+ characters. Even if you simply type your traditional 8-character password twice, you mitigate the LAN Manager weaknesses.
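The LAN Manager weakness behind the 15+ character advice in this thread, as an added Python example (not from any poster): it models the LM pre-processing (uppercase, zero-pad to 14 bytes, two independent 7-byte DES key halves) without the DES step itself, shows that passwords longer than 14 characters get no LM hash at all, and compares effective keyspace sizes. The character-set sizes used for the comparison are an assumption.

```python
import math
import string

LM_MAX_LEN = 14
# DES of the constant "KGS!@#$%" under an all-zero 7-byte key: the half-hash LM
# yields for an empty half. Two copies form the marker Windows stores when no
# LM hash exists (empty password, or password longer than 14 characters).
LM_NULL_HALF = "aad3b435b51404ee"
LM_NO_HASH = LM_NULL_HALF * 2

# Assumed charsets for the strength comparison: 94 printable ASCII characters,
# of which 68 remain distinct once letters are case-folded to uppercase.
FULL_CHARSET = string.digits + string.ascii_letters + string.punctuation
UPPER_CHARSET = string.digits + string.ascii_uppercase + string.punctuation


def lm_key_inputs(password: str):
    """The two 7-byte blocks LM uses as DES keys, or None when Windows stores no
    LM hash because the password is longer than 14 characters."""
    if len(password) > LM_MAX_LEN:
        return None
    # LM uppercases the password and zero-pads it to exactly 14 bytes
    # (non-ASCII replaced here; real LM uses the OEM code page).
    padded = password.upper().encode("ascii", "replace").ljust(LM_MAX_LEN, b"\x00")
    return padded[:7], padded[7:]


def lm_collides(a: str, b: str) -> bool:
    """True when two passwords share one LM hash, e.g. differing only in case."""
    return lm_key_inputs(a) is not None and lm_key_inputs(a) == lm_key_inputs(b)


def lm_audit(password: str) -> dict:
    """What a defender can read off the stored LM representation of a password."""
    halves = lm_key_inputs(password)
    if halves is None:
        return {"lm_hash_stored": False, "stored_value": LM_NO_HASH}
    _, second = halves
    # 7 characters or fewer: the second half is all zeros, so its half-hash is
    # the public constant LM_NULL_HALF, which exposes the short length in audits.
    return {"lm_hash_stored": True,
            "second_half_is_null_constant": second == b"\x00" * 7}


def strength_bits_lm() -> float:
    """Effective keyspace of an LM hash: two independent case-folded 7-character
    halves, so about one bit more than a single half, not double the exponent."""
    return math.log2(2 * len(UPPER_CHARSET) ** 7)


def strength_bits_full(length: int) -> float:
    """Effective keyspace of a case-sensitive password stored in one piece."""
    return length * math.log2(len(FULL_CHARSET))
```

Even an 8-character case-sensitive password in one piece exceeds the effective keyspace of any LM hash, which is why typing a short password twice (removing the LM hash altogether) is a real gain.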