Contributor I

Password expiration recommendation

Hello folks,

Wondered what you would recommend as an appropriate password expiration time? Targeted are the privileged account passwords, which eventually would be managed by a tool that would reset them every other day, but at this point I wonder what a good period is. Normal accounts' passwords expire at 45 days and I want to harden the privileged ones. What do you think is a suitable time?

12 Replies
Community Champion

Re: Password expiration recommendation

The best current advice on password expiration rules is in the recent update (12/1/2017) to NIST Special Publication 800-63B, "DIGITAL IDENTITY GUIDELINES: AUTHENTICATION & LIFECYCLE MANAGEMENT," which says in section 10.2.1, Memorized Secrets, "Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."

This advice is part of a major update to the set of NIST SPs on identification and authentication, 800-63-3, 800-63A, 800-63B, and 800-63C, all released December 2017. I recommend you download all four for review from https://csrc.nist.gov/publications/sp

The pubs take an entirely new approach to password management, including doing away with periodic expiration and gross complexity rules. The changes are monumental, given decades of password management advice that essentially ignored the realities of memory and cognitive capability by users. A human factors approach to passwords is finally coming into view with the changes.

For a lighthearted and informative talk on this topic see my short (25 minute) INFOSEC WORLD 2016 presentation, "Why Don't they Follow the Rules? Maybe It's the Boss's Fault!" on YouTube at https://youtu.be/VhkH3BfWcd8 based on my dissertation research on password usage.

Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
Community Champion

Re: Password expiration recommendation

@CraginS has the best advice, referring you to the NIST documents. Read Appendix A (Page 67) of NIST 800-63B to understand why our current thinking is "wrong" and then read the rest of 800-63B to understand the better way.

The quick take-aways:

  1. No matter what you do, passwords alone do not offer a high level of identity assurance. In scenarios where assurance is important, use multi-factor authentication.
  2. Arbitrary lifetime and complexity rules fail due to human factor issues.
  3. With passwords, length is the only thing that really matters because that is how one defends against brute force and rainbow tables. I know someone will claim that "Pa$$w0rd" is better than "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa". That pedantic person has a point, but is also missing the broader message.

As an aside, if using Windows, it is better to use 15+ characters for your critical accounts (until you can implement MFA).  This is because the length triggers a change in how passwords are stored, defeating many of the classic attack vectors.

Community Champion

Re: Password expiration recommendation

Can't offer an opinion on the optimal password expiration time, but since passwords are intrinsically vulnerable, have you explored multi-factor authentication, at least for selected critical accounts?

Just a thought.
____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Contributor I

Re: Password expiration recommendation

Hey, thank you all very much. Agreed about all; I will definitely check out the NIST text and the video of @CraginS. MFA is the ultimate goal indeed, however until then I'd like to increase length and decrease expiration periods at least... do you think this is absolutely useless?

Newcomer III

Re: Password expiration recommendation

Improvements are seldom useless, unless really badly thought out! If you do live in a Windows environment, then please take note of the remark above about >15-character passwords: unless you have disabled the facility, Windows makes LAN Manager hashes of passwords to maintain compatibility with legacy apps. LM hashes are easy to break, but don't work with passwords in excess of 15 characters, hence the advice. MFA has much to recommend it, particularly for privileged accounts.

If you wish to see a flipside of the NIST advice, take a look at something from the other side of the pond:

https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

One UK academic institution had the neat idea of having reasonably lax complexity rules but setting password expiry time based on the quality of the password selected by the user.

As with much in our line of business, one size does not fit all 🙂
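The "expiry based on password quality" idea above and the thread's 15-character advice for Windows accounts, worked into a small policy helper. This is an added example, not code posted by anyone in this thread; the entropy estimate, the expiry tiers and day counts, and the 15-character privileged minimum are illustrative assumptions, not any institution's real policy. The one fact it relies on beyond the thread is that an LM hash is only produced for passwords of at most 14 characters, computed over the uppercased password split into two 7-character halves.

```python
import math
import string

# Added example (not from the thread): a password policy helper that
# 1) estimates a password's brute-force entropy,
# 2) derives an expiry period from that estimate, along the lines of the
#    "expiry time based on password quality" idea mentioned in the post above, and
# 3) reports whether a Windows LAN Manager (LM) hash would be stored for it.
# The tiers, day counts and 15-character privileged minimum are assumptions
# chosen for illustration, not any organisation's real policy.

MIN_PRIVILEGED_LENGTH = 15   # thread advice: 15+ characters on privileged Windows accounts
LM_MAX_LENGTH = 14           # LM hashes are only produced for passwords of at most 14 chars

# (character class, class size) pairs used to size the guessing alphabet;
# whitespace and non-ASCII characters are not counted toward the alphabet
_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),   # 32 ASCII symbols
)

def alphabet_size(password: str) -> int:
    """Sum of the sizes of the character classes the password actually uses."""
    return sum(size for chars, size in _CLASSES if any(c in chars for c in password))

def estimated_entropy_bits(password: str) -> float:
    """Crude brute-force entropy: length * log2(alphabet size).

    This is an upper bound: dictionary words and keyboard patterns are far
    weaker than it suggests, which is why it feeds a coarse tiered policy
    rather than being treated as a precise score.
    """
    size = alphabet_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)

def lm_hash_stored(password: str) -> bool:
    """True if Windows (with LM hashing enabled) would store an LM hash for this password."""
    return len(password) <= LM_MAX_LENGTH

def lm_effective_bits(password: str):
    """Entropy of the strongest 7-character half under LM, or None if no LM hash exists.

    LM uppercases the password, pads it to 14 characters and hashes the two
    7-character halves independently, so the search an attacker faces is
    bounded by one 7-character, case-insensitive half, not the whole password.
    """
    if not lm_hash_stored(password):
        return None
    upper = password.upper()
    halves = (upper[:7], upper[7:14])
    return max(estimated_entropy_bits(h) for h in halves)

def expiry_days(password: str, privileged: bool = False) -> int:
    """Expiry period in days for a password; 0 means 'not acceptable at all'.

    Stronger passwords expire later. Privileged accounts must also clear the
    15-character bar so that no LM hash is stored for them in the first place.
    """
    if privileged and len(password) < MIN_PRIVILEGED_LENGTH:
        return 0
    bits = estimated_entropy_bits(password)
    if bits < 40:
        return 0          # reject: too weak to keep for any period
    if bits < 60:
        return 45         # same figure as the 45-day period the original poster mentioned
    if bits < 80:
        return 90
    return 365

if __name__ == "__main__":
    # constructed sample passwords, including the two from the thread
    for pw in ("Pa$$w0rd", "a" * 34, "Pa$$w0rdPa$$w0rd"):
        print(f"{pw!r}: ~{estimated_entropy_bits(pw):.1f} bits, "
              f"expiry {expiry_days(pw)}d (privileged: {expiry_days(pw, privileged=True)}d), "
              f"LM hash stored: {lm_hash_stored(pw)}, LM effective bits: {lm_effective_bits(pw)}")
```

Running it shows the point made elsewhere in the thread: "Pa$$w0rd" scores about 52 bits on paper but, as an LM-hashed password, its strongest half is only about 43 bits, and it fails the privileged-account check outright, whereas a 16-character password has no LM hash at all.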

Community Champion

Re: Password expiration recommendation

My personal preference would be to increase password complexity, not to increase password renewal frequency, for practical reasons. When you increase the renewal frequency, users tend to make short-cuts, like hiding written-down passwords in very 'secure' places like under the keyboard. And if you don't have a self-admin tool for password reset, your helpdesk will be inundated with calls.

Intrusion detection systems that can track user activities are excellent measures, albeit 'post-intrusion', for detecting anomalies.

Best,
____________________________________
Chuxing Chen, Ph.D., CISSP, PMP
Community Champion

Re: Password expiration recommendation
@Deyan wrote:

... do you think this is absolutely useless?

Yes.

Dr. D. Cragin Shelton, CISSP
Community Champion

Re: Password expiration recommendation
@Chuxing wrote:

... When you increase the renewal frequency, users tend to make short-cuts, like hiding written down passwords in very 'secure' places like under the keyboard. ...
Password complexity rules are equal to renewal frequency in causing users to record passwords. Complex passwords are difficult to remember. I addressed both of these aspects specifically in my dissertation.

You can view my 55-minute defense with that discussion at

Dissertation on ProQuest Open Access

Dr. D. Cragin Shelton, CISSP
Community Champion

Re: Password expiration recommendation
@Chuxing wrote:

my personal preference would be to increase password complexity

As evidenced by the links in this topic, experts pretty much agree that length is more important than complexity.

Also, it is much better for privileged Windows accounts to have 15+ characters. Even if you simply type your traditional 8-character password twice, you mitigate the LAN Manager weaknesses.