
Time to rethink mandatory password changes

Lorrie Cranor, Chief Technologist


Mar 2, 2016

TAGS: Authentication, Human-computer interaction, Passwords, Research

Data security is a process that evolves over time as new threats emerge and new
countermeasures are developed. The FTC’s longstanding advice to companies has been
to conduct risk assessments, taking into account factors such as the sensitivity of
information they collect and the availability of low-cost measures to mitigate risks. The FTC
has also advised companies to keep abreast of security research and advice affecting their
sector, as that advice may change. What was reasonable in 2006 may not be reasonable
in 2016. This blog post provides a case study of why keeping up with security advice is
important. It explores some age-old security advice that research suggests may not be
providing as much protection as people previously thought.

When people hear that I conduct research on making passwords more usable and secure,
everyone has a story to tell and questions to ask. People complain about having so many
passwords to remember and having to change them all so frequently. Often, they tell me
their passwords (please, don’t!) and ask me how strong they are. But my favorite question
about passwords is: “How often should people change their passwords?” My answer
usually surprises the audience: “Not as often as you might think.”

I go on to explain that there is a lot of evidence to suggest that users who are required to
change their passwords frequently select weaker passwords to begin with, and then
change them in predictable ways that attackers can guess easily. Unless there is reason to
believe a password has been compromised or shared, requiring regular password changes
may actually do more harm than good in some cases. (And even if a password has been
compromised, changing the password may be ineffective, especially if other steps aren’t
taken to correct security problems.)

Mandated password changes are a long-standing security practice designed to periodically
lock out unauthorized users who have learned users’ passwords. While some experts
began questioning this practice at least a decade ago, it was only in the past few years
that published research provided evidence that this practice may be less beneficial than
previously thought, and sometimes even counterproductive. Let’s take a look at two
excellent peer-reviewed papers that address this issue.

What actually happens when users are required to change their passwords?

In The Security of Modern Password Expiration: An Algorithmic Framework and Empirical
Analysis, researchers at the University of North Carolina at Chapel Hill present the results
of a 2009-2010 study of password histories from defunct accounts at their university.

The UNC researchers obtained the passwords to over 10,000 defunct accounts belonging
to former university students, faculty, and staff. Users were required to change the
password for these accounts every 3 months. For each account, the researchers were
given a sequence of 4 to 15 of the user’s previous passwords – their total data set
contained 51,141 passwords. The passwords themselves were scrambled using a
mathematical function called a “hash.” In most password systems, passwords are stored in
hashed form to protect them against attackers. When a user types in a password, the
system runs it through the same mathematical function to produce a hashed version of the
password they just typed. If it matches the hashed password that was previously stored for
the user, then the user is able to log in.

The UNC researchers used password cracking tools to attempt to crack as many hashed
passwords as they could in an “offline” attack. Offline attackers are not limited to a small
number of guesses before being locked out. Attackers first gain access to a system and
steal the hashed password file. They take that file to another computer and make as many
guesses as they can. Rather than guessing every possible password in alphabetical order,
cracking tools use sophisticated approaches to guess the highest probability passwords
first, then hash each guess and check to see whether it matches one of the hashed
passwords. The UNC researchers’ password cracking system ran for several months and
eventually cracked about 60% of the passwords. For 7,752 accounts, the researchers
were able to crack at least one password that was not the last password the user created
for that account. The researchers used the passwords for this set of accounts to conduct
the rest of their study.

The researchers then developed password cracking approaches that formulated guesses
based on the previous password selected by a user. They observed that users tended to
create passwords that followed predictable patterns, called “transformations,” such as
incrementing a number, changing a letter to a similar-looking symbol (for example changing
an S to a $), adding or deleting a special character (for example, going from three
exclamation points at the end of a password to two), or switching the order of digits or
special characters (for example moving the numbers to the beginning instead of the end).
While not mentioned in this paper, I have heard from many users that they include the
month (and sometimes year) of the password change in their passwords as an easy way
to remember frequently changed passwords.

The researchers performed an experiment in which they used a subset of the passwords
to train their cracking algorithm to apply the most likely transformations and then use it to
crack the remaining passwords. The paper includes a lot of technical detail about what
they did, but the bottom line results are striking. The UNC researchers found that for 17%
of the accounts they studied, knowing a user’s previous password allowed them to guess
their next password in fewer than 5 guesses. An attacker who knows the previous
password and has access to the hashed password file (generally because they stole it)
and can carry out an offline attack can guess the current password for 41% of accounts
within 3 seconds per account (on a typical 2009 research computer). These results
suggest that after a mandated password change, attackers who have previously learned a
user’s password may be able to guess the user’s new password fairly easily.

The researchers also found that users who started with the weakest passwords were most
susceptible to having their subsequent passwords guessed by applying transformations. In
addition, they found that if they could crack a password using certain kinds of
transformations once, they had a high probability of being able to crack additional
passwords from the same account using a similar transformation. That is, once an attacker
discovers that a user is applying a transformation to change their password, that attacker
has a good chance of being able to crack the user’s password every time they change it.

Measuring the impact of password expiration policies

More recently, researchers at Carleton University wrote a paper in which they developed a
quantitative measure of the impact of password expiration policies.

The Carleton researchers assume that an attacker will systematically attempt to guess
every possible password until they guess the user’s password. Depending on the system
policies and the attacker’s situation, this may happen quickly or very slowly. Attackers who
know that users must create new passwords periodically will start the process over again if
they don’t guess a user’s password after exhausting all guesses. Today, attackers who
have access to the hashed password file can perform offline attacks and guess large
numbers of passwords. The Carleton researchers demonstrate mathematically that
frequent password changes only hamper such attackers a little bit, probably not enough to
offset the inconvenience to users. (On the other hand, without inconveniencing users,
system administrators can use slow hash functions, e.g. bcrypt, to make it significantly
harder for attackers to guess large numbers of passwords.)

The Carleton researchers also point out that an attacker who already knows a user’s
password is unlikely to be thwarted by a password change. As the UNC researchers
demonstrated, once an attacker knows a password, they are often able to guess the user’s
next password fairly easily. In addition, an attacker who has gained access to a user’s
account once may be able to install a key logger or other malware that will allow them to
continue to access the system, even if the user changes their password.

There is also evidence from interview and survey studies to suggest that users who know
they will have to change their password do not choose strong passwords to begin with and
are more likely to write their passwords down. In a study I worked on with colleagues and
students at Carnegie Mellon University, we found that CMU students, faculty and staff who
reported annoyance with the CMU password policy ended up choosing weaker passwords
than those who did not report annoyance. I can relate to this: I am not inclined to put in
much effort to come up with a strong password when I am suddenly prompted to change
my password while trying to log in so I can get my work done. While we don’t yet have a
controlled study demonstrating the impact of password expiration policies on user
behavior, there is quite a bit of evidence to suggest that these policies may be
counterproductive.

When should passwords be changed?

So, should you ever change your password? Well, sometimes. If you have reason to
believe your password has been stolen, you should change it, and make sure you change
it on all of your accounts where you use the same or a similar password. If you shared
your password with a friend, change it. If you saw someone looking over your shoulder as
you were typing your password, change it. If you think you might have just given your
password to a phishing website, change it. If your current password is weak, change it. If it
will make you feel better or if you just feel like it’s time for a change, then by all means go
ahead and change your password.

Regardless of why you are changing your password, choose a new password unrelated to
the old one and don’t reuse a password from another account. Under some circumstances
there may be other steps you should take as well to make sure your system or account
has not been compromised in a way that will render your password change ineffective.
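Here is an added example (my own, not code from this post or from either paper) of how a password-change form could enforce the advice above to pick a new password unrelated to the old one. It rejects a new password that is one of the transformations the UNC researchers describe: incrementing a number, swapping a letter for a look-alike symbol, adding or removing special characters, or moving the digits to the other end. The look-alike substitution table and the edit-distance threshold are my assumptions, and the sample password pairs are made up, not drawn from the UNC data set.

```python
import re

# Look-alike substitutions to undo, e.g. "S" -> "$" as in the post.  The table
# itself is an assumption; extend it for your own user population.
LOOKALIKE = {"$": "s", "@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
             "5": "s", "7": "t"}


def cores(pw: str) -> tuple:
    """Two reductions of a password to its letters only.

    stripped: lowercase with every digit and symbol removed, so that number
              increments, symbol counts and digit placement no longer matter.
    unleet:   the same, but look-alike symbols are first turned back into
              letters, so "pa$$w0rd" and "password" collapse to one string.
    """
    low = pw.lower()
    stripped = re.sub(r"[^a-z]", "", low)
    unleet = re.sub(r"[^a-z]", "", "".join(LOOKALIKE.get(c, c) for c in low))
    return stripped, unleet


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by the usual row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def predictable_change(old: str, new: str) -> tuple:
    """Return (True, reason) when `new` is a predictable transformation of
    `old`, otherwise (False, "ok").  Meant to run at password-change time,
    the one moment the old password is available in cleartext."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True, "unchanged apart from letter case"
    if o in n or n in o:
        return True, "characters were only appended or removed"
    so, uo = cores(old)
    sn, un = cores(new)
    if ({so, uo} & {sn, un}) - {""}:
        return True, "same letters; only digits, symbols or look-alike substitutions differ"
    # Small edit distance on either the raw strings (catches all-digit
    # increments such as 123456 -> 123457) or on the letter cores
    # (tarheels -> tarheelz).  Threshold: one edit per four characters.
    if levenshtein(o, n) <= max(1, len(o) // 4):
        return True, "only a few characters differ"
    if so and levenshtein(so, sn) <= max(1, len(so) // 4):
        return True, "only a few letters differ"
    return False, "ok"


if __name__ == "__main__":
    # Constructed sample pairs, not passwords from the UNC data set.
    for old, new in [("tarheels#1", "tarheels#2"), ("password", "pa$$w0rd"),
                     ("summer!!!", "summer!!"), ("summer2016", "2016summer"),
                     ("123456", "123457"), ("tarheels#1", "ocean-vellum-trombone-47")]:
        print(f"{old!r:>14} -> {new!r:<28} {predictable_change(old, new)}")
```

The check only sees the two passwords in front of it, so it will not catch a user who rotates through unrelated words with the same month or year appended (the pattern I mention hearing from users, which is not in the paper); that kind of rotation is better discouraged by not forcing the change in the first place.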

Should organizations mandate regular password changes? The National Institute of
Standards and Technology (NIST) explained in a 2009 publication on enterprise password
management that while password expiration mechanisms are “beneficial for reducing the
impact of some password compromises,” they are “ineffective for others” and “often a
source of frustration to users.” They went on to encourage organizations to balance
security and usability needs, outlining some factors to consider. NIST emphasized that
other aspects of password policies may have greater benefits than mandatory expiration,
including requirements for password length and complexity, as well as use of slow hash
functions with well-chosen “salt” (a technique to make sure that if two users have the same
password they won’t look the same when hashed).
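To make the hashing and verification steps described earlier concrete, here is an added example (my own, not code from this post, from NIST or from either paper) of a password store that does what the post and NIST recommend: a random per-user salt and a deliberately slow hash. It uses PBKDF2 from Python's standard library rather than bcrypt, which the post names, because bcrypt needs a third-party package; the iteration count, record format and function names are my choices. The `slowdown_factor` function measures on your own machine how much more expensive each guess becomes for an offline attacker compared with a single plain SHA-256.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000   # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, generated fresh per password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a new password with a fresh random salt.  The returned record is
    self-describing (algorithm$iterations$salt$digest, all hex) so that the
    iteration count can be raised later without breaking existing records."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """What happens at login: run the typed password through the same function
    with the stored salt and iteration count, then compare the result with the
    stored digest in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def slowdown_factor(iterations: int = ITERATIONS, trials: int = 2000) -> float:
    """Measure how many times longer one guess takes with the slow hash than
    with a single unsalted SHA-256 on this machine.  An offline attacker who
    could test N plain hashes per second can test only about N / factor
    candidates per second against these records."""
    sample, salt = b"constructed-sample-password", os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.sha256(sample).digest()
    fast = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", sample, salt, iterations)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    # Constructed demo: two users who happen to pick the same password.
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")
    print("records differ thanks to the salt:", alice != bob)
    print("alice logs in:", verify_password("correct horse", alice))
    print("wrong password rejected:", verify_password("correct horse!", alice))
    print(f"each guess costs about {slowdown_factor():,.0f}x a plain SHA-256")
```

Because the record carries its own iteration count, an administrator can raise `ITERATIONS` and re-hash each user's password the next time they log in successfully, which is the kind of server-side hardening that improves security without asking users to change anything.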

So, depending on your particular situation, there may be some good reasons to require
your users to change their passwords. However, it is important to assess the risks and
benefits for your organization, as well as alternative ways of increasing security. Research
suggests frequent mandatory expiration inconveniences and annoys users without as
much security benefit as previously thought, and may even cause some users to behave
less securely. Encouraging users to make the effort to create a strong password that they
will be able to use for a long time may be a better approach for many organizations,
especially when combined with slow hash functions, well-chosen salt, limiting login
attempts, and password length and complexity requirements. And the best choice –
particularly if your enterprise maintains sensitive data – may be to implement multi-factor
authentication.

Organizations should weigh the costs and benefits of mandatory password expiration and
consider making other changes to their password policies rather than forcing all users to
keep changing their passwords.

The author’s views are his or her own, and do not necessarily represent the views of
the Commission or any Commissioner.
