Sun Mar 1 11:30:48 PST 2015

Miscellaneous: Password changes: What is a rational policy for requiring password changes?


Options:

Option 1: Never change passwords.
Option 2: Change passwords when there is a specific reason to do so.
Option 3: Change passwords at convenient system changeover times.
Option 4: Change passwords at regular intervals.

Decision:

IF the mechanisms make password changes unmanageable and other mitigating controls can be put in place, THEN never change passwords,
OTHERWISE IF there are regulatory or contractual mandates requiring periodic changes, THEN change passwords at regular intervals,
OTHERWISE IF different people will be working on replacement systems or a regular change control window is used for updates and a password change is called for, THEN change passwords at convenient system changeover times,
OTHERWISE Change passwords when there is a specific reason to do so.

Basis:

Never change passwords.
"Never say never" may apply here. In some cases changing passwords may not reduce exposures, but these cases are rare. For example, for a physically secured system without external user access and where only authorized users have physical access to the location with the computer, password changes may be of little or no value.

Change passwords when there is a specific reason to do so.
Changing passwords whenever there is a specific reason to believe that there is an exposure is clearly a sensible idea, but if carried to extremes it may be too expensive for the level of the exposure. This approach calls for knowing when an event has occurred and what systems may be affected by it. Examples of events causing obvious exposures include the movement of an employee from one job to another, a known computer break-in, or a change in key personnel. In each case, access in excess of that necessary for the users' job functions is caused by their ability to access accounts using known passwords. Figuring out which systems may be affected is somewhat complicated by interdependencies of systems and commonalities between systems. For example, if a file server password is exposed, it may affect all of the systems that use that file server. If the same user has access to multiple systems, they likely use the same or similar passwords on many of those systems, and all of those systems are therefore exposed. There are many other similar examples.

Change passwords at convenient system changeover times.
There is nothing inherently wrong with this practice, and indeed all new systems should have all user passwords initially set to non-default values. But this does not address the other exposure issues and is thus of limited value.

Change passwords at regular intervals.
This is recommended by most security standards and thus widely accepted. There are, however, some problems with changing passwords at regular intervals. Some of the major problems include:

The basic reason to change a password is that the password in question may be known to an unauthorized user. The period of time between when an unauthorized user knows a password and when the password is changed represents a period of exposure to attack. The goal of password changes is to reduce this exposure. It is also important to consider that a fairly short exposure period can cause high consequences. In many cases, within seconds to minutes of an initial break-in, "back doors" are put in place to allow reentry to the system even if the passwords are changed. For this reason, simply changing passwords may not be an effective action when an exposure occurs.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved