Can Good Password Hygiene Be Enforced?

Do regular password changes actually make things worse? A recent article at CSO Online suggests that they might.

A summary of that article would read:

Trust your users not to use the same passwords everywhere, because forcing them to use a different one periodically will backfire when they use similar passwords everywhere. When one of those is compromised, the odds of your users making bad password decisions are higher if you forced them to change yours periodically.

You cannot keep people from making bad decisions about passwords, any more than you can keep them from making bad decisions in other areas of their lives. My apologies in advance to those of you who have never had a hangover or a worrisome rash. What you CAN do is mitigate the consequences of bad behavior. These researchers point out that passwords are easy to crack if they’re similar to other cracked passwords. True, but they are making a risk calculation involving an assumption about human nature that is not backed up by fact: that good password practices turn into bad ones when you force password changes.

Until someone is able to prove that assertion – and good luck with that – a policy that encourages passwords never to expire is a far riskier move. Better that they be slightly different than identical. Your users are making bad decisions regarding passwords all the time, except for those who use a password manager, and for them the requirement to change a password periodically to something unique and complex is a trivial exercise.

I’m in agreement that passwords as we know them are fairly awful. Passwords were the best we could do until we got time-based one-time passwords, and now that we have them (Google Auth, Duo, SecurID, Authy, YubiKey, the list goes on) we are back to having security online that is better than security anywhere else in the world – if it’s actually used. Your computer can now have keys that are just as effective as your car’s, if not more so. And if you’re tired of carrying around a lot of keys, we have a solution for that too – called “single sign-on.” But the lazy way out is to trust end users with their own security, and so that’s what we do, until we don’t.