Your 90 day password policy is bad and you should feel bad

Enterprise Level IT is a concatenation of the worst government practices on the planet and shitty engineering. That is to say, there are some things that are allowed in the IT world that make zero sense at all. One of them happens to be this notion that passwords should be reset every 90 days. I don’t know which of the world’s systems administrators first came up with this policy, but I have an overwhelming suspicion that it was to cover up a mistake or flaw in their password database.

I’ve heard about 2 solvent reasoning behind the password change  theory:

1.) That in the event that a copy of your database (an archive) is compromised, the hash’s can’t be unraveled and the passwords used against you. 

This reason falls apart completely when you apply even the lightest amount of logic to it. The most obvious being that if the database that is storing your database (or AD server or whatever) has been compromised, you are fucked anyway. You have far more serious issues then the terrible excuses for passwords that your users came up with. In fact, that issue is so severe, you’re going to need to have people reset their password anyway, so putting it on a clock isn’t going to suddenly mean they won’t need to reset their password when you get compromised.

2.) That if someone is running a dictionary attack against you of some sort, or is attempting to brute force a password, changing the password makes your chances better

I don’t know who thought the math behind this worked out, but all that changing your password doesn’t suddenly make a brute force generator any less determined to get your password. As far as the brute force generator was concerned it has a random chance before and after the password change, the target goal is still 1 in x.

The real problem with the forced password change is the complete neglect of how human memory and motivation work. As a hint, your users do not care about your data. It’s not their responsibility to make it stay safe. They complied with your crazy password requirements the first time and didn’t write that crazy password down. Each time you ask them to come up with a new one they will make it easier and easier for an attacker to get into to help with their own memory. Think this is some kind of crazy ranting, well what do you think when Microsoft says it?

The fact of the matter is that the password change has no positive effect on security. In fact, it usually just causes the user to write the password down.

Let’s get something clear

If your user has written their password down, you have failed in every way as a systems administrator

In fact, a password safe really isn’t that much better, as it just became a single point of failure for what could be an entire array of servers and accounts. Instead of each server being individually protected, now all the attacker or clever social engineer needs is a single password and access to that database file. The continued problem is that in most companies, an entire group of individuals needs access to that database file in order to get to their various servers. From a social engineering standpoint, it’s easy pickings to dismantle an entire infrastructure by just knowing which point to attack.

The second a user writes down that password, they have just given every janitor, passerby, and guest access to their account. It is the ultimate chink in IT armor.

If you want actual security, draft a strict password policy from the get go. That way your user has one stable password that works for them, they won’t write it down, and it becomes almost a biometric form of identification. If you make a password policy good enough, your user will draft a singular, solid, strong, and acceptable password policy. If you are worried that isn’t enough then create a proper secondary authentication method, and I’m not talking about a secret question here (as that seems to be the running theory on how to do things).

No instead, let’s talk about Biometrics, Pass keys, random ints generated by something tied to the individual. It creates a double layer of protection where both tokens have to be present to authenticate.

Let’s also add that this whole Upper Case, Lower Case, Numbers, Special Characters. That’s all fine and dandy, but don’t you dare get pissy when my “The quick brown fox jumps over the lazy dog” is (in theory) thousands of times stronger than your 12 character amalgamation of crazy. Seriously, allowing spaces and asking for pass phrases (not passwords) is just as effective in a security sense. Now from a social engineering sense? Yes the pass phrase is usually going to be easier to guess because a user tends to take the easiest course of action. Any password brute force device worth its salt is going to check the “1337” versions of any given password, and that version is exactly what your user is going to put in (path of lease resistance).

So seriously, don’t just take the standard “These are the password policy’s of god, accept them as such”. It shows an evident lack of critical thought, and perhaps worse than that it shows a complete misunderstanding of your users. Always remember that your users are what make the company go, you just make the company go faster. You should realize that while they aren’t the best thing your new Server 2008 WSUS server should have to talk to, they are the only thing it gets to talk to. At the end of the day you write policies that generally kill their creativity and in their eyes take away freedom. In that way, you’re off to a bad start, and it’s never a bad idea to try to ease the wounds that flow in that relationship.

You are not a dictator of a company, you are a tool that no different than any other supporting column in that building. You are the steel support beam that was wood before you.

I know these analogies are growing tired, but I’m trying to drive home a point. No matter how well you know computers, you have to know the people using them better. And while my approach comes from a much less “the users are satan incarnate” approach, I plead with people to think about their users as people and not problems.

This entry was posted in Geeky and tagged , , , , , , . Bookmark the permalink.

One Response to Your 90 day password policy is bad and you should feel bad

  1. I’ve worked in IT for a while and I’ve heard loads of reasons for changing passwords and even agree with some of them. The main reason for it is to provide employment for junior sysadmins as they have a regular task of resetting passwords when people forget them – self preservation. In 1994, when I started my first IT job a secretary told me she just incremented a number at the end of her password each time she changed it. I do the same thing to this day. Of course she used to write down the new password on a post it because she still couldn’t remember what number she was on 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s