Bruce Schneier had an interesting post where he attacked the commonplace practice of requiring regular password changes. Usual corporate IT policies require changes every 90 days, and in some high security environments, more frequently than that.
The basic issue with frequent password changes is that humans will create a system that makes it easy to remember the next iteration of the password. This makes it easier for attackers to try and guess what your next password is too.
For example, at Secure 360 last May I sat in a presentation on password cracking, and the presenter discussed what sort of trends he was seeing in the password cracking he was doing as part of a penetration test for client companies. One standout was the frequency that month and year passwords were appearing in the results. That’s right – the popular password this month is “August2016!” with the exclamation point adding the necessary “complexity.” But how complex is this when this is a known trend. So an attacker merely has to try a few month/year variations and at some point he will find a winner. The outstanding thing is that many of your coworkers have come up with the same plan and have the same password as you!
So the contrary idea – let people choose a password and keep it indefinitely – may actually produce more difficult to guess passwords. I know that I have used the same password for many of my online accounts for a long time without incident. Usually, I will change the password if I suspect there has been unauthorized access, or if the web service notifies me of unusual activity on the account, or when I read about a large password breach for a certain web site in the news.
Plus I have taken wholeheartedly to using a password manager (LastPass) that can create unique random passwords for me, and insert them into the sign-in box automatically. And let’s not forget two-factor authentication either. These solutions overcome many of the weaknesses inherent in user generated passwords.
Perhaps it is time to look at this requirement to corporate IT policy and replace it with something better.