Time to drop regular password changes

A mediocre bit of journalism in Forbes notes a security breach at NVIDIA, the video card company, that was notified to employees by an email from their Privacy Office last month.

The email is light on details about the breach, apparently, but it appears employee usernames and passwords may have been compromised in some manner.  For some reason, the journalist latched on to particular parts of the security awareness advice included in the email concerning being alert to phishing and care over passwords: maybe he has additional information about the incident ... or perhaps he simply doesn't understand what he's reporting.

According to the Forbes piece, NVIDIA's email includes the recommendation "Regularly change your passwords on both company and personal accounts. Avoid using the same password for more than one account".

From the information security perspective, I agree with not re-using passwords (although that has significant implications given the number of accounts that most of us currently maintain) but regular password changes can be counterproductive: it is hard enough to generate and remember one good password or passphrase, let alone a new one every so often. If employees are to use unique passwords on each system, the additional requirement to change them 'regularly' is onerous, especially as the reasons for doing so are, at best, obscure and perhaps erroneous.

'Regular' password changes have been part of the folklore in IT for decades, but I don't really understand the origin of the approach, nor why it continues today. I'm all in favour of irregular/one-off password changes, by which I mean people ought to be able and urged to change their passwords promptly if there is any hint of a breach. I guess one could argue that 'regular' password changes get them used to the mechanism so they can change their passwords more efficiently when they actually need to do so, in other words 'regularly' changing passwords may have some value as an exercise, a way to practice ... but at what cost?

'Regular' password changes do reduce the period during which someone who has somehow obtained or guessed a password can use the account, but password lifetimes are typically between one and three months: an identity thief can do a lot of damage in minutes, let alone days, weeks or months. If that is the intended effect of the control, it is very weak.

A better security control in that case is to tell users at login time when they last logged in: if someone else has been using the account, the time since last login can be a dead giveaway. This used to be a bog-standard feature on networked IT systems two decades ago, but is vanishingly rare today. 

Automated activity monitoring on the systems could, potentially, make the control even more effective: if a given user normally only logs in on work days during normal working hours from the LAN, but suddenly logs in out of hours or from a remote system, that change can be identified by the system and yellow flagged. If subsequent activities by the user on the same session turn out to be suspicious (e.g. unusual transactions, security events etc.), it may be appropriate to raise the red flag, block the account, and have someone contact the user to find out exactly what's going on. This is real time risk management, much more effective than 'regular' password changes ... but of course it is a complex and potentially costly and disruptive approach. It may be appropriate for relatively high-risk systems (e.g. banking, safety or missile-launch systems) but probably not for most. It's down to the owners of the systems to determine which controls are necessary to address the risks of concern. 'Regular' password changes may conceivably be appropriate but I'd be interested to see the justification in terms of the risks and the cost-effectiveness of the control.
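As an added illustration (not part of the original post), the two controls just described, the last-login notice from the previous paragraph and the baseline-versus-anomaly session monitoring from this one, run here over a constructed stream of login and session events. The LAN range, working hours, user name, addresses, timestamps and the set of actions treated as suspicious are all assumptions made for the example; the red flag is reported as a recommended action rather than enforced, so the legitimate user's next login still shows the tell-tale banner.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed "normal" pattern for this example: logins from the corporate LAN,
# on weekdays, between 08:00 and 18:59 local time.
LAN = ip_network("10.0.0.0/8")          # constructed LAN range
WORK_HOURS = range(8, 19)               # constructed working hours
# Constructed set of session actions that turn a yellow flag red.
SUSPICIOUS_ACTIONS = {"bulk_export", "password_change", "privilege_grant"}

# Constructed log. Line formats: "<ISO timestamp> <user> LOGIN <source ip> <session>"
# and "<ISO timestamp> <user> ACTION <action> <session>". 2024-03-04 is a Monday.
SAMPLE_LOG = [
    "2024-03-04T09:02:11 alice LOGIN 10.1.2.3 s1",
    "2024-03-04T09:05:00 alice ACTION view_report s1",
    "2024-03-05T09:01:40 alice LOGIN 10.1.2.3 s2",
    "2024-03-05T22:40:09 alice LOGIN 203.0.113.7 s3",   # out of hours, off the LAN
    "2024-03-05T22:41:30 alice ACTION bulk_export s3",  # suspicious follow-up
    "2024-03-06T08:55:00 alice LOGIN 10.1.2.3 s4",      # real user sees the giveaway
]


@dataclass
class Account:
    user: str
    last_login: Optional[datetime] = None
    last_source: Optional[str] = None
    flags: dict = field(default_factory=dict)   # session id -> "yellow" / "red"


def last_login_banner(acct: Account, now: datetime, source: str) -> str:
    """Build the 'last login' notice for this login, then record the login.

    A user who sees a time or source they do not recognise has direct
    evidence that someone else has been using the account.
    """
    if acct.last_login is None:
        banner = "First login recorded."
    else:
        banner = f"Last login: {acct.last_login:%Y-%m-%d %H:%M} from {acct.last_source}"
    acct.last_login, acct.last_source = now, source
    return banner


def login_anomalies(now: datetime, source: str) -> list[str]:
    """List the ways a login departs from the assumed normal pattern."""
    reasons = []
    if now.weekday() >= 5:              # Saturday or Sunday
        reasons.append("weekend")
    if now.hour not in WORK_HOURS:
        reasons.append("out-of-hours")
    if ip_address(source) not in LAN:
        reasons.append("remote source")
    return reasons


def process_line(accounts: dict[str, Account], line: str) -> str:
    """Apply one log line to the account state and return the resulting status."""
    ts, user, kind, detail, session = line.split()
    now = datetime.fromisoformat(ts)
    acct = accounts.setdefault(user, Account(user))
    if kind == "LOGIN":
        banner = last_login_banner(acct, now, detail)
        reasons = login_anomalies(now, detail)
        if reasons:
            acct.flags[session] = "yellow"     # unusual, but not yet actionable
            return f"yellow ({', '.join(reasons)}); {banner}"
        return f"ok; {banner}"
    if kind == "ACTION":
        if acct.flags.get(session) in ("yellow", "red") and detail in SUSPICIOUS_ACTIONS:
            acct.flags[session] = "red"        # anomalous login plus suspicious activity
            return f"red ({detail} after anomalous login); block account and contact user"
        return "ok"
    raise ValueError(f"unknown event kind {kind!r}")


def run(lines: list[str]) -> list[str]:
    """Process a whole log in order and return one status string per line."""
    accounts: dict[str, Account] = {}
    return [process_line(accounts, line) for line in lines]


if __name__ == "__main__":
    for line, status in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(f"{line:<50} -> {status}")
```

The yellow flag on its own only annotates the session; it is the combination of an anomalous login and a suspicious action in that same session that produces the red status, which keeps the control from firing on every employee who occasionally works late from home.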

There's loads more to say about passwords and user authentication in this month's security awareness module.