Eternal passwords

Thanks to a tip-off from a colleague on CISSPforum, I've been reading advice just published by CESG (one of several spooky UK government outfits) concerning fixed password lifetimes.

In short, the official advice is to make passwords eternal i.e. non-expiring. 

Encourage and make it easy for users to change their passwords if they feel their current passwords are weak or may have been compromised (e.g. shared, guessed, stolen in transit or hacked from storage) but don't force them to change their passwords simply because "it's time".


"It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis."

Having long advised clients against enforced password lifetimes, I challenge the assertion that it is perfectly sensible advice - longstanding, yes, but it has never been sensible. As far as I'm concerned, it is merely superstition or folklore based on misconceptions and cloudy thinking.  
  
Remembering lots of unique passwords is hard, so we humans tend to take shortcuts such as:
  • Re-using passwords with a predictable sequence on any one system and/or using the same password on multiple systems
  • Using passwords that are pathetically weak but easier to recall
  • Writing our passwords down (doh!)
  • Using obvious and hence easily-guessed rules to generate variant passwords on different systems, or obvious sequences for sequential passwords
Some of those weaknesses can be addressed by password parameters in the authentication systems, others through effective security awareness ... but forcing regular password changes exacerbates the problems with little benefit.  

Talking of the lack of benefit, password changes are costly. Users have to stop whatever they're doing, think of a new password, fire up the password-change function, enter their current and new passwords, and enter the new password again (both to cut down on typos and to practice remembering and entering it), and remember their new password. Sometimes they need several attempts to figure out (typically by trial and error since systems don't usually explain all their rules, at least not up-front) the particular combination and number of characters that the system will accept. Sometimes, they subsequently need to run the forgotten password routine as well because their new password is unfamiliar. They may well need to call the Help Desk, and hopefully they are forced to re-authenticate before their password is changed ... at which point they restart the change my password baloney.

All in all, it's a disruptive and costly process, made worse by the fact that users have been forced against their will to do it, for no good reason*

A more detailed CESG paper, referenced from the one cited above, aimed to offer "Advice for system owners responsible for determining password policy, advocating a dramatic simplification of the current approach at a system level". The advice is old-hat and hardly what I'd call 'dramatically' simple  Personally, I advocate password vaults, provided users choose long, strong passphrases with which to unlock the vault.  Since they only need remember the one, make it count.



* If you can explain lucidly why enforced password expiry (lifetimes) are a good idea, do please comment below. Seriously, I'd like to understand your reasoning. If your explanation is rational, fair enough. If you also take the trouble to explain things to your users when repeatedly forcing them to change their passwords, fantastic ...