It doesn’t matter what industry you are in: passwords are going to be a major part of daily life no matter where you are. Despite the famous 2004 prediction that the password is dead, it’s still kicking around today – along with an entire list of requirements and password policies put in place to make it as secure as possible for any given environment. Interestingly enough, recent studies have shown that some of those policies – namely mandatory password changes – may not be all that we had originally thought them to be.
Lorrie Faith Cranor, Chief Technologist at the Federal Trade Commission and computer science professor at Carnegie Mellon University, recently published a case study via the FTC blog noting that mandatory password changes may not be as effective as IT professionals think, and actually serve as little more than a minor hurdle to a typical modern-day attacker.
Usability is King
Cranor cites two detailed research studies, as well as evidence gathered through her own research at Carnegie Mellon, all of which support the claim that mandatory password changes put a harmful strain on end-users in an environment and can ultimately make their accounts less secure.
We’ve all been privy to the pains of mandatory password resets – on top of the literal dozens of passwords that we have to remember and use each day, we are then expected to come up with something strong and secure all over again. It can be a nightmare, honestly. In those situations, it is not unheard of to fall into the habit of setting a usable password in favor of a more highly secure one – and therein lies the issue: end-users are more inclined to take whichever path is more convenient at the risk of sacrificing security.
In her case study, Cranor cites research to support this claim, noting that, “…we found that CMU students, faculty and staff who reported annoyance with the CMU password policy ended up choosing weaker passwords than those who did not report annoyance.” In cases where accounts are truly at risk, this practice serves to negate many of the security policies put in place – even if the password has to be changed frequently. It also serves as an interesting point in support of the fact that much end-user behavior is at least partially dependent on levels of frustration (referred to as annoyance).
As it happens, people are predictable. When forced to change passwords on a regular basis, not only do end-users tend more towards setting weaker passwords, their password changes are more likely to follow a predictable transformation. UNC researchers found that once one password was cracked for a specific user, attackers could guess 41% of accounts within 3 seconds per account. If we acknowledge that password fatigue and frustration are among the root causes of this human error in judgment, resolutions can be readily implemented to overcome such potentially disastrous end-user behavior.
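One defensive response to the predictable-transformation problem is to check, at password-change time, whether the new password is merely a small edit of the old one and reject it if so. The following is an added example written for this article; it is not code from Cranor’s post or from the UNC study, and the specific similarity rules (case folding, reversal, a shared “core” after stripping trailing digits and symbols, substring containment, and a small edit distance) are assumptions chosen here to illustrate the idea. Because the user supplies the old password when changing it, the check needs no stored plaintext history.

```python
import re

# Constructed tolerance: edits of this size or smaller are treated as trivial.
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            insert = current[j - 1] + 1
            delete = previous[j] + 1
            substitute = previous[j - 1] + (ca != cb)
            current.append(min(insert, delete, substitute))
        previous = current
    return previous[-1]


def core(s: str) -> str:
    """Drop trailing digits, punctuation and underscores so that
    'summer2015!' and 'summer2016!' both reduce to 'summer'."""
    return re.sub(r"[\W\d_]+$", "", s)


def validate_password_change(old: str, new: str) -> tuple[bool, str]:
    """Return (True, 'ok') if `new` is sufficiently different from `old`,
    otherwise (False, reason). Comparison is case-insensitive."""
    o, n = old.lower(), new.lower()
    if o == n:
        return False, "new password only changes letter case"
    if o == n[::-1]:
        return False, "new password is the old password reversed"
    if core(o) and core(o) == core(n):
        return False, "new password only changes trailing digits or symbols"
    if len(o) >= 4 and (o in n or n in o):
        return False, "new password contains (or is contained in) the old one"
    if levenshtein(o, n) <= MAX_EDIT_DISTANCE:
        return False, "new password is within %d edits of the old one" % MAX_EDIT_DISTANCE
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes; none of these are real credentials.
    samples = [
        ("Summer2015!", "Summer2016!"),
        ("hunter2", "HUNTER2!"),
        ("password", "drowssap"),
        ("Tr0ub4dor&3", "correct horse battery staple"),
    ]
    for old, new in samples:
        ok, reason = validate_password_change(old, new)
        print("%-14s -> %-30s %s (%s)" % (old, new, "ACCEPT" if ok else "REJECT", reason))
```

This kind of check only addresses the symptom; combined with the page’s broader point, the better fix is to drop the forced-rotation policy where it is not needed, so users are not pushed toward incremental edits in the first place.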
So What’s the Verdict?
This research on mandatory password changes has made one thing very clear: end-users seek out convenience and usability whenever they can, often with no regard to the potential fallout. With the increasing number of passwords required for daily access, adhering to a stringent policy for password changes has made end-users react in a way that is more manageable yet less secure – which can put an entire network at risk.
In order to provide a secure alternative, solutions like password managers or even Single Sign-on should be provided to end-users where available. Single Sign-on makes use of industry standard protocols (SAML, CAS, Shibboleth, Kerberos, etc.) in order to eliminate the need for users to enter multiple passwords or even respond to multiple login prompts. Additionally, an appropriate, fully integrated SSO solution can eliminate password fatigue and encourage end-users to create strong, complex passwords that are simple to manage and even recover when forgotten.
Of course, as Cranor noted in an interview with Wired, “You never have to explain why you’re making things more secure…removing that requirement would require a lot of explanation.” It’s like a coworker of mine frequently says, “Nobody ever got fired for buying IBM,” but in reality, we need to be able to adapt to the evolving nature of digital security – even if that means upending some previously established standards. More and more evidence is coming to light that questions the need for mandatory password changes, and it seems that now is as good a time as any to take a hard look at existing authentication security and see what can be done to increase security in a way that end-users will be able to manage.
Things are changing in the world of cyber security – if we are to keep from being left in the dust, our best practices need to keep changing too.