Executives, stop forcing users to change their passwords once a month.
Image caption: Password change day, an office in Ensk, reconstruction, in colour.
If this article has not torn a hole in the space-time continuum, it is 2018 outside, and most large organizations still change passwords every 30-90 days. The point that forced, constant password rotation only reduces security and does not increase it in any way has been raised on Habr many times (1, 2, 3), but those posts usually discussed particular cases, and in the comments users actively shared how they protect their own accounts.
That a combination of something like KeePass plus a token, sprinkled with two-factor authentication, is far more reliable than changing passwords every 30-90 days needs no explanation. But as one commenter on earlier publications noted, the initiative for such "effective" measures often comes from the very top of the organization, and arguing with the CEO without solid arguments costs more than it is worth. So I decided to try to lay out, as accessibly as I can, where such a widespread and at the same time ineffective practice comes from, what alternatives to it exist and what they involve. Perhaps after some managers read this article, working in a few companies will become a little more pleasant.
What is the danger of regular password changes?
A password by itself is not a very strong security tool. That is why the market now offers numerous means of two- or even three-factor authentication, various tokens, USB keys and other devices that strengthen the perimeter and reduce the likelihood of a break-in and of access to confidential data or an account. One of the widely promoted ways of "strengthening" this perimeter is supposedly regular rotation of the user's password, which in theory should protect against attacks following a database leak and the like. All these recommendations ignore, first of all, the templating effect, which I described in detail several years ago.
In short: constant forced password changes lead a person to develop a template not only for remembering the current password but for generating the next one, something researchers in the United States described in a scientific paper back in 2010.
Instead of endlessly memorizing "strong passwords with mixed case and special characters", users begin writing them down or using templates. And you cannot attach a guard to every employee to check the uniqueness of each new password.
Where managers learn about changing passwords
If you torture a search engine a little, you can find plenty of publications and even official documents on the topic of information security. Some of them smell of mothballs, others are a bit livelier and talk about the danger of "attacks from the inside" and of social engineering in break-ins. All of them share the item "periodic password change", which most often begins with words like "do not forget about such a simple and effective method".
So as not to be unfounded, I will give a couple of examples of how domestic literature (including textbooks!) and articles recommend periodic password changes:
This is a screenshot from the 2008 edition of the CMD Infobase. In it the authors acknowledge the weakness of the password as a means of protection and call for securing information through regular forced replacement and a number of less useless measures, such as secure data transmission channels.
The web also offers plenty of paid seminars and trainings for "managers and executives" on ensuring the enterprise's information security. Setting the IT sector aside and imagining that the director or owner of a company producing, say, gas silicate blocks or other industrial products became concerned with infosec, he would most likely gather information from public sources or attend one of these "qualification" seminars.
I do not criticize such events wholesale, no. Of course they also provide useful information about behaviour on the network, restricting access rights, timely system updates and administration. Perhaps they teach how to write regulations and build simple information security perimeters based on establishing a "regime" at the facility. But it can be stated with 100% certainty that the mantra we dislike, "force employees to change their password once every 30 days", is heard regularly at such events.
If you think about it, one simple conclusion follows: this policy can be implemented with the Windows administration tools alone. Regular password changes on the corporate network are in fact a standard created many years ago with the best intentions, which continues to exist by inertia. Digging a little deeper, you can see that regular password changes are widely used not only in Microsoft products, which ship this mechanism out of the box. The practice was successfully carried over to other products, for example to the "zoo" of 1C software. In fact, administrators across the CIS have, for at least a decade, been tormenting both themselves and the accountants and salespeople by following the instructions of the "security management" manual.
At the same time, there are specialists who call for abandoning regular password changes and the promotion of impossible-to-remember combinations, and who have been successfully ignored for years now. For example, about two years ago Ciaran Martin, head of the United Kingdom's new national cyber security centre, spoke out against the constant changing of complex passwords. He criticized the practice of constantly changing passwords and the advice to use distinct complex passwords for different services, comparing it to memorizing a 600-digit number every month. According to Martin, it is much safer to use either a password manager or a single password that is hard to crack but possible to memorize.
Is it possible to convince management?
There are not many ways to convince a manager who is far from the modern IT world that regular password changes are an absurdity.
It should be understood that this practice gained such wide popularity for two reasons:
- It gives a false sense of security and closes, for the manager, the question of the "security" of employees' workstations.
- It is relatively fast and free.
If from all sides, in the press, at seminars and so on, people have been saying for decades that changing the password is a good idea, it lodges in the manager's memory. Combined with the second point, where the entire cost of deploying a "perimeter" in the form of password changes comes down to nagging the system administrator, who will do everything in one day, it all becomes doubly more pleasant and simpler.
No mid-sized company will agree to purchase tokens or other physical means of protecting workstations when there is a free alternative in the form of forced password changes. The only obvious scenario here is to explain the inadequacy of this practice and propose an alternative.
Why is a regular password change dangerous?
- Passwords get written on scraps of paper and in diaries, or on sticky notes on the monitor;
- passwords become templates (a few characters are changed at the beginning or end of the password);
- passwords are simplified too much, even when there is a minimum length requirement.
You can see that all the main threats posed by regular password changes concern violations of information security from inside the perimeter, that is, they lie in the domain of social engineering. A remote hacker from Nigeria will never see a password written on a slip of paper and hidden under the keyboard. But a chance visitor from a competitor, or a malcontent on the team, will, easily.
The only real alternative for securing the internal perimeter is the principle "one workstation, one person", prompt consultation and support for staff when a workstation locks on timeout, access policies built inside the network itself, and liability for disclosing or handing over the account password. The latter fits very nicely into the fashion of the past few years for making employees and contractors sign an NDA at every opportunity, so let it be justified at least once.
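The second point above, templated passwords, is the one a password-change handler can actually catch. The following is an added example, not code from the original article or from any product it mentions: a small Python check that strips the leading and trailing digits and punctuation that rotation templates usually tweak, compares the remaining "core" of the old and new password, and also rejects a new password that is simply too similar to the old one. The password history and the thresholds `MIN_LENGTH` and `MAX_SIMILARITY` are constructed here for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Policy thresholds: constructed values for this example, not from the article.
MIN_LENGTH = 10
MAX_SIMILARITY = 0.7


def core(password: str) -> str:
    """Return the password with leading/trailing digits and punctuation removed
    and case folded, so 'Summer2018!' and 'summer2019#' both collapse to 'summer'.
    These are exactly the parts of a password a rotation template changes."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password).lower()


def template_reason(old: str, new: str) -> Optional[str]:
    """Return a rejection reason if `new` looks like a templated variant of `old`
    (or is too short), or None if the change is acceptable."""
    if len(new) < MIN_LENGTH:
        return "too short"
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return "same core as previous password (only prefix/suffix changed)"
    # Fallback: generic similarity ratio over the full strings, so that changing
    # a character in the middle ('Summer2018!' -> 'Summmer2018!') is caught too.
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    if ratio > MAX_SIMILARITY:
        return f"too similar to previous password (similarity {ratio:.2f})"
    return None


def audit_rotation_history(history: List[str]) -> List[Tuple[int, str]]:
    """Replay a user's password history (oldest first) and report every change
    that the check above would have refused, as (index, reason) pairs."""
    flagged = []
    for i in range(1, len(history)):
        reason = template_reason(history[i - 1], history[i])
        if reason is not None:
            flagged.append((i, reason))
    return flagged


if __name__ == "__main__":
    # Constructed history showing the usual "season + year" rotation template
    # followed by a genuinely new passphrase.
    history = ["Summer2018!", "Summer2019!", "Summer2019!!", "correct horse battery"]
    for index, reason in audit_rotation_history(history):
        print(f"change #{index} -> {history[index]!r}: rejected, {reason}")
```

The check is deliberately lenient about what counts as the "core" so that it does not become a new source of friction; its purpose is to make the quarterly "bump the year" trick stop working, which in turn removes much of the point of forced rotation in the first place.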
The banking sector as an example to follow
In matters of information security within the office, most managers treat employees as company property, that is, as if they supposedly need no support. But if we consider the structure of the internal perimeter using the example of how data security is ensured in a "service and client" relationship in banking, everything becomes much clearer.
Consider: the PIN code of a bank card is only 4 characters, yet nobody shouts that it is "too short" and easy to break. That is simply because plastic cards have a limit on the number of entry attempts, plus the client can quickly block the card if he suspects a data leak (a skimmer) or has lost the card. And users actively use these options, because they are interested in observing security measures and know they can perform these operations quickly.
That is, if your management is concerned with creating internal regulations and ensuring the company's real information security, it is worth telling them that at that moment all employees become "clients" of the organization's IT service, which will support them. Most often this role falls on the system administrators, who already ensure the smooth operation of the organization's IT systems. And the more serious the security measures, the greater the cost in staff and infrastructure. But for some reason it is customary to keep quiet about this simple truth.
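To make the PIN argument concrete, here is an added example (not code from the article, and not a model of any real bank's system): a Python verifier that stores a salted hash of a 4-digit PIN, counts failed attempts, locks after a constructed limit of three, and can be unlocked only by an out-of-band action (the "call the bank" step). Alongside it, a one-line calculation of how likely an online guessing attack is to succeed before the lockout, which is what makes a 4-digit secret acceptable in this setting. The PIN value and the attempt limit are constructed for the example.

```python
import hashlib
import hmac
import os
from fractions import Fraction


class PinVerifier:
    """Attempt-limited PIN check. The secret is kept only as a salted PBKDF2 hash,
    comparisons are constant-time, and after `max_attempts` consecutive failures
    the verifier refuses everything until `unlock()` is called out of band."""

    def __init__(self, pin: str, max_attempts: int = 3) -> None:
        self.salt = os.urandom(16)
        self.digest = self._hash(pin, self.salt)
        self.max_attempts = max_attempts
        self.failed = 0
        self.locked = False

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def verify(self, candidate: str) -> str:
        """Return 'ok', 'wrong' or 'locked'. A correct PIN resets the counter;
        the attempt that reaches the limit locks the account immediately."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._hash(candidate, self.salt), self.digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= self.max_attempts:
            self.locked = True
            return "locked"
        return "wrong"

    def unlock(self) -> None:
        """Out-of-band reset: the client identifies themselves to the bank
        (or the employee to the helpdesk) and the counter is cleared."""
        self.failed = 0
        self.locked = False


def online_guess_success(keyspace: int, attempts_before_lockout: int) -> Fraction:
    """Probability that an attacker guessing online, against a uniformly chosen
    secret, succeeds before the lockout triggers: attempts / keyspace, capped at 1."""
    return min(Fraction(1), Fraction(attempts_before_lockout, keyspace))


if __name__ == "__main__":
    card = PinVerifier("4821")  # constructed PIN for the demonstration
    for guess in ("0000", "1111", "2222", "4821"):
        print(guess, "->", card.verify(guess))
    card.unlock()
    print("after unlock:", card.verify("4821"))
    # 4 digits with 3 attempts before lockout versus the same PIN with no limit
    print("P(success) with lockout:", online_guess_success(10**4, 3))
    print("P(success) without lockout:", online_guess_success(10**4, 10**5))
```

The point the numbers make is the one the article makes in words: the strength of the scheme comes from the attempt limit and the fast, user-driven block, not from the length of the secret, and neither of those requires the client to pick a new PIN every month.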
So what should I do?
One simple thought must be brought to the leadership: there is no such thing as free information security; for free you can only create the appearance of activity in this direction. In all other cases the costs increase: either for a staff of system administrators (if there is a gap in staffing, there will be downtime) who will respond quickly to user problems and will be able to build a competent system of rights and access, or for the purchase of tokens that issue temporary passwords or access to the system.
The only relatively free alternative to the above is a master password that the user can remember and has no right to disclose, plus a password manager for access to the company's strategic software and databases.
Which is, in fact, what we have been repeating for almost a dozen years.
PS Below are polls for office workers. Freelancers and remote workers, please refrain, for obvious reasons.