Password rotation is dumb

Many organizations have policies requiring you to change your passwords every 90 days. These policies are dumb, and make security worse.

The following material should help you fight back against this nonsense. You don’t have to believe Paul Schreiber, but you should believe NIST, the FTC and the UK’s NCSC.

NIST

In 2016, the National Institute of Standards and Technology came out with a new set of password guidelines. The formal document is “NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management.”

§ 5.1.1.2 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”

“Memorized secrets” is NIST-speak for passwords.

Chester Wisniewski provides an excellent plain-English summary of all of NIST’s recommendations (not just password rotation).

NCSC

The UK’s National Cyber Security Centre writes:

CESG now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords (described above) while doing little to increase the risk of long-term password exploitation. Attackers can often work out the new password, if they have the old one. And users, forced to change another password, will often choose a ‘weaker’ one that they won’t forget.

FTC

Lorrie Cranor, the US Federal Trade Commission’s Chief Technologist writes:

I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)

She has a formal academic paper on the topic, “Measuring Password Guessability for an Entire University.”
