Nothing is more annoying than being required to change your password on a very regular basis. This kind of policy harkens back to the days when all of our user ID and password information was stored on UNIX systems in a plain text file. Today we have a better understanding of what actually keeps passwords secure, and it is now understood that forcing users to change their passwords on a fixed schedule tends to decrease security, for several reasons.
These reasons include:
- The Human Condition – When individuals are forced to change their password, they tend to choose weak passwords based on how easy the word or phrase is to remember.
- The Predictability – Being forced to perform some security-related tasks on a predictable, regular basis every month or quarter provides the perfect gift to a hacker, attacker or cyber-criminal.
The Path of Least Resistance
Users are rarely intentionally lazy. However, most users will not give a second thought to meeting only the absolute minimum password standards. After all, why spend five or ten minutes constructing a password that they'll only get to keep for 30 days? The results are creations like p@ssw0rd01, then p@ssw0rd02. If someone cracks a password like "p@ssw0rd09" in the month of September, I'm pretty sure they'll have October's password too.
Hackers like Predictability
Predictability is a gift to a cyber-criminal. Attackers base their entire account-hacking strategy on an understanding of human predictability. They know that in time the user will grow tired of always having to change his or her password and will fall back on the simplicity of some kind of pattern. Also, the more passwords a user has to create, the more likely they are to use words they shouldn't, like "dragon", "12345", or "michael". Attackers who can work out when credentials were last changed also learn how long their window for acting on stolen credentials will stay open.
When it comes down to it, there doesn't seem to be a "perfect" solution here. We usually recommend a middle ground for passwords of ordinary security level: allow users to keep their passwords longer, but hold them to a much higher standard. Instead of a six- or eight-character minimum password that must be changed monthly, perhaps give them 90 days, but require an extra four characters in exchange.
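The policy outlined above can be enforced at password-change time, when the user has just typed the old password to authorize the change and the service can compare it with the new one. The following Python is an added example, not code from the original post: it applies the three points the post raises (the longer minimum length traded for the 90-day lifetime, the common words users fall back on, and the p@ssw0rd01-to-p@ssw0rd02 increment). The 12-character minimum, the small denylist, the substitution table and the edit-distance threshold are assumptions chosen for illustration, not values from the post.

```python
import re

# The post's trade-off: a longer password in exchange for a longer lifetime.
# 12 is assumed here (an eight-character minimum plus the extra four).
MIN_LENGTH = 12

# Constructed denylist; the three single words are the ones the post names.
COMMON_WORDS = {"password", "dragon", "12345", "michael"}

# Undo the substitutions users make to dress up a dictionary word,
# so that "p@ssw0rd" normalizes to "password". Assumed mapping.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                          "4": "a", "5": "s", "$": "s", "!": "i"})


def normalize(pw):
    """Reduce a password to the word it is built on.

    Drops a trailing run of digits/punctuation (the monthly counter),
    lower-cases, and reverses common character substitutions.
    """
    base = re.sub(r"[^a-zA-Z]+$", "", pw) or pw   # keep all-digit inputs intact
    return base.lower().translate(LEET_MAP)


def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password_change(old_pw, new_pw, min_length=MIN_LENGTH, max_edits=2):
    """Return the list of policy violations for a proposed change (empty = accepted).

    old_pw is the password the user typed to authorize the change, so it is
    available in cleartext at this moment only; pass None for a first-time set.
    """
    problems = []
    if len(new_pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    new_base = normalize(new_pw)
    if new_pw.lower() in COMMON_WORDS or new_base in COMMON_WORDS:
        problems.append("based on a common word")
    if old_pw is not None:
        if normalize(old_pw) == new_base:
            problems.append("same as the previous password apart from case, "
                            "substitutions or a counter")
        elif edit_distance(old_pw, new_pw) <= max_edits:
            problems.append(f"within {max_edits} edits of the previous password")
    return problems


if __name__ == "__main__":
    # The September -> October rotation the post describes, and a genuine change.
    for old, new in [("p@ssw0rd09", "p@ssw0rd10"),
                     ("p@ssw0rd09", "correct-horse-battery-staple-7")]:
        verdict = check_password_change(old, new) or ["accepted"]
        print(f"{old!r} -> {new!r}: {'; '.join(verdict)}")
```

The similarity check runs only while both passwords are in hand during the change itself; nothing here requires storing old passwords in a recoverable form. Tightening `max_edits` or growing the denylist changes how strict the rule is without changing its shape.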
If increasing password length is simply not an option, it could be time to look at deploying a two-factor authentication system. Our friends over at Yubico have developed a piece of hardware that brings two-factor authentication down to a single button press.