Requiring users to change passwords periodically is established IT dogma. For a long time I’ve suspected that the periodic forced changes that have become de rigueur for modern enterprises are actually counterproductive. Until now however, there has been little serious research into the issue, and I have been unable to intelligently defend my position. I just resort to vague hand-waving arguments about frustrating users and encouraging bad behavior involving yellow sticky notes.
Last year, Yinqian Zhang, Fabian Monrose, and Michael K. Reiter, at the University of North Carolina at Chapel Hill conducted the first large-scale study of the success of password expiration as a security strategy. They report their findings in The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis. It’s a good read. They propose an algorithm for guessing passwords based on having cracked a previous password from the same user. They used a data set of 51,141 MD5 password hashes which represented from 4 to 15 passwords for some 10,374 users over a five year period. Overall, among the 7,936 users for which they cracked at least one password, they broke all the passwords belonging to 54% of the users, and broke at least half in 90% of the cases. Their results are impressive: On average, 41% of passwords can be broken from an old password in under 3 seconds.
They conclude: “We believe our study calls into question the continued use of expiration and, in the longer term, provides one more piece of evidence to facilitate a move away from passwords altogether.”
; ?>/wp-content/themes/header_images/CC-BY-SA88x31.png)
Copyright © 2008-2013 Richard A. Milewski
17% is indeed a lot lower, but the context and specifics matter:
“…at least 41% of passwords can be broken offline from previous pass- words for the same accounts in a matter of seconds, and five online password guesses in expectation suffices to break 17% of accounts. As we expand our consideration to other types of transform trees, we would not be surprised to see these success rates jump significantly.”
5 guesses is not very much at all, and that’s a max (the average # of guesses is not stated, but must be lower). It would be interesting to know how the success rate changes as the number of guesses goes up, specially with the variations to the algorithm they refer to.
A few points to throw out there:
The statistic of “41% of passwords can be broken” is for offline attacks. In a real world scenario this would imply that the attacker has obtained the first password and then obtained the password hashes in order to execute the offline attack.
When considering an online attack for the second attack the success rate drops to 17% (see page 9 of report). This can be associated to brute force prevention techniques for online attacks.
To further reduce the 17% to an even lower success rate the password change could implement controls to ensure the new password is significantly different than the last. This of course is even less enjoyable for the user but results in more security.
In the end, its a trade off between usability and security and moreover its all about risk management. Depending upon the particular system and the impact of compromise certain controls are merited.
True, but as they point out in the paper, implementing controls to ensure that the new password is significantly different from the last often results in passwords being rejected for reasons that are difficult, if not impossible to convey to the user in any meaningful way. “Too similar” is a pretty vague concept, and to be effective, this policy would require comparing the new password to all previous passwords, not just the most recent one. Can you describe an approach to implement this that wouldn’t send hoards of users scrambling to find their pads of yellow stick notes?
“Can you describe an approach to implement this that wouldn’t send hoards of users scrambling to find their pads of yellow stick notes?”
This isn’t something that should be used for any random website of limited value. But, for a website of high value and a user that has elevated access, it is worthwhile. How would a privileged user manage their credentials? At this point these users should be using encrypted password management software (example: password safe). Here they can store strong random passwords that are unique to every site.
Again, this isn’t for everyone or all sites. But for high value sites and privileged users, this is often the necessary security controls to protect the site/account.
[...] term, supplies one more chunk of indication to assist a move afar from passwords altogether.”Password Storage – Google Weblog Search by dubh Premiumpassword.us Free rapidshare premium password, free hotfile premium password, free [...]
@Wladimir – likewise in my company, but changing every 7 weeks rather than 3 months. And so I end up with one password with a dozen variants – hold down ‘shift’ for the first 4 characters, or the second 4, or every alternating character, or alternating pairs of characters, that sort of thing. Sooner or later, I’ll move on to the same password backwards, and the various shifted permutations of that. Or just get sick of it, and go with the original password with the current month appended (P@ssw0rd01, P@ssw0rd02, etc).
Not exactly what the security people are trying to achieve, but works for me…
I’d rather not have access to sensitive data with my default password. Therefore, I only put myself at risk. I am not as conscientious as you, Asa.
Passwords are not safe in general. We should be using certs or something better, which is how we push code to Mozilla.
[...] This post was mentioned on Twitter by Planet Mozilla, bazzargh. bazzargh said: Expiration doesn't work:"41% of passwords can be broken from an old password in under 3s" http://bit.ly/eUcA8Y [...]
Thanks, nice to see my suspicions confirmed. A company I previously worked for required changing the password every three months – yet it takes me a month to get used to a new password, going though that procedure every three months was plainly ridiculous. Not to mention that coming up with an entirely new, strong and unique password that I could remember every few months simply isn’t something I am capable of. Yes, I could use some password storage application and generate random password – but that won’t help much if that password storage is compromised.
That seems to say a lot more about the intentions and compliance of the people responsible for the passwords than it does the program of password updating. I know that I’m a likely candidate for spearfishing or other targeted attacks because I work on a high profile software product that’s distributed to hundreds of millions of users and I take that responsibility seriously. I could, for example, just rotate between foop1, foopy2, foopy3, etc., but I know that would mean unnecessarily putting hundreds of millions of Firefox users at risk and so I don’t do that. I actually come up with a genuinely new password/passphrase every time it comes due to change.
Now most of the people in that study probably don’t have any good reason to rotate passwords, or care much about security at all. Perhaps the best solution to this problem, then, is to not require serious attention to passwords or security in companies or among groups where it just doesn’t matter that much. But for my own piece of mind, I’ll have my own calendar reminders set up regardless of policy because I couldn’t bear the thought of having my account used to compromise so many innocent people.
Asa–I commend you and agree with you about the responsibility we have. However, it’s important to recognize that most users out there don’t think like that, and although we can and should evangelize good behavior, it’s an uphill battle.
In other words, I think it’s perfectly valid to measure success rates of password guessing taking user behavior as constant, rather than dismissing the data because users should be better-behaved anyway (even though we agree that they should be).
An interesting follow-up study would be to attempt to measure changes in the success rate of cracking subsequent passwords after a sustained evangelism campaign, and under different forced or voluntary password rotation regimes. I suspect that only a hardcore few will continue to create brand new strong passwords after the first few rotations.