Should I force my users to change passwords every n days/weeks/month?

Question says it all. We are designing a system where security is very important. One of the ideas someone had was to force users to change passwords every 3 months. My take on this is that while it's more secure because the password changes often, it also forces our users to remember ever-changing passwords and makes it more likely that they will just write it down somewhere to help remember.

In the same vein, is it really good to force users to use a super-hard-to-guess password? Force them to use ?%&% and uppercase and lowercase letters. I know it's quite the hassle to invent such a password and then remember it.

Then again we do not want anyone using 12345.

So, are there any whitepapers about this subject? Good practices?

I am talking about a website created with PHP and MySQL in a LAMP environment, if that changes anything.


I think I might be in the minority on this (based on my limited experience dealing with IT departments at school and work), but I think mandatory, time-based password change policies are worthless at best, and harmful at worst. People tend to be very bad at choosing good passwords and keeping them secret. Password expiration policies are designed to mitigate this by limiting the amount of time any one password can be cracked/social engineered/stolen; however, they fail to achieve this in practice, primarily because they force users to relearn their password on a continuous basis. By making it harder for users to commit their passwords to memory, you end up causing many of them to choose weaker passwords, and/or write their passwords down someplace where prying eyes can find them.

Furthermore, when forced to change their password on a regular basis, many users will choose passwords that follow a very recognizable pattern, such as [base string][digit]. Let's say a user wants to use their cat's name Fluffy as their password. They might start out with a password of fluffy, then change it to fluffy1, fluffy2, fluffy3 and so on. In this case, the policy doesn't really help security; even if the user chooses a more secure base string than fluffy, and even if they keep their password safely memorized, the single suffix character that changes every few months does very little to mitigate cracking or social engineering attacks.

See also: Password Expiration Considered Harmful, a short article (not written by me) which I think gives a good introduction to these problems.


My large organization (15000+ users) implemented "password changes" every 120 days in the Fall of 2009. It's a huge IT headache and waste of support resources. Every time that 120 day window rolls around we have thousands of users forced to change their password....which many of them either do incorrectly and lock their account....or forget the next day. Our helpdesk gets swamped with password calls even though we tried to make as much of it as self-service as possible.

If you want your users/customers to hate you....and your front line IT staff to burn you in effigy every chance they get...implement password changes.

Password change policies are a checkbox in some IT Manager howto book somewhere...and it was written 15 years ago. No one in the trenches who actually implements or supports the policy will ever tell you it's a good idea.

I argued here for "pass phrases" instead of passwords....fat lot of good that did...that light at the end of the tunnel WAS an oncoming train. :)

A pass phrase is a long, almost unguessable string that is very easy to remember, like "MyCatIsFromSpainAndICallHimElGato". Or maybe a line from a poem or song.

If you want to make it really difficult to crack....mess with the case, add some punctuation, change some ones to ells, ohs to zeros, a to @, etc... But keep it remember-able....that's the key. There are even ways to pick them so they flow easily from your fingers to the keyboard....so you're not bouncing all over between hands or with SHIFTs and weird punctuation.

So...

  • Use long "pass phrases".
  • Test them internally for strength.
  • Implement "single sign-on" across your entire infrastructure so customers only have to use it once or twice a day.
  • Never force them to change it.
  • And educate, educate, educate on their proper use.

Matt

EDIT: 8/24/2011 XKCD agrees and said it better than I did.


No. My personal opinion is that it's unnecessary and even counter-productive. I ranted on my blog, but you can hunt that down if you're interested.

In short, it comes down to two reasons:

1. Forcing a user to constantly change their password leads to bad passwords.

There will be no shortage of anecdotal evidence on this, but it makes sense that if I'm forced to remember a new thing every x days, I'll make those things easy to remember, and probably related to each other.

Users are far more likely to choose "guessable" passwords like "Jan2010" or "Password05" if they know it'll have to change soon. Enforcing a strict policy on characters is likely to just result in an added exclamation mark or a fully-spelled name rather than an abbreviation. There's a big difference between a technically complex password and one that won't be guessed.

2. Forcing regular password changes doesn't prevent attacks, it only reduces risk (and not by much)

Think about it - if your password is guessed or discovered somehow, how long would it take an attacker to use that information? Put yourself in the shoes of the attacker. You've just discovered a password. Would you not log in and extract every bit of information you could straight away, just in case someone finds out? In 30 days' time, you've already got everything you want.

My recommendation:

  • Force an exceedingly strict password policy (like 15 characters with upper, lower, numbers, and special characters, with no English words > 3 characters)
  • Never make the user change their password. If they have to write the password on a piece of paper and keep it in their wallet, that's actually fine. People are good at securing pieces of paper, but not so good at remembering random strings of characters.

From a user's point of view, having to change my password is incredibly inconvenient. I absolutely hate having to do so, and will only begrudgingly use sites that I absolutely need if they require me to change my password.

There has also been some discussion about whether this is really a good practice, since some people end up having to write down their passwords in order to remember them.

You could implement one of those widgets that show people how strong (or weak) their password is while they're filling it in--I find those to be (sorta) useful, though I don't know if they actually result in stronger passwords.
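The answers above describe the shapes that forced rotation produces ("fluffy1" becoming "fluffy2", "Jan2010", "Password05") and one of them proposes a 15-character floor. As an added PHP example (not code from the question or any answer; the asker's stack is PHP), here is a server-side password-change check that rejects exactly those shapes before the new password is hashed. It assumes `$old` is the current password as typed into the change form (never the stored hash) and uses a constructed word list; the function names are hypothetical.

```php
<?php
// Added example: reject rotation-induced password patterns on a change request.
// Assumptions: $old is the cleartext current password from the change form;
// $wordlist is a constructed stand-in for a real dictionary (lowercase entries).

function normalizeBase(string $password): string {
    // Drop a trailing run of digits/punctuation and undo common substitutions,
    // so "Fluffy2!" and "fluffy3" both reduce to the base string "fluffy".
    $stripped = preg_replace('/[\d[:punct:]]+$/', '', $password);
    $undone = strtr($stripped, ['@' => 'a', '0' => 'o', '1' => 'l', '3' => 'e', '$' => 's']);
    return strtolower($undone);
}

function rejectReason(string $old, string $new, array $wordlist): ?string {
    // Same base as the old password: only the suffix changed ("fluffy1" -> "fluffy2").
    if ($old !== '' && normalizeBase($old) === normalizeBase($new)) {
        return 'only the suffix of the old password changed';
    }
    // Month abbreviation or full name followed by a 2- or 4-digit year ("Jan2010").
    if (preg_match('/^(jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*\d{2}(\d{2})?$/i', $new)) {
        return 'month/year stamp';
    }
    // One listed word plus a numeric or punctuation suffix ("Password05").
    if (in_array(normalizeBase($new), $wordlist, true)) {
        return 'dictionary word plus a suffix';
    }
    // The 15-character floor from the answer above; checked last so that a
    // pattern match, when present, is the reason reported to the user.
    if (strlen($new) < 15) {
        return 'shorter than 15 characters';
    }
    return null; // acceptable: go on to hash and store it
}

// Constructed cases: [current password, proposed new password].
$wordlist = ['password', 'fluffy', 'welcome', 'summer'];
$cases = [
    ['fluffy1',  'fluffy2'],
    ['Fluffy2!', 'Jan2010'],
    ['Fluffy2!', 'Password05'],
    ['Fluffy2!', 'Welcome2011'],
    ['Fluffy2!', 'MyCatIsFromSpainAndICallHimElGato'],
];
foreach ($cases as [$old, $new]) {
    printf("%-36s %s\n", $new, rejectReason($old, $new, $wordlist) ?? 'accepted');
}
```

The last case, the pass phrase suggested in one of the answers, is the only one accepted; the others are rejected with the specific pattern that matched, which is what a strength widget could show the user instead of a bare "too weak".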