Do password expiry rules reduce the security of the system?

The problem

I regularly have a debate with my CTO which usually begins something like this ...

CTO: My password expired, that should never happen.
Me: It's a security risk to never expire passwords.
CTO: It's a security risk to force passwords to be reset because users have bad habits.
Me: Yes, but the security is in the user, not the system; enforcing password expiry ensures the system is secure in the event of an unknown breach of the userbase.

This raises an interesting question: neither of us is primarily a system administrator, but we are both in a position where we need to apply a policy to this effect, and we don't really agree on what the right answer should be.

My standing

The system is more secure if you force all users to change their passwords within X amount of time, where X is computed by determining the strength of the algorithm used to protect the password and the estimated time to break (with brute force) the raw value back into the original password.

CTO's Standing

The act of forcing users to change their passwords all the time results in patterns (****123-"like" patterns) over time, or users write passwords down, meaning the users' "bad habit" is more of a risk to the system than the data being compromised in some more technical manner (e.g. through brute forcing).

So I would like to know

Is there some way I can prove either way whether or not we should enforce a password reset policy, based on some industry best practice?

OR

Is one of us just plain wrong?


Solution 1:

Your CTO is more right, but it's a more complex issue. NIST ( https://csrc.nist.gov/ ) is probably the "industry best practices" reference.

When it comes to passwords, length, not complexity or frequent changes, is the way to go. ( https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/ ) They suggest phrases or sentences rather than a single word.

You describe hashing passwords before storing them, which is the logically better alternative to plain text. The problem is that with multi-GPU systems tens to hundreds of hashes can be calculated and checked per second.

The links below discuss the changes. I'd suggest paying special attention to salting passwords before they're hashed.

https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

https://www.passwordping.com/surprising-new-password-guidelines-nist/

https://softwareengineering.stackexchange.com/questions/216998/updating-password-hashing-without-forcing-a-new-password-for-existing-users
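As an added example (not code from the original post or from the linked articles), here is the salted, work-factor-tunable hashing this answer recommends, written in Python with only the standard library, together with the transparent re-hash on login that the last link discusses, so the work factor can be raised later without forcing users to pick a new password. The storage format, the 600,000-iteration default and the helper names are assumptions made for this example.

```python
"""Salted password hashing with a tunable work factor, plus a transparent
re-hash on successful login so the work factor can be raised without
forcing a password change.

Added example using only the standard library. The record format
`pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>` and the default
iteration count are assumptions chosen for this example."""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed current work factor; raise it over time
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash with a fresh random salt so identical passwords never share a hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    """Split a stored record into (iterations, salt, digest)."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than now required."""
    current_iterations, _, _ = _parse(stored)
    return current_iterations < iterations


def login(password: str, stored: str, iterations: int = DEFAULT_ITERATIONS):
    """Return (ok, new_record). new_record is set only when the password was
    correct and the old record is below the current work factor; the caller
    stores it in place of the old one, and the user never notices."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, iterations):
        return True, hash_password(password, iterations)
    return True, None


if __name__ == "__main__":
    old_record = hash_password("correct horse battery staple", iterations=50_000)
    ok, upgraded = login("correct horse battery staple", old_record)
    print("login ok:", ok, "| record upgraded:", upgraded is not None)
    print("wrong password:", login("wrong", old_record))
```

The upgrade only happens on a successful login because that is the only moment the plaintext is available; records that never log in stay at the old work factor, which is the trade-off the linked thread discusses.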

Solution 2:

Yes, it increases security risks if you don't force passwords to expire.

As your CTO said, because we have bad habits, passwords will eventually leak one way or another, e.g. by typing the password in the user input field, leaving it unencrypted in some application config file, etc.

Forcing users to change passwords reinforces security in terms of availability: a leaked password that expires in 15 days will force the attacker to take advantage of it in the next 2 weeks, whereas a permanent password leaves a door open to external danger.

If you look at this from the attacker's point of view as well, it's pretty deterring to know you may be able to sniff a password, then spend several weeks stealing data, only to see that halfway through that process all those passwords changed and you have to start over.

Sometimes the best way to make your system harder to crack isn't to make it more robust, but rather to avoid harm altogether by letting people know they'll waste their time.

To me it looks like you have a lazy CTO who doesn't want to come up with new passwords.

Solution 3:

As usual, it is not easy.

Currently (the situation was probably different when the question was asked initially), the time needed to brute-force a "bad" password (for example a single dictionary word made "safe" by some usual substitution rules) is much shorter than any time span you'd consider for password expiry, at least if the database of password hashes is available.

On the other hand, cracking a "good" password (like 16 truly random alphanumeric characters) is still out of reach within a few years unless your attacker has a REAL BIG budget. And if you are up against big players, standard passwords are probably not an option for you anyway.

Many other issues, like the "bad user habits" already mentioned also apply.

Another thing to consider is that expiring passwords also lead to loss in productivity and additional costs/work for IT support.

So, IMHO, a better choice than meddling with password expiry nowadays may be to invest in hardware password safes, biometric/smart-card-based or other two-factor authentication methods...

But, usually you won't get an ultimate answer without hiring someone who does a very detailed analysis of your requirements, your risks and your possibilities.
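The question's rule for choosing X (the expiry interval must be shorter than the estimated brute-force time) and this answer's contrast between a "bad" dictionary-plus-substitutions password and 16 random alphanumeric characters can be put side by side with a short calculation. The following Python is an added example, not code from the question or from any answer; the guess rates, dictionary size and substitution count in it are illustrative order-of-magnitude assumptions for an offline attack on a stolen hash database, not measured benchmarks.

```python
"""Expected brute-force time for a password versus a proposed expiry interval.

Added example (not from the original post). The guess rates, dictionary size
and substitution count are illustrative order-of-magnitude assumptions for an
offline attack against a stolen hash database, not measured benchmarks."""

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed offline guess rates (guesses/second) for one attacker rig.
# Fast hashes reach billions of guesses per second on GPUs; a slow, tunable
# hash such as bcrypt at a high cost is orders of magnitude slower.
ASSUMED_GUESS_RATES = {
    "md5": 1e10,
    "sha256": 1e9,
    "bcrypt_cost12": 1e4,
}

# Assumed attacker dictionary: 100k base words x 1k substitution/capitalisation variants.
ASSUMED_DICTIONARY_WORDS = 100_000
ASSUMED_SUBSTITUTION_VARIANTS = 1_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates for a truly random password of the given shape."""
    return charset_size ** length


def dictionary_space(words: int = ASSUMED_DICTIONARY_WORDS,
                     variants: int = ASSUMED_SUBSTITUTION_VARIANTS) -> int:
    """Number of candidates for 'dictionary word plus the usual substitutions'."""
    return words * variants


def expected_crack_seconds(guess_space: int, guesses_per_second: float) -> float:
    """On average the attacker hits the password after trying half the space."""
    return guess_space / 2 / guesses_per_second


def expected_crack_years(guess_space: int, guesses_per_second: float) -> float:
    return expected_crack_seconds(guess_space, guesses_per_second) / SECONDS_PER_YEAR


def expiry_beats_crack_time(expiry_days: float, guess_space: int,
                            guesses_per_second: float) -> bool:
    """The rule proposed in the question: the expiry interval X must be
    shorter than the time needed to brute-force the password."""
    return expiry_days * SECONDS_PER_DAY < expected_crack_seconds(guess_space, guesses_per_second)


def report(expiry_days: float = 90) -> dict:
    """Crack-time estimate (years) and expiry verdict for the two password
    styles discussed in the answer, across the assumed hash rates."""
    scenarios = {
        "dictionary_word_with_substitutions": dictionary_space(),
        "random_16_alphanumeric": keyspace(62, 16),
    }
    out = {}
    for name, space in scenarios.items():
        for algo, rate in ASSUMED_GUESS_RATES.items():
            out[(name, algo)] = {
                "years": expected_crack_years(space, rate),
                "expiry_shorter_than_crack_time": expiry_beats_crack_time(expiry_days, space, rate),
            }
    return out


if __name__ == "__main__":
    for (name, algo), result in report().items():
        print(f"{name:36s} {algo:14s} {result['years']:12.3e} years  "
              f"expiry shorter than crack time: {result['expiry_shorter_than_crack_time']}")
```

Under these assumptions the dictionary password falls in well under a day even against the slow hash, so no expiry interval anyone would tolerate is shorter than its crack time, while the 16-character random password needs on the order of 10^10 years or more at every assumed rate, so expiry adds nothing there either; the rows only move materially when the hash's work factor changes, which is the lever the other answers point at.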