More About Passwords

Wolfgang Flamme wrote an article about why some companies enforce security policies that require users to change passwords frequently. He pointed to a Microsoft article that "explains" that changing passwords frequently improves security by reducing the amount of time available for attackers to guess an active password. Wolfgang correctly points out that if you change from one strong password to another at roughly the same time that an attack starts, the benefit of changing passwords is relatively small. He goes on to write, however, "As an example, if 50% of all combinations have been probed then there's a 50% chance the attacker already has identified your password which leaves a 25% overall chance that a password change is for good at all." There is more to it than that, though.
A second reason for enforcing password change policies -- and I contend that it is the only real reason, as my analysis below will show -- is that it closes holes that have already been opened. So if a password is changed at the point when an attack has had enough time to check 50% of the possible password permutations, then 50% of the time the change will close a hole that is already open, and 25% of the time the previous password change will have prevented a hole from opening at all. The policy would therefore have been helpful in 75% of the cases.
By the way, the attack times that I gave in my earlier article were all average attack times, meaning that they allowed enough time to check 50% of the permutations, so if the attack generated guesses in random order one would expect 50% of all attacks to succeed in that amount of time. In general, organizations that require frequent password changes also require reasonably strong passwords. If an organization requires 8-character passwords consisting of lowercase letters and at least one digit, the crack time of the tool that I wrote about averages 2.6 years, meaning that it takes that long for the tool to test 50% of the permutations. A policy that requires password changes every six months would mean that the tool would never have a chance to attempt more than 10% of the permutations before a change took effect, so we can work out the following:
Over 2.5 years, the probability that the password will be guessed at least once is 0.1 + (0.9 * 0.1) + (0.9^2 * 0.1) + (0.9^3 * 0.1) + (0.9^4 * 0.1), i.e., 1 - 0.9^5, which is 40.9%. This looks like an improvement over a 50% chance of guessing the password, but...
There is the possibility that the password could be guessed multiple times over the 2.5 year period.
In fact, with a 10% chance that the password is guessed in each 6-month period, the expected number of successful guesses over 2.5 years is still 0.5, i.e., the same overall 50% as before.
The average duration, however, of the vulnerability created when a password is guessed will be 3 months.
The expected period of vulnerability will therefore be 0.5 times 3 months, i.e., 6 weeks.
Without the password change policy, the probability of successful attack is the same 50%, but the average duration of vulnerability is 15 months, so the expected period of vulnerability will be 30 weeks.
Thus, with or without the password change policy, the probability of a breach is the same; but with the policy the expected duration of vulnerability is much lower. That's the real benefit of the policy.
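The arithmetic above, written out as a small model. This is an added example, not code from the original article; it assumes guesses are made in random order at a constant rate (so the chance of success grows linearly with time and reaches 50% at the average crack time), and it uses an average crack time of 30 months rather than the article's 2.6 years so that the per-period figure comes out at the article's rounded 10%.

```python
"""Expected-window model for forced password rotation (added example)."""
from dataclasses import dataclass


@dataclass
class RotationOutcome:
    p_any_success: float       # probability the password is guessed at least once
    expected_successes: float  # expected number of successful guesses over the horizon
    expected_window: float     # expected exposure time, in the same unit as the inputs


def period_success_probability(avg_crack_time: float, interval: float) -> float:
    """Chance a brute-force run guesses the password within one rotation interval.

    Model assumption (not stated in the article): random-order guessing at a
    constant rate, so success probability is linear in elapsed time and equals
    50% at avg_crack_time (the time needed to test half the keyspace).
    """
    if avg_crack_time <= 0 or interval <= 0:
        raise ValueError("times must be positive")
    return min(1.0, 0.5 * interval / avg_crack_time)


def rotation_outcome(p_period: float, periods: int, interval: float) -> RotationOutcome:
    """Outcome over `periods` consecutive rotation intervals of length `interval`.

    A guessed password stays usable until the next forced change, so on average
    a successful guess exposes the account for half an interval.
    """
    if not 0.0 <= p_period <= 1.0:
        raise ValueError("p_period must be a probability")
    if periods < 1:
        raise ValueError("need at least one period")
    p_any = 1.0 - (1.0 - p_period) ** periods
    expected = periods * p_period
    return RotationOutcome(p_any, expected, expected * interval / 2.0)


def compare_policies(avg_crack_time: float, horizon: float, interval: float):
    """Return (with_rotation, without_rotation) outcomes over the same horizon.

    Under the linear model the expected number of successes is horizon / (2 *
    avg_crack_time) regardless of the interval, which is the article's point:
    rotation does not change the breach probability, only the exposure window.
    """
    periods = int(round(horizon / interval))
    p_each = period_success_probability(avg_crack_time, interval)
    with_policy = rotation_outcome(p_each, periods, interval)
    # No rotation: a single "period" spanning the whole horizon.
    p_whole = period_success_probability(avg_crack_time, horizon)
    without_policy = rotation_outcome(p_whole, 1, horizon)
    return with_policy, without_policy
```

With months as the unit, `compare_policies(30.0, 30.0, 6.0)` reproduces the figures above: 0.5 expected successes either way, a 1.5-month (6-week) expected window with rotation versus 7.5 months without.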
Is this sufficient justification for password change policies? In my opinion: No. Although we get there by different reasoning, I do agree with Wolfgang that password change policies are typically given a lot more credit than they are worth. Offsetting the decrease in the expected window of vulnerability is a human problem that I believe is much more worrisome than brute force attacks in the first place! If you're already requiring 8 character passwords consisting of mixed case letters and digits, the average brute-force guess time of 2 centuries gives slightly better than a 1% chance of success in an attack lasting 2.5 years. If you require frequent changes to passwords, it's highly probable that more than 1% of your users will resort to the unsafe practice of writing down their password on a post-it note somewhere in their office, on a card in their wallet or in their laptop case, etc. This is almost certainly a much bigger cause of breaches than any brute force tools. Plus, if you know where it is that a user keeps their password written down, enforced changes won't ever close the hole because the attacker will just go back and find the new password written down in the same place.