Why do we keep forcing short-term password changes?

Published at 2016-04-28 23:02:37

This is a guest post from our frequent contributor Kevin Beaver. You can read all of his previous guest posts here.

I'm often asked by friends and colleagues: Why do I have to change my password every 30 or 60 days? My response is always the same: odds are good that it's because that's the way it's always been done. Or they might have a super strict IT manager who likes to show, on paper, that his or her environment is "locked down." Occasionally I get feedback that auditors require such stringent settings. The funny thing is, there's never really a good business reason behind such short-term password changes. In fact, if you dig in further, in many cases there are other issues that pose a much higher risk than passwords that aren't changed often. I often see feeble password requirements, i.e. complexity not being enforced or 6-character minimum lengths. I often see this combined with equally feeble endpoint security: minimal Windows patching, no third-party software patching, no full disk encryption, and network monitoring/alerting that is reactive at best.
So, why is it that we go with the 30-, 60-, or 90-day password change requirements? I don't think it's malicious, but I do believe that people just aren't taking the time to think about what they're doing. In fact, that's sort of the essence of many of the security challenges businesses face today. People just aren't thinking about what they're actually doing. They're going through the motions with their "policies" and they have these fancy technologies deployed but, in reality, the implementation of everything stinks. At the end of the day, management assumes that all is well because of all the money and effort being spent on these issues (including those pesky password changes), but they still get hit with breaches and no one can figure out why.

I think many seasoned IT and security professionals would agree with me that rapid turnarounds on password changes are actually bad for security. We always joke about how users will write down their passwords on sticky notes, and it's true! But it goes deeper than the humor. There's a strong political factor at the root of much of the password nonsense. Users don't want to have to create and remember long passwords. After all, odds are they've never been taught or guided to use passphrases, which are super simple to create and remember yet practically impossible to crack. Furthermore, management doesn't want to hear about it, so IT doesn't press the issue. Thus the ignorant cycle: if we can't make them use strong passphrases, we can at least require rapid password changes. The insanity continues and it's bad for business. Any time you create complexity, in this case by requiring users to continually change their passwords whether or not they're suspected to have been compromised, you create more problems than you solve in most cases.
There are always exceptions, and compensating controls such as intruder lockout, two-factor authentication, and proactive system monitoring can thwart most attacks on user accounts. It's time to look past the nonsense and capitalize on opportunities such as this to get people on our side rather than continue ticking them off.
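To put numbers on two of the points above (that a 6-character minimum is the real weakness, and that intruder lockout is a compensating control that actually matters), here is an added worked example. It is not part of Kevin's post and not rapid7 code. The 1e10 guesses/second offline rate, the 5-attempts-per-15-minute lockout, the 95-symbol keyboard alphabet, the 7776-word diceware-style list and the 90-day rotation period are all assumptions chosen for the comparison; the offline rate assumes a leaked fast, unsalted hash, and a slow hash such as bcrypt would lower it by several orders of magnitude.

```python
"""Guess-budget arithmetic for password length, lockout and forced rotation.

Added illustration, not code from the original post. Every rate and policy
setting below is an assumption chosen to make the comparison concrete.
"""

SECONDS_PER_DAY = 86_400

# Assumed attacker capabilities and policy settings (not from the post).
OFFLINE_GUESSES_PER_SEC = 1e10    # GPU rig against a leaked fast, unsalted hash
LOCKOUT_ATTEMPTS = 5              # assumed intruder-lockout threshold
LOCKOUT_MINUTES = 15              # assumed lockout duration
KEYBOARD_ALPHABET = 95            # printable ASCII, a "complex" password alphabet
DICEWARE_WORDS = 7776             # size of a diceware-style wordlist (6**5)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters from `alphabet_size` symbols."""
    return alphabet_size ** length


def passphrase_keyspace(wordlist_size: int, words: int) -> int:
    """Distinct passphrases of `words` random words drawn from a wordlist."""
    return wordlist_size ** words


def online_guesses_per_sec(attempts: int, lockout_minutes: int) -> float:
    """Sustained guess rate against one account when lockout throttles the attacker."""
    return attempts / (lockout_minutes * 60)


def days_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Days to try every candidate at a fixed rate; expected success is about half that."""
    return space / guesses_per_sec / SECONDS_PER_DAY


def cracked_before_rotation(space: int, guesses_per_sec: float, rotation_days: int) -> bool:
    """True when the whole space is exhausted within one rotation period, i.e. when
    forcing a change every `rotation_days` cannot help: the password falls first."""
    return days_to_exhaust(space, guesses_per_sec) <= rotation_days


# Policies to compare; the first is the weak minimum the post complains about.
POLICIES = {
    "6-char complex (weak minimum)": keyspace(KEYBOARD_ALPHABET, 6),
    "8-char complex": keyspace(KEYBOARD_ALPHABET, 8),
    "4-word passphrase": passphrase_keyspace(DICEWARE_WORDS, 4),
    "5-word passphrase": passphrase_keyspace(DICEWARE_WORDS, 5),
}


def compare(rotation_days: int = 90) -> dict:
    """For each policy: days to exhaust offline, days to exhaust online behind lockout,
    and whether an offline attacker beats the rotation period."""
    online_rate = online_guesses_per_sec(LOCKOUT_ATTEMPTS, LOCKOUT_MINUTES)
    return {
        name: {
            "offline_days": days_to_exhaust(space, OFFLINE_GUESSES_PER_SEC),
            "online_days_with_lockout": days_to_exhaust(space, online_rate),
            "offline_cracked_before_rotation": cracked_before_rotation(
                space, OFFLINE_GUESSES_PER_SEC, rotation_days),
        }
        for name, space in POLICIES.items()
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:32s} offline: {row['offline_days']:>12.2f} d  "
              f"online+lockout: {row['online_days_with_lockout']:>12.3g} d  "
              f"cracked before 90-day rotation: {row['offline_cracked_before_rotation']}")
```

Under these assumptions the weak 6-character policy is exhausted offline in about a minute, so a 90-day rotation changes nothing: the password falls long before it is due to change. An 8-character complex password and a 4-word passphrase both fall within a few days, still well inside the rotation period. A 5-word passphrase takes roughly ninety years, so rotation is moot in the other direction. Meanwhile the lockout setting alone pushes online guessing past a billion days even for the weak policy, which is the sense in which intruder lockout and similar controls thwart attacks on user accounts without burdening users.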

Source: rapid7.com
