Fred Cohen & Associates
Specializing in Information Protection Since 1977

Managing Network Security

Change Your Password – Do Si Do


Introduction:

When I write an audit report, I generally want a basis against which to make judgements. I sometimes use well-established standards such as the GASSP or BS7799 and I sometimes like to call my conclusions "opinions based on experience and data in comparable industries" or some such thing, but most of the time, I prefer a more scientific basis.

For many years I have been seeking a scientific basis for the well-worn policy of changing passwords on a regular basis. Recently, I have come to believe that, except in some special cases, this is not a beneficial activity for information security and that it is devoid of a scientific basis.

Now I know that this goes against many of the standards we have seen published and that it may even be counter to much of the training many of us have received, but I hope to present a convincing viewpoint in this article. As always, I welcome counterpoint.


Do Si Do:

In a square dance, you expect to have the caller occasionally call out "change your partner", and as a dutiful dancer, you change partners. This typically happens 4 times in a dance – or some multiple of 4 times – with the end result of getting your partner back at the end of the dance. The objective is to have fun and meet new people – or something like that. So if the goal is to have variety, changing partners – or passwords – is probably a fine idea. But what if the goal is to improve the effectiveness of password-based protection? Is it beneficial to change passwords more often or not?

In order to answer this question, we have to look at a lot of other issues, so I will start with the usual reasons, presenting a reason and a counterpoint at a time:

So, at least based on these points, I conclude that the case for changing passwords periodically is a weak one – except in special cases that I will discuss later.


Benefits of not changing passwords:

I am generally an easy-going sort of person and, if there were no negatives associated with periodic password changing, I would probably just let it ride. I might write reports that said "while there is no published basis for this activity, it is generally believed to be useful and is not known to be harmful" or some such thing. Unfortunately, I have been forced to change passwords more than once in my career – last week in fact – and so I have come to find that there are indeed negatives associated with the activity. They are not world-shaking, but here are some of them nonetheless:

There are, no doubt, many other reasons for not changing passwords on a regular basis, but they are basically all related to the inconvenience of doing it and the reduction in protection resulting from it.


Special Cases:

As I commented earlier, there are some special cases when changing passwords – in some cases periodically – is a very good idea. Here are some selections:

While I am sure that there are many other circumstances where it is prudent to change passwords periodically, it is not a "no-brainer". In order to establish that such a circumstance really exists, it is necessary to associate a credible and substantial risk (something resulting from a cause, a mechanism, and their impact) and demonstrate that periodically changing passwords substantially mitigates that risk.


Conclusions:

Don’t believe everything you hear or read in an article, a checklist, or even a standard. In this case, it looks like a lot of people have missed the mark.

But I could be wrong – and you could prove it to me. In the beginning, this was a search for a reasonable basis for making audit recommendations regarding password changing frequency – and it still is. Right now, unless there is a special circumstance, changing them even once in a while seems to me like a poor idea.


About the Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and the Managing Director of Fred Cohen & Associates. His team combines business and technical expertise to help make information technology work better.