This whole week in Vegas it seems everywhere you look there's a security convention - while Black Hat might be the biggest, both Def Con and BsidesLV are overlapping a bit during this busy week. I visited BsidesLV yesterday, as well as its con-within-a-con PasswordsCon, up the Strip at the Tuscany suites. The panels at Bsides spanned a really wide range of topics, from detailed how-to-hack panels to more social programs, like setting up a 501(c)(3) non-profit. (You can see the schedule here: http://www.bsideslv.org/schedule/.)
One of the sessions I attended was by Bruce Marshall: "How Forced Password Expiration Affects Password Choice." He started by asking whether attendees had a strong opinion on password expiration policies, and most of the room already did. There are a lot of anecdotes about how password policies lead to sub-optimal user behaviors (writing passwords on post-its, using simple password iterations such as password1, password2, ...), but Bruce actually presented researched statistics to back up what a lot of us already suspected:
- Many users will not act in their own best interest, even after a credential compromise -- eBay found that after its breach this year, only 85% of its actively purchasing customers had actually changed their password.
- While 38% of people would rather do a household chore than change their password, another 38% said they wouldn't trust a website that didn't have password expiration policies -- as an audience member pointed out, it's possible there's a big overlap there. In other words, many users know they need password security, and they want to see basic password security measures from services they use, but laziness often wins!
- Frequent password expirations force sub-optimal user behavior (as mentioned above): the University of North Carolina studied the issue in 2010 and found that 41% of new passwords generated after an expiration could be broken with fewer than 550 transforms of the old one. (Considering most password guessers can generate 10 *BILLION* guesses a second, 550 is nothing.)
- Bruce also found in his own studies that people will get by with the bare minimum on password length whenever they can -- 20% of users will choose a password that is exactly the minimum character length.
So what to do about it?
Bruce noted that for a small organization, a password expiration policy is a good "gap filler," meaning it's an easily-implemented and enabled control. And honestly, it can be better than nothing.
But Bruce says the practice is so entrenched and has gone unquestioned for so long that it has become a de facto best practice, and it's time to re-examine it and try new methods. He notes that many organizations are already making changes: some are stretching the interval between password changes to a year or more, but requiring heftier, longer passwords in return.
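One way to enforce that "longer passwords, fewer rotations" approach is to reject a new password that is merely a small transform of the old one, the behavior the UNC study found. The following is an added illustration, not code from the talk or this post; the edit-distance threshold, the leetspeak table and the 12-character minimum are my own assumptions.

```python
import re

# Added example (not from the talk): reject password changes that are a trivial
# "rotation" of the previous password. Thresholds below are assumptions.
_LEET = str.maketrans("@$!013", "asiole")  # a few common substitutions


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Strip the usual decorations (case, leading/trailing digits or symbols,
    simple leetspeak) so 'P@ssw0rd1' and 'Password2' compare as the same core."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(_LEET)


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True if the new password is within a couple of edits of the old one, or
    shares its normalized core (e.g. Summer2014! -> Summer2015!)."""
    if levenshtein(old, new) <= max_edits:
        return True
    core_old, core_new = normalize(old), normalize(new)
    if min(len(core_old), len(core_new)) < 4:  # too little signal to compare cores
        return False
    return core_new == core_old or core_old in core_new or core_new in core_old


def check_password_change(old: str, new: str, min_length: int = 12) -> list:
    """Return policy violations for a proposed change; an empty list means accept."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_trivial_rotation(old, new):
        problems.append("new password is a trivial transform of the old one")
    return problems


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Summer2014!", "Summer2015!"), ("P@ssw0rd1", "Password2"),
                     ("Winter2013", "correct-horse-battery-staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'accepted'}")
```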
Bruce also noted that better intrusion prevention and more robust profiles of user behavior will go a long way in making sure the person logging in to an account actually is who they say they are.
That's all from me for now - I'm off to Black Hat this morning. I'll be tweeting from many of the sessions today from my handle @mvarmazis - and if you see me with the bright red backpack around the show floor, say hello!