If you don’t use sufficiently complex passwords, you don’t appropriately use Multi-Factor Authentication (“MFA”), you reuse the same password in multiple places, or you have any indication at all that a password has been disclosed, the rest of this article isn’t for you. Change your password, implement MFA, then come back and read the rest.
Recently we helped a large enterprise customer retire the requirement that typical users change their passwords on a 90-day cycle. The effort wasn’t as trivial as it sounds, but the result has been more than worth it.
If you do the same, you may enjoy some great returns:
- A widely quoted Forrester metric puts the cost of a helpdesk-driven password reset at $70.00. A medium-sized enterprise is likely to see a monthly helpdesk volume of 700 or more password-related tickets. For our customer, that put the savings in helpdesk calls alone at roughly $470,000 a year.
- Helpdesk will be able to get more value out of existing headcount.
- User satisfaction will increase greatly. It has not been uncommon to hear users say “That is great” and “Wow!” when told they no longer needed to change their passwords regularly.
The idea of keeping password expirations very long, or doing away with them altogether, isn’t anything new. However, for most security professionals it still challenges a deeply held belief. Our biggest challenge was helping the CISO sell this idea to the business units and to compliance.
Below is some ammunition, with references, that you can use in your discussions. As always, Bridge is here to help you with this conversation and this effort.
- You already have other controls in place. You should have MFA in place by now, especially for external access. Our more advanced customers are implementing newer techniques such as adaptive authentication, UEBA (user and entity behavior analytics), and geolocation checks. If you are layering additional controls on top of passwords, the added value of the password itself is incremental, and the value of changing that password regularly approaches zero.
- You are working off old threat models. We live in the age of malware, phishing, and good old-fashioned social engineering. While brute force still goes on, it is far more likely that a password will be harvested some other way (a phishing page, a credential-stealing implant) or that the attack you fall prey to doesn’t involve an exposed password at all. A forced change every 90 days does nothing against a password that was phished yesterday and used the same afternoon.
- Brute force attacks against individual passwords are unlikely to succeed. An attacker trying to knock down your front door with an online brute-force attack is nearly guaranteed to fail if you lock the account after some number of failed attempts: the effective guess rate drops to a handful of tries per lockout window, and the time required stretches into epochs and eons. Brute force against a captured hash is far more feasible, because lockout does nothing against offline cracking, but with MFA in place (and the password not reused elsewhere) a cracked password alone won’t open the door, so don’t sweat that too much.
Below you will find a grid that lets you calculate (roughly) the time taken to run through half of all possible passwords for a given character set, length, and amount of computational power. Enjoy that.
- You aren’t alone in this effort. Links are provided at the end of this article, but organizations such as NIST, Microsoft, and the FTC are all moving away from recommending regular password changes.
At this point I should note that if you have compliance requirements for password changes, you will need to handle them very carefully. Alongside our customer, we sometimes need to meet with a certifying body and present mathematical, logical, and industry-practice arguments to get this approved as a compensating control.
The grid below illustrates, under relatively ideal conditions for the attacker, the time it would take to traverse half the space of passwords of a given character set and length.
You can change the “Guesses per Second” value to see what it does to the timeline.
Our formula is: Years = (((Characters ^ Length) / Guesses per Second) * 0.5) / Seconds in a Year, where Characters is the size of the allowed character set (for example 26 for lowercase letters, 62 for mixed case plus digits, 95 for all printable ASCII), Length is the password length, and the 0.5 reflects that on average the attacker finds the password halfway through an exhaustive search.
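As an added example (not part of the original article or Bridge’s grid), the Python below implements the formula above and adds a lockout-throttled guess rate, so the distinction drawn earlier between an online attack against the login page and offline cracking of a captured hash can be put in numbers. The character-set sizes, the 5-attempts-per-30-minutes lockout, and the one-billion-guesses-per-second offline rate are assumed illustrative values, not figures from the article.

```python
"""Time to exhaust half of a password keyspace, online versus offline.

Added example (not from the original article or its grid). It implements the
article's formula,

    ((Characters ^ Length) / Guesses per Second) * 0.5 / Seconds in a Year,

and adds a lockout-throttled guess rate so the contrast between an online
attack against a login page and offline cracking of a captured hash can be
put in numbers. All character-set sizes, guess rates and lockout settings
below are assumed illustrative values, not figures from the article.
"""

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Size of the character set for common password policies (assumed values;
# 95 is the number of printable ASCII characters).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable ASCII": 95,
}


def keyspace(characters: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` over `characters` symbols."""
    if characters < 1 or length < 1:
        raise ValueError("characters and length must be positive")
    return characters ** length


def years_to_half_keyspace(characters: int, length: int, guesses_per_second: float) -> float:
    """The article's formula: expected years to try half of all candidates.

    The 0.5 reflects that, on average, the right password turns up halfway
    through an exhaustive search.
    """
    if guesses_per_second <= 0:
        raise ValueError("guesses_per_second must be positive")
    return (keyspace(characters, length) / guesses_per_second) * 0.5 / SECONDS_PER_YEAR


def lockout_guess_rate(attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Sustained online guess rate once account lockout is enforced.

    Approximation: the attacker gets `attempts_before_lockout` guesses, then
    must wait `lockout_seconds` before the next batch, so the long-run rate is
    attempts / lockout window. The time the guesses themselves take is ignored,
    and the attacker is assumed never to be blocked outright.
    """
    if attempts_before_lockout < 1 or lockout_seconds <= 0:
        raise ValueError("attempts must be >= 1 and lockout window positive")
    return attempts_before_lockout / lockout_seconds


def compare_online_offline(characters: int, length: int, attempts_before_lockout: int,
                           lockout_seconds: float, offline_guesses_per_second: float) -> dict:
    """Years to half the keyspace for one password under two attack models:
    online guessing throttled by lockout, and offline cracking of a captured
    hash, where no lockout applies."""
    online = years_to_half_keyspace(
        characters, length, lockout_guess_rate(attempts_before_lockout, lockout_seconds))
    offline = years_to_half_keyspace(characters, length, offline_guesses_per_second)
    return {"online_years": online, "offline_years": offline, "ratio": online / offline}


def format_years(years: float) -> str:
    """Human-readable duration for the table: seconds, hours, days or years."""
    seconds = years * SECONDS_PER_YEAR
    if seconds < 3600:
        return f"{seconds:,.2f} seconds"
    if years < 1 / 365.25:
        return f"{seconds / 3600:,.1f} hours"
    if years < 1:
        return f"{years * 365.25:,.1f} days"
    return f"{years:,.0f} years"


if __name__ == "__main__":
    # Assumed scenario: 5 failed attempts lock the account for 30 minutes
    # online; offline, a GPU rig tries 1e9 guesses/second against a fast hash.
    ATTEMPTS, LOCKOUT_S, OFFLINE_RATE = 5, 30 * 60, 1e9
    print(f"{'charset':<22}{'len':>4}{'online (lockout)':>24}{'offline (hash)':>20}")
    for name, size in CHARSETS.items():
        for length in (8, 12):
            r = compare_online_offline(size, length, ATTEMPTS, LOCKOUT_S, OFFLINE_RATE)
            print(f"{name:<22}{length:>4}"
                  f"{format_years(r['online_years']):>24}"
                  f"{format_years(r['offline_years']):>20}")
```

Run it directly to print the table. With the assumed settings, an 8-character mixed-case-plus-digits password takes over a billion years to half-exhaust against a lockout-protected login, but a little over a day offline at a billion guesses per second. That is the whole argument in two columns: lockout takes care of the front door, and MFA plus no password reuse is what covers the stolen-hash case, while a 90-day rotation changes neither number in a way that matters.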