Passwords


Password Behavior Research
"The Information Security Efficacy of Password Aging Policies"

See the Charted Survey Data

As of this writing in 2008Q1, generally accepted practice for logon password security includes:

Uniqueness: Each user must have a unique UserID::Password combination for system(s) access.

Secrecy: A user must not deliberately reveal the user’s password to anyone.

Complexity: Passwords must include a combination of some or all of lower case, upper case, numeric, and punctuation characters.

Length: Passwords must include at least “L” characters.

Guessing: After G incorrect guesses at a given password, that account is locked out, pending SysAdm intervention.

Aging: Passwords expire, and users must change them every X days.

Let’s examine the last practice, Aging, by asking a few non-rhetorical questions.

- Do you have to change your password(s) every 30 / 45 / 60 days?
- Do you know why this is necessary?
- Is this a frustrating, time-consuming requirement?
- What do you do to remember the new password(s)?
- Does password Aging make your systems more secure?

Working with our security and compliance clients, we noticed that, virtually universally, the answers to these questions were:

- “Yes, I have to change my password every 90 (or less) days.”
- “Other than complying with the IT Policy, I have no idea why.”
- “Yes, this is very annoying and frustrating.”
- a.) “I write them on a sticky note and hide that in my cubicle.” Or
  b.) “I use a formula that just increments a couple of characters.”
- “I doubt that password Aging makes us any more secure.”
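The six practices listed above, together with the “formula that just increments a couple of characters” answer, as an added example in Python. This is not the Hollis Group's code or survey instrument: the Policy class carries the page's L, G and X as parameters with assumed values (12, 5 and 90), check_new_password enforces Length and Complexity and rejects a new password that sits within a small edit distance of the old one or differs from it only in a trailing number, create_account enforces Uniqueness and stores only a salted PBKDF2 digest, and login applies the Guessing lockout and the Aging expiry. All function names, field names and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from string import ascii_lowercase, ascii_uppercase, digits, punctuation
from typing import Dict, List, Optional

# The four character classes the page names under "Complexity".
CLASSES = (set(ascii_lowercase), set(ascii_uppercase), set(digits), set(punctuation))
PBKDF2_ITERATIONS = 100_000

@dataclass
class Policy:
    """Parameters for the six practices; the numbers are assumed values, not the page's."""
    min_length: int = 12        # "L" under Length
    min_classes: int = 3        # how many of the four classes Complexity requires
    max_guesses: int = 5        # "G" under Guessing
    max_age_days: int = 90      # "X" under Aging
    min_edit_distance: int = 3  # catches "increment a couple of characters"

def character_classes(pw: str) -> int:
    """Count how many of the four classes appear in pw."""
    return sum(1 for cls in CLASSES if any(c in cls for c in pw))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_new_password(new: str, old: Optional[str], policy: Policy) -> List[str]:
    """Return the policy violations for a proposed password ([] means accepted)."""
    problems = []
    if len(new) < policy.min_length:
        problems.append("too short")
    if character_classes(new) < policy.min_classes:
        problems.append("too few character classes")
    if old is not None:
        # The old plaintext exists only during the change request (the user
        # types it to authorise the change); it is compared here, never stored.
        if edit_distance(old, new) < policy.min_edit_distance:
            problems.append("too similar to previous password")
        elif old.rstrip(digits) == new.rstrip(digits):
            problems.append("only the trailing number changed")
    return problems

@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    changed_at: datetime
    failed_guesses: int = 0
    locked: bool = False

def _digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)

def create_account(directory: Dict[str, Account], user_id: str, password: str,
                   now: datetime, policy: Policy) -> Account:
    """Uniqueness: one account per UserID; the password is kept only as a salted hash."""
    if user_id in directory:
        raise ValueError("UserID already exists")
    problems = check_new_password(password, None, policy)
    if problems:
        raise ValueError(", ".join(problems))
    salt = os.urandom(16)
    acct = Account(user_id, salt, _digest(password, salt), now)
    directory[user_id] = acct
    return acct

def login(acct: Account, guess: str, now: datetime, policy: Policy) -> str:
    """Return 'ok', 'expired', 'locked' or 'bad-password'."""
    if acct.locked:
        return "locked"                 # stays locked until SysAdm resets it
    if not hmac.compare_digest(_digest(guess, acct.salt), acct.digest):
        acct.failed_guesses += 1
        if acct.failed_guesses >= policy.max_guesses:
            acct.locked = True
            return "locked"
        return "bad-password"
    acct.failed_guesses = 0             # a good logon resets the guess counter
    if now - acct.changed_at > timedelta(days=policy.max_age_days):
        return "expired"                # Aging: the user must change it first
    return "ok"
```

The similarity check only works in the password-change path, where the user has just supplied both the old and the new plaintext; once the old password exists only as a salted hash, the comparison is impossible. That is why a rotation rule that rejects "Winter2008!!" followed by "Winter2009!!" has to be enforced at change time, and why the account itself never keeps anything but the digest.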

We (Hollis) recognized that our observations were empirical but unscientific; if they were accurate, and could be shown to be accurate, this could lead to a new “conventional wisdom” that would save our clients considerable cost, effort, and frustration.

At the 2000 PDA / FDA Joint Conference, we presented the postulate that, since Password Aging is motivating people to write down their passwords, it might have the net effect of lowering overall information security, and therefore might not be a good idea. The presentation was well received, and session attendees generally agreed that formal research into this subject was warranted.

Based upon this feedback, we started a project to research the “Security Efficacy of Password Aging” question. We designed a survey and distributed it at pharmaceutical industry computer validation conferences during the interval from Q3 2002 through Q1 2003.

We presented our results at the 2003 PDA / FDA Joint Conference. Again, the session attendees were very interested in the results, and encouraged further research. The charted results of that research are presented here.

Summarizing our results:

- A large percentage (at least 33%) of the respondents, all of whom had IT Compliance, Quality, or Security as a major, if not primary, job function, admitted to non-secure password behaviors.

  We defined, and the survey queried for, "bad" behaviors as any of:
  - Writing passwords down,
  - Revealing passwords,
  - Using others’ passwords,
  - Using password algorithms.

- There was a weak correlation between the number of passwords a given User had and non-secure behavior.
- There was a strong correlation between the frequency of forced change and non-secure password behaviors.
- The survey instrument failed to gather sufficient detail on change frequencies, particularly in the +90-day region, and the analysis did not include cross-product effects.
- When considered as a screening study, the research was sufficiently compelling to justify a more rigorous examination of password behaviors.


All content ©2008 The Hollis Group, Inc. All rights reserved.
For technical questions or comments (including typos), send email to: tquinn@hollisgroup.com