Skip to content

Why do we annoy our users?

I assume that, with my audience being mainly Mac users, you are not familiar with Microsoft Security Assessment Tool, or MSAT. It’s basically a free tool for CIOs, CSOs and the like to perform security analyses. It presents two questionnaires, the first asking questions about your company’s IT infrastructure (“do you offer wireless access?”), the second asking about the company’s current security posture (“do you use WPA encryption?”). The end result is a report comparing the company’s risk exposure to the countermeasures in place, highlighting areas of weakness or overinvestment. The MSAT app itself isn’t too annoying.

Mostly. One bit is. Some of the questions are accompanied by information about the relevant threats, and industry practices that can help mitigate the appropriate threats. Information such as this:

In order to reduce the ability to 'brute-force' the credentials for privileged accounts, the passwords for such accounts should be changed regularly.

So, how does changing a password reduce the likelihood of a brute-force attack succeeding? Well, let’s think about it. The attacker has to choose a potential password to test. Obviously the attacker does not know your password a priori, or the attack wouldn’t be brute-force; so the guess is independent of your password. You don’t know what the attacker has, hasn’t, or will next test—all you know is that the attacker will exhaust all possible guesses given enough time. So your password is independent of the guess distribution.

Your password, and the attacker’s guess at your password, are independent. The probability that the attacker’s next guess is correct is the same even if you change your password first. Password expiration policies cannot possibly mitigate brute-force attacks.

So why do we enforce password expiration policies? Actually, that’s a very good question. Let’s say an attacker does gain your password.

OK, "an attacker does gain your password."

The window of opportunity to exploit this condition depends on the time for which the password is valid, right? Wrong: as soon as the attacker gains the password, he can install a back door, create another account or take other steps to ensure continued access. Changing the password post facto will defeat an attacker who isn’t thinking straight, but ultimately a more comprehensive response should be initiated.

So password expiration policies annoy our users, and don’t help anyone.

{ 2 } Comments

  1. Phil Champ | April 14, 2010 at 5:47 pm | Permalink

    The log in page for my Egg Money account has this helpful advice:

    “We recommend you regularly change your password to reduce the chance of someone getting your details and accessing your accounts.”

    They don’t enforce password expiration, thank goodness, but this has always baffled me. How does changing something reduce the chance of it being stolen?

  2. Simen | April 17, 2010 at 1:42 pm | Permalink

    Although I for the most part do agree with you, the reason why we change password at given intervals probably has to do with the fact that in some instances, the attacker might get hold of a file with ALL the password in encrypted form. This used to be the /etc/passwd file on many *nix systems. This file was (and still is) publicly readable on most systems. If you do get access to the system in any way, there is a good chance of getting the passwd file as well. After getting the passwd file, the attacker starts a brute force attack on all the passwords. The attacker has all the time in the world, and nobody would even know that he is doing an attack, as it is all happening on his local machine(s).

    To counter this form of attack, the user had to change the password at regular intervals. If the attacker found a password 3 months after he had acquired the passwd file, it does no god as the users have already changed the password several times (assuming 1 month intervals).

    That being said, the passwords are no longer stored in the /etc/passwd file, and access to the passwords are not quite as easy. This kind of attack is not completely gone, but it does not represent the same type of risk as it used to, and there are several reasons why it might be a good idea to abandon the practice altogether, or at the very least increase the interval between password changes.