Password expiration is dead, long live your passwords

May was a momentous month, which marked a victory for sanity and
pragmatism over irrational paranoia. I’m obviously not talking
about politics. I’m talking about Microsoft finally — finally!
but credit to them for doing this nonetheless! —
removing the password expiration policies
from their Windows 10
security baseline.

Although NIST and others precede this and
deserve that credit, I think it’s worth taking a moment to
recognize this moment in time as truly a fundamental change in the

— SwiftOnSecurity (@SwiftOnSecurity)
May 31, 2019

Many enterprise-scale organizations (including TechCrunch’s
owner Verizon) require their users to change their passwords
regularly. This is a spectacularly counterproductive policy. To


Recent scientific research calls into question the value of many
long-standing password-security practices such as password
expiration policies, and points instead to better alternatives …
If a password is never stolen, there’s no need to expire it. And
if you have evidence that a password has been stolen, you would
presumably act immediately rather than wait for expiration to fix
the problem.

…If an organization has successfully implemented
banned-password lists, multi-factor authentication, detection of
password-guessing attacks, and detection of anomalous logon
attempts, do they need any periodic password expiration? And if
they haven’t implemented modern mitigations, how much protection
will they really gain from password expiration? …Periodic
password expiration is an ancient and obsolete mitigation of very
low value

If you have a password at such an organization, I recommend you
forward that blog post to its system administrators. They will
ignore you at first, of course, because that’s what enterprise
administrators do, and because information security (like
transportation security) is too often an irrational one-way
ratchet: our culture of fear rewards security theater rather than
actual security. But they may grudgingly begin to accept that the
world has moved on.

Instead: Use a password manager like LastPass or 1Password.
(They have viable free tiers! You really have no excuse.) Use it to
eliminate or at least minimize password re-use across sites. Use
two-factor authentication wherever possible. Yes, even SMS
two-factor authentication, despite number-porting and SS7 attacks,
because it’s still better than one-factor authentication.

And please, if you work with code or data repositories, stop
checking your passwords and API keys into your repos. I’m the CTO
of a consultancy and you would be amazed how many times clients
come to us with this unfortunate setup. Repository access is not
fine-grained; repos are easily copied and their copies easily
misplaced; and once credentials have been checked in, they are
annoyingly tricky to truly delete. Using even something as simple
as environment variables instead is a huge step up, and also makes
your life simpler in many ways when working across multiple
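
As an added example (not code from the article), here is the same idea in Python: credentials are read from the environment and fail loudly when absent, and a small scanner flags credential literals in source before they reach a repository. The regex patterns, the `load_credential` helper and the sample file are constructed for illustration.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed patterns for the most common shapes a checked-in credential takes:
# a long quoted literal assigned to a name like api_key/secret/password/token,
# and the "AKIA" prefix that long-term AWS access key IDs use.
SECRET_PATTERNS = [
    re.compile(r'(?i)\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*["\'][^"\']{8,}["\']'),
    re.compile(r'\bAKIA[0-9A-Z]{16}\b'),
]


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each line that looks like a credential literal.

    Intended as a pre-commit check: run it over the files about to be committed
    and refuse the commit when it returns anything.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(pat.search(line) for pat in SECRET_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


def load_credential(name: str, environ: Optional[Dict[str, str]] = None) -> str:
    """Read a credential from the environment instead of from source.

    A missing or blank value raises immediately, so a misconfigured deployment
    fails at start-up rather than silently running with an empty credential.
    """
    env = os.environ if environ is None else environ
    value = env.get(name, "").strip()
    if not value:
        raise RuntimeError(f"required credential {name} is not set in the environment")
    return value


# Constructed sample: the "before" that should never reach a repository.
BEFORE = '''
import requests
API_KEY = "sk_live_0123456789abcdef"
password = 'hunter2hunter2'
DEBUG = "true"
'''

if __name__ == "__main__":
    for lineno, text in find_hardcoded_secrets(BEFORE):
        print(f"line {lineno}: possible credential literal: {text}")
    # The "after": the value comes from `export API_KEY=...` in the shell, not from the code.
    print(load_credential("API_KEY", {"API_KEY": "value-from-environment"}))
```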

Perfect security doesn’t exist. World-class security is hard.
But decent security is generally quite accessible, if you
faithfully follow some basic rules. In order to do so, it’s best
to keep those rules to a minimum, and get rid of the ones that
don’t make sense. Password expiration is one of those. Goodbye to
it, and good riddance.
