This is a guest post by Brian Focht, an attorney at Stiles Byrum & Horne in Charlotte and author of the highly regarded blog, The Cyber Advocate. Brian posts about important cybersecurity issues on which lawyers and other legal professionals should be focused. He can be reached at [email protected].
Let's be honest, the life of an IT manager isn't easy. Charged with both keeping the company's computer systems up and running and keeping those same systems safe, an IT manager has a hefty job. Probably even more so in law firms.
So you have to forgive them when it comes to how they've decided (and you've allowed them) to set up your password policy... Because it's more than likely that it's actually putting your data at risk.
For a while now, we've been told what constitutes a good password policy: use strong passwords. Ok, great. But what does that actually mean? Usually, you come across language like this:
"Create difficult passwords and change them frequently. In addition, never use the same passwords across multiple services."
Basically, as the experts have told us, a strong password has five primary elements. It is:
1) Complex - more than just a simple word;
2) Made up of a combination of letters (upper & lower case), numbers, and symbols;
3) At least 12 characters (some researchers suggest that length is actually more important than complexity);
4) Unique - you're not using it elsewhere and you haven't used it before; and
5) Changed frequently.
There you go: the elements of a strong password. These would also be the elements of a good password policy then, right? In theory, yes. You minimize the potential that sharing of passwords by your employees (which happens a LOT) can cause any harm, and you ensure that credentials obtained by hackers and other bad actors are quickly rendered useless.
Oh, and using complex passwords makes you totally feel like your law firm is more secure. I mean, you can practically feel the cybersecurity.
But really, this practice is akin to taking your shoes off in the airport -- more for show than for legit security. In reality, by constantly requiring new passwords, you've actually undermined your whole password policy.
Why? Because people are people.
Requiring frequent changing of passwords can weaken your policy
For a long time, I've held strong suspicions that requiring passwords to be changed on a regular basis, in addition to causing even more irritation than passwords already do, leads to cutting corners and breaking other basic password rules.
Turns out, my gut reaction was right. Requiring frequent password changing causes your password security to be compromised in any of a number of ways. Consider...
1) Users are less likely to use strong passwords to begin with
2) Even if a user's password is strong, if forced to change regularly, most use a slight modification of the original password, minimizing the effectiveness of the change. This phenomenon is called "transformation": a simple manipulation of a password that usually involves a predictable change to one or more characters. Hackers have figured these out! Their programs factor in "lookalikes," such as when the number "1" is changed to an exclamation point (!) or a capital I.
3) Creating new passwords usually comes at the expense of the password's security because...
- New passwords may lack complexity, using words, phrases, or names that are easy to social engineer with public information
- Users will be more tempted to re-use passwords, the likelihood of which will only increase if users must regularly change more than one password.
- Frequent changes that are complex will be hard to remember, tempting employees to undermine security by writing down the password and leaving it in an accessible place, or saving passwords to an easy-to-access file that's likely unencrypted.
Science Agrees – Your Password Policy is Compromised
Still not convinced? Well, how about some science? The chief technologist of the FTC, Lorrie Cranor, recently wrote that:
“Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely.”
“Researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit—probably not enough to offset the inconvenience to users.”
Cranor further explained:
“By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like "tarheels#1", for instance (excluding the quotation marks) frequently became "tArheels#1" after the first change, "taRheels#1" on the second change and so on. Or it might be changed to "tarheels#11" on the first change and "tarheels#111" on the second. Another common technique was to substitute a digit to make it "tarheels#2", "tarheels#3", and so on.”
And she concluded:
“[People] tended to create passwords that followed predictable patterns, called ‘transformations,’ such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).”
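An added example, not from the post or from Cranor's research team, of how a password-change handler could reject exactly these transformations on the defender's side: it reduces the old and new passwords to a common core (case folded, lookalike symbols undone, leading and trailing digits and symbols dropped) and compares the cores. The lookalike table beyond the S/$ and 1/!/I pairs quoted above, and the similarity threshold, are assumptions.

```python
"""Reject password changes that are only a predictable "transformation"
of the previous password: case flips, lookalike symbols, appended or
incremented digits, and padding moved from one end to the other.
Illustrative policy check; the lookalike table and the 0.8 threshold are
assumptions, not from the post."""
import re
from difflib import SequenceMatcher

# Lookalike characters collapsed to the letter they imitate. The post quotes
# S -> $ and 1 -> ! / I; after case folding "I" becomes "i", so "1", "!", "|"
# and "i" all map to "l". The remaining entries are assumed conventions.
LOOKALIKES = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a",
                            "0": "o", "3": "e", "7": "t",
                            "1": "l", "!": "l", "|": "l", "i": "l"})
PADDING = re.compile(r"^[\W\d_]+|[\W\d_]+$")   # leading/trailing digits or symbols


def canonical(pw: str) -> str:
    """Reduce a password to the core that users keep across transformations."""
    core = PADDING.sub("", pw.casefold())       # "tarheels#111" -> "tarheels"
    core = core.translate(LOOKALIKES)           # "pa$$word" -> "password"
    return re.sub(r"[^a-z]", "", core)          # ignore interior digits/symbols


def is_transformation(old: str, new: str, min_ratio: float = 0.8) -> bool:
    """True when `new` is a trivial variant of `old` and should be rejected."""
    a, b = canonical(old), canonical(new)
    if not a or not b:                          # all-digit/symbol passwords: compare raw
        return old.casefold() == new.casefold()
    if a == b or a in b or b in a:              # same core, or core with extras bolted on
        return True
    return SequenceMatcher(None, a, b).ratio() >= min_ratio


def check_password_change(old: str, new: str) -> tuple:
    """Return (accepted, reason) for a proposed password change."""
    if new == old:
        return False, "new password equals the old one"
    if is_transformation(old, new):
        return False, "new password is a predictable transformation of the old one"
    return True, "ok"


if __name__ == "__main__":
    for cand in ("tArheels#1", "tarheels#11", "tarheels#2", "correct-horse-battery"):
        print(cand, check_password_change("tarheels#1", cand))
```

In practice the check runs alongside, not instead of, a breached-password lookup, since a brand-new password that already appears in a public dump is no better than a transformed one.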
Is Your Password Policy Simply About Feeling More Secure?
So hopefully we now agree: reflexively requiring password changes is dumb. Because...science. But if IT people have known requiring frequent password changes to be relatively ineffective, why haven't they changed things? Well, it turns out IT managers aren't immune from external pressure and the need to appear strong. According to Cranor:
“People have told me, ‘If I were to do something that looks like I was watering down my organization’s security policy,’ people are going to say, ‘Why are you going soft on security here?’ You never have to explain why you’re making things more secure… Removing that requirement would require a lot of explanation.”
Don’t Go Crazy: Changing Passwords Still Has Its Place
Feeling cheated? Ready to throw your password policy out with the bathwater? Or, perhaps, taking the more measured and reasonable approach of just eliminating the requirement to change passwords? Well, consider all your options first.
Think about who you're addressing with your policy – your employees! The National Institute of Standards and Technology (NIST) explained in a 2009 publication on enterprise password management that, while password expiration mechanisms can be “beneficial for reducing the impact of some password compromises,” they are “ineffective for others” and “often a source of frustration to users.”
This is not to say that changing passwords is always a bad idea. There is a reason why changing passwords became part of the “strong password” canon: when done properly, password changes really do improve your security.
Here’s a helpful list of times when you should require employees to change passwords:
- A password was stolen
- A password was shared, even within your office
- You have reason to believe an account was compromised
- An employee leaves the company
When done right, changing passwords helps boost security. But since it’s so hard to get right when you're dealing with a group of people who are generally not technically savvy, implement multi-factor authentication and password managers.
It’s certainly better than all of your employees rotating between “12345,” “54321,” and “password” as the keys to access all of your clients’ confidential data.