Takeaways from Microsoft’s announcement in May that it would be “Dropping the password-expiration policies that require periodic password changes” in baseline settings for Windows 10 and Windows Server:
First: The major security problem with passwords – the most major of the major problems – is not a failure to change passwords often enough. Rather, it is choosing weak passwords. Making passwords much harder for supercomputers (and humans, too) to guess – for example, requiring minimums of 11 characters, randomly-generated, using both upper- and lower-case letters, symbols and numbers – are much more “real-world security” (in Microsoft’s formulation). As Dan Goodin recently wrote in Ars Technica, “Even when users attempt to obfuscate their easy-to-remember passwords – say by adding letters or symbols to the words, or by substituting 0’s for the o’s or 1’s for L’s – hackers can use programming rules that modify the dictionary entries.”
Then again, 11-character minimums may be sound advice, but perhaps not too much complexity. John Bennett, Director of Security for Wikimedia Foundation, helpfully explained Wikimedia’s new password policy in a blog earlier this year. Bennett discussed how complexity, meant to counter the problem of hackability, itself creates new problems: “Complexity is the enemy of security. From a credentialing standpoint, it encourages very bad habits. When we add more complexity to credentials, it makes it harder to remember passwords and strengthens the temptations to reuse the same credentials on multiple sites”. Which in turn, exposes a user to multiple vulnerabilities from just a single breach.
Second, network and application policies that implement and enforce security practices like screening banned- or compromised-password lists, multi-factor authentication, and detection of password-guessing attacks are more directly responsive to the modern skills of bad actors who would seek to compromise security. Or as Aaron Margosis of Microsoft put it in the security configuration announcement, “if organizations haven’t implemented modern mitigations, how much protection will they really gain from password expiration?”
Third, as with requiring complexity, mandatory password changes (every 30 days, 90 days, etc.) can actually weaken, not strengthen, password security. As Goodin wrote in Ars Technica, forcing users to periodically change passwords “encourage[s] end users to choose weaker passwords than they otherwise would. A password that had been ‘P@$$w0rd1’ becomes ‘P@$$w0rd2’ and so on.” (This lesson might ring true to anyone who’s run up against the wall of “you must change your password” when hurriedly trying to access their email client and favorite applications.)
Fourth, auditors. Auditors. Auditors. Microsoft’s security baseline settings inevitably serve as proxies for data protection, and businesses rely heavily on its guidance when meeting compliance obligations. Microsoft recognized this in its announcement. “It is not unusual for organizations during audit to treat compliance numbers as more important than real-world security,” Margosis of Microsoft wrote. And an organization that can otherwise demonstrate strong security practices like those mentioned above might nonetheless get dinged in an audit for opting for 365 days when the baseline recommends 60 days.
Recognizing this, on the other hand, Microsoft seems to intend that its guidance be relied upon by compliance auditors, and therefore it acknowledges that it also has a responsibility to periodically update and improve that guidance. Updates to baseline settings in new releases (like those in the announcement for Windows 10 and Windows Server) are always in response to iterative learning between developers and users.
What these takeaways have in common: Human nature. “Complexity is the enemy of security”, wrote Bennett of Wikimedia, but to be accurate Bennett’s concern is more about human nature, not the hackability of a complex password. Complexity and randomness can make for good security if the password is not duplicated on multiple sites for multiple accounts. Apps like 1Password, LastPass and Dashlane make that practical if properly implemented and regularly engaged, although accomplishing even that still calls for a step up level of user discipline.
Add Comment