Sunday, January 22, 2012

Password Change Frequency

(Picture of Cliff Stoll, linked from Berkeley website)
Professors are nice people. Seriously. They can be a challenge too, as I got to experience firsthand during my 3.5-hour lecture on password security at the NISNET winter school, 22-27 May 2011. Paranoid as I am, I even suspect two of them of entering into a secret pact to have some fun at my expense. ;-)

Note: I started writing this blog post in May 2011. I dropped some of my ideas, and have spent another 8 months thinking, reading and discussing the issues of password change frequencies. Now, at the time of publishing, I still haven't made up my mind. The "simple" question of "How often should I change my passwords?" isn't all that easy to answer.

First of all, I have the utmost respect for Professor Patrick Bours and Professor Christoph Busch, so no hard feelings in this blog post guys. I'll take this as a challenge, without doubt. ;-)

Here's what happened:
During my lecture, I said that in general I would recommend a password policy to require a minimum password length of 10 characters, and give users a 13 month change frequency as a reasonable tradeoff. I forgot to say that I've asked a lot of people if they would accept that, and almost everyone has considered that to be reasonable.

Somewhere else during my lecture, I showed password statistics based on data from a Windows domain, where LM as well as NTLM hashes were available. Naturally, LM hashes made things easy, so my statistics were based on having cracked 100% of the passwords.

I also said that I had successfully cracked a password of length 32 (or somewhere in that area), based on the NTLM hash and a user who had chosen a passphrase found on Wikipedia with 2 digits applied to the end. A simple dictionary-hybrid attack using Cain overnight, using the popular wiki-wordlist by Sébastien Raveau, recovered the password.

This is where Professor Christoph Busch raised his hand for some questions:
The first question was how long it took me to crack that length-32 password. I said "I was sleeping at the time, but maybe 8 hours?". His response got stuck in my brain:
"If your window of opportunity to crack a user's password like this is - say 4 hours - why do you suggest a change frequency of 13 months, when it probably should be <4 hours?"
.... Being a password geek, waking up in the middle of the night with that question hammering your head is NOT pleasant at all. Damn you Christoph! ;-)

Now let's move to another part of the world. A long time ago, during a penetration test, another guy came with some arguments regarding password change frequencies. Let's just call him "anonymous" for now, but he's yet another one of those guys that I really respect in terms of security knowledge. He simply said:
"If my password is sufficiently strong in regard of length & complexity and stored with a reasonable hash algorithm, why would I ever need to change my password?"
Oh; and at his organisation at the time, they didn't do mandatory password change for anyone. EVER. In fact, he said that starting mandatory frequent password changes would be over his dead body. He's still alive (...), and now they do frequent password changes. :-) Partially based - I guess - on the fact his Windows password got cracked in minutes.

Now if you spend a couple of minutes thinking about reasons why you should change one or more of your passwords on something that even resembles some sort of frequency (days, months, years) or other reasons, you'll probably come up with quite a few:

  1. (Corporate) policy enforces it - can't convince them into anything else
  2. Some external experts told me/us to do so (insert name/organization/url here....:-))
  3. I don't believe in research.
  4. I haven't opened my eyes.
  5. Oops. Sorry. Got a little carried away there. :-)
No, I'm not going to reveal my stance on this topic quite yet. I need to read that last paper there thoroughly. Twice. 

However I would really like to hear your opinion: 
How often, if ever, should we change our passwords?

I would be really happy if you reply with references to research, blog posts, articles, papers or anything else that can shed some more light on this subject. Yes, you can link to your own blogs and opinions. :-)