
Never Change Your Password Again! It’s A Bad Security Advice

By Kaunda, Digital Entrepreneur
16.01.2019

I posted the message below on Facebook. The date was Dec 18, 2018, and the time was 8:53 AM.

I had exams looming then. That was why I said “More on that later”.

[Image: screenshot of the Facebook post, “password change is bad”]

Now that exams are over, and I'm anxiously waiting for my Data Structures resit date, I think I can fool around with impunity.

Oh yes: “I-wrote-what-I-wrote, and I-know-what-I-wrote. I know I won't cross the HOLY borderline.” So I'm anxiously waiting for my resit date.

Data Structures is an evil spirit in computer science, too stubborn to be cast out with an “Obinim sticker”.

Now, back to the password thing.
“Never change your password again” sounds strange and very radical. I know. I was very surprised when I first saw it back in 2016.

The “best practice” we've known so far is to change it regularly: every 30, 60, 90 or 120 days. And if you don't, Mr Computer or whatever system you are using will lock you out completely.

It's a Do-Before-Complain philosophy.

As Martin Luther King said in his “I Have a Dream” speech of August 28, 1963: “Now is the time.”

Yes, “Now is the time” to face that Password Advice head on!

First of all, why are we told to change our passwords regularly?

Short Answer: Because Mr Bill Burr said so.

Full stop. Kwasia gyina (stop right there). End of story.
But if you want to “ask for more”, then please don't stop here; read on to learn why Mr Burr said so.

Yes, the habit of changing passwords often traces back to advice Mr Bill Burr gave in 2003 in the document he authored, “NIST Special Publication 800-63”. He was a mid-level manager at NIST then.

NIST = National Institute of Standards and Technology, USA

In that document is the advice to:
1. Change passwords regularly.
2. Use capital letters, small letters, digits and special characters. By that rule a password like [I<3Mw$2M] counts as better and stronger than [I love my waakye seller too much] written as one word.

Mr Burr's document became the go-to guide (a sort of Code of Hammurabi for passwords) for federal agencies, universities, large companies, mobile phone companies, websites and everywhere else a password policy is required.

If a document is endorsed in the USA, which other country will think otherwise? So the world picked it up.

The whole idea behind regular password changes is this theory:

Changing passwords frequently narrows the window within which an account is usable to an attacker before he has to take additional steps to maintain access. … Password expiration does not offer any benefit when an attacker wants to do all of the damage that he's going to do right now. It does offer a benefit when the attacker intends to continue accessing a system for an extended period of time.

— The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, 2010

All that brofotintin (big English) above is saying is:
“Change your password regularly so that if someone has it, he won't be able to use your account after 3 or 6 months.”

Burr's advice is why we see things like this when creating an email account:

[Image: Gmail account-creation screen]

Or this:

[Image: a “must at least contain 1 …” password-rule prompt]

You will also see something like this in Windows XP.

[Image: Windows XP password prompt]

And this in Windows 7

[Image: Windows 7 “password expiring soon” notice]

Unfortunately, the same advice was implemented in Windows 10:

[Image: Windows 10 password-expiry notice]

And on Mac:

[Image: the same notice on Mac]

In fact, Burr's advice is what every institution is implementing, knowingly or unknowingly.

This is what Bruce Schneier has to say about the “change your password regularly” advice:

At least, that's the traditional theory. It assumes a passive attacker, one who will eavesdrop over time without alerting you that he's there. In many cases today, though, that assumption no longer holds. An attacker who gets the password to your bank account by guessing or stealing it isn't going to eavesdrop. He's going to transfer money out of your account — and then you're going to notice. In this case, it doesn't make a lot of sense to change your password regularly — but it's vital to change it immediately after the fraud occurs.

Someone committing espionage in a private network is more likely to be stealthy. But he's also not likely to rely on the user credential he guessed and stole; he's going to install backdoor access or create his own account. Here again, forcing network users to regularly change their passwords is less important than forcing everyone to change their passwords immediately after the spy is detected and removed — you don't want him getting in again.

Now, to rewrite what Schneier said in plain English:
If someone gets your password, they will straight away do their bad thing. If they want to come back again, they will install a backdoor. Either way, what protects you is changing the password immediately after the compromise is noticed, not on a calendar.

This is Bruce's profile, in case you are scratching your head, asking yourself “Bruce no koraa ɔne hwan?” (who even is this Bruce?).

[Image: Bruce Schneier's profile]

And you can read his full article (his 2010 essay “Changing Passwords”) here.

In fact, Bruce is not alone on this. There have been many serious studies on password changes.

“Changing passwords often doesn't make us any more secure” is mostly the conclusion.

These two studies are worth mentioning:

  1. The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis, by researchers at the University of North Carolina (UNC) at Chapel Hill [2009-2010]. They used about 10,000 expired accounts of university staff and students, with 4 to 15 previous passwords per account, over 50,000 passwords in all. It took them several months, but they were able to crack about 60% of the accounts. Then they built a guessing algorithm from the cracked passwords: it learns the edits people make between one password and the next and tries those edits against the new one. Below is what their algorithm was able to do, according to Lorrie Cranor:
    The UNC researchers found that for 17% of the accounts they studied, knowing a user's previous password allowed them to guess their next password in fewer than 5 guesses. An attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user's password may be able to guess the user's new password fairly easily.
  2. More recently, researchers at Carleton University wrote a paper in which they developed a quantitative measure of the impact of password expiration policies. The study is linked here.

Below is Lorrie Cranor's picture. She argues against changing passwords regularly.

[Image: Lorrie Cranor]

The dress she is wearing is printed with the 500 most used passwords.

[Image: the password dress]

Below is what Sheikh Wikipedia has to say about Lorrie Cranor:

[Image: Lorrie Cranor's Wikipedia entry]

Enough of Lorrie Cranor. Let's ask ourselves:

Should organizations still mandate regular password changes?

The National Institute of Standards and Technology (NIST), the same organization Bill Burr worked for, explained in a 2009 publication on enterprise password management that while password expiration mechanisms are “beneficial for reducing the impact of some password compromises,” they are “ineffective for others” and “often a source of frustration to users.”

That is true paa (very true). Changing passwords often is very frustrating, and the IT guys always blame us for writing them in our diaries.

  1. How do you expect me to memorize something that I will definitely change in 3 months' time?
  2. Why should I invest so much thinking into something that will expire in 3 months' time?
  3. Why blame me for NOT being able to memorize something that must contain a capital letter, a small letter and a special character? Something like I<3Mw$2M. And you think “me na mabɔn” (I'm the one at fault)?

The funny thing is, even the IT guys are not able to memorize all the passwords they have. They turn to something called a password manager. In short, a password manager puts all your passwords into one encrypted file protected by a master password; you then memorize only the master password.

The average UK person has about 22 online accounts. Under the old policy, that means 22 passwords in the head, each changing every few months. Is that rational?

I have no data on Ghana, but I think the average Ghanaian has about 10 online accounts.

I have over 100 online accounts, each with a unique password. How can I memorize all of them? How can I change all 100 every 3 or 6 months?

So the first problem with Burr's advice is: IT'S NOT PRACTICAL ANYMORE.

Fast forward: this is what Mr Burr had to say in 2017, in an interview with The Wall Street Journal.

“Much of what I did I now regret”

Yes, he regrets setting those password rules back in 2003. He's retired now, at 72.

Well, we can tell him to go and sin no more, but unfortunately the harm is already done. Collectively, people spend over 1,300 years of time every day typing passwords, according to Cormac Herley, a principal researcher at Microsoft Corp. That time includes password resets.

It looks like Burr even wonders why he set those rules in the first place.

“Change your password every 90 days? Most people make minor changes that are easy to guess,” he laments. “Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay,” Burr said.
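Here is what the UNC result quoted above and Burr's Pa55word!1-to-Pa55word!2 lament look like in code. This is an added example written for this article, not code from the UNC study, NIST or the author: `variants` encodes a handful of common edits (bump the trailing number, append a digit or symbol, move or drop the trailing block, change case, toggle leet-speak) rather than the study's full transform set, the (old, new) pairs are constructed, and unsalted SHA-256 stands in for whatever hash a real password file uses. The same generator doubles as a server-side check, `reject_trivial_change`, that refuses a new password which is a predictable edit of the old one.

```python
"""Why a forced change buys little once the attacker knows the old password:
most people derive the new one from the old.

Added example for this article; not code from the UNC study, NIST or the
author. The edit set is a small constructed sample of common habits, and
SHA-256 stands in for a real password-file hash.
"""
from __future__ import annotations

import hashlib
import re

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
UNLEET = {v: k for k, v in LEET.items()}


def single_step(p: str) -> list[str]:
    """One-edit neighbours of p, most common habits first."""
    out: list[str] = []

    def add(c: str) -> None:
        if c and c != p and c not in out:
            out.append(c)

    if not p:
        return out
    # Bump a trailing number: Pa55word!1 -> Pa55word!2, Summer2018 -> Summer2019.
    m = re.search(r"\d+$", p)
    if m:
        stem, num = p[: m.start()], m.group(0)
        for delta in (1, -1, 2):
            if int(num) + delta >= 0:
                add(stem + str(int(num) + delta).zfill(len(num)))
    # Tack a digit or symbol on the end.
    for c in "1!2.":
        add(p + c)
    # Move the trailing digits/symbols to the front, or drop them.
    m = re.search(r"[^A-Za-z]+$", p)
    if m and m.start() > 0:
        add(m.group(0) + p[: m.start()])
        add(p[: m.start()])
    # Case games.
    add(p[0].swapcase() + p[1:])
    add(p.upper())
    add(p.lower())
    # Leet-speak on or off.
    add("".join(LEET.get(ch, ch) for ch in p))
    add("".join(UNLEET.get(ch, ch) for ch in p))
    return out


def variants(old: str, depth: int = 2) -> list[str]:
    """Candidates within `depth` edits of `old`, shallowest first."""
    out: list[str] = []
    frontier = [old]
    for _ in range(depth):
        nxt: list[str] = []
        for p in frontier:
            for v in single_step(p):
                if v != old and v not in out:
                    out.append(v)
                    nxt.append(v)
        frontier = nxt
    return out


def guesses_to_find(old: str, new: str, depth: int = 2) -> int | None:
    """1-based number of guesses needed to reach `new` from `old`, or None."""
    for i, g in enumerate(variants(old, depth), 1):
        if g == new:
            return i
    return None


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def offline_guess(old: str, new_hash: str, depth: int = 2) -> tuple[int, str] | None:
    """The Cranor scenario: attacker holds the leaked hash file and the user's
    previous password. Returns (guess number, recovered password) or None."""
    for i, g in enumerate(variants(old, depth), 1):
        if sha256_hex(g) == new_hash:
            return i, g
    return None


def reject_trivial_change(old: str, new: str) -> bool:
    """Server-side check at change time (both values are in hand then):
    True means refuse, because `new` is a predictable edit of `old`."""
    return new.lower() == old.lower() or guesses_to_find(old, new) is not None


if __name__ == "__main__":
    # Constructed (old, new) pairs in the style the studies describe.
    for old, new in [("Pa55word!1", "Pa55word!2"), ("Summer2018", "Summer2019"),
                     ("waakye", "Waakye1"), ("waakye", "correct horse battery staple")]:
        print(f"{old!r:14} -> {new!r:32} guesses: {guesses_to_find(old, new)}")
```

With only two edits of depth, the Pa55word!1 case falls in one guess and a capitalise-and-append-a-digit change in under twenty; an unrelated passphrase is never reached. A verifier that mandates expiry without a check like `reject_trivial_change` is mostly training users to increment a counter.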

To me, what is most fascinating is that his guidelines were not based on any real research. He tried to validate them against real data before publishing, but it didn't work out.

He asked NIST's administrators for a dataset of real passwords to test his guidelines against, but was turned down on privacy grounds. “Ah, wagyimi anaa?” (are you mad?), he was more or less told.

“They were appalled I even asked,” Mr. Burr said.

And he was under pressure to publish, so he did, using a white paper from the 1980s as his guide.

NIST Special Publication 800-63 got a thorough rewrite in 2017 (it is now SP 800-63-3). Paul Grassi, a NIST standards and technology adviser who led the review group, said:

“We thought at the outset the document would require only a light edit. We ended up starting from scratch”

NOTE:

  1. “Reset your password regularly” is gone: verifiers should not force periodic changes, only a change when there is evidence the password has been compromised.
  2. “Use capital, small and special characters” is gone too: verifiers should not impose composition rules, and should instead require at least 8 characters and screen new passwords against lists of common and breached passwords.

In short, all I want to say is: feel free to keep using your password. Never change it (unless you are ISISed into it).

The only times you must change your password are:

  1. If you suspect your account has been compromised (or the service tells you it has been breached), change it.
  2. If you have ever shared your password with someone, change it immediately after reading this post. And make sure you go and sin no more.
  3. If someone has watched over your shoulder for a long while as you typed your password, change it.
  4. If your current password is weak, change it.

Going forward, what makes a good password?
According to Microsoft's password guidance, below are the current industry guidelines. [The advice is aimed at those with Microsoft-related accounts, but all the major industry players give the same advice.]

Advice to Administrators:

  1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  2. Eliminate character-composition requirements.
  3. Eliminate mandatory periodic password resets for user accounts.
  4. Ban common passwords, to keep the most vulnerable passwords out of your system.
  5. Educate your users not to re-use their password for non-work-related purposes.
  6. Enforce registration for multi-factor authentication.
  7. Enable risk based multi-factor authentication challenges.
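The administrators' list above as a concrete verifier check, with the 2003-era composition policy beside a NIST SP 800-63B / Microsoft-guidance style one. This is an added example written for this article, not code from Microsoft, NIST or the author; `BANNED` is a small constructed stand-in for a real list of common and breached passwords, and the sample passwords fed to it are made up.

```python
"""Password-acceptance policy, old rules beside new.

Added example for this article; not code from Microsoft, NIST or the author.
BANNED is a constructed stand-in for a real common/breached-password list.
"""
import re

# Constructed stand-in for a "most used passwords" corpus. A real deployment
# loads a large breach list and refreshes it; the check below is the same.
BANNED = {
    "password", "123456", "12345678", "qwerty", "letmein", "iloveyou",
    "pa55word", "p@ssw0rd", "welcome1", "admin", "football",
}

# Reverse the usual leet-speak substitutions so P@ssw0rd and Pa55word are
# recognised as the banned word they are built from.
_UNLEET = str.maketrans("4301$5@!7", "aeoissait")


def old_policy(pw: str) -> tuple:
    """Burr's 2003 rules as most sites implemented them: at least 8 characters,
    an upper- and a lower-case letter, a digit and a symbol, and no spaces."""
    if len(pw) < 8:
        return False, "too short"
    if " " in pw:
        return False, "spaces not allowed"
    for name, pattern in (("upper", r"[A-Z]"), ("lower", r"[a-z]"),
                          ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            return False, f"needs a {name} character"
    return True, "ok"


def _core_word(pw: str) -> str:
    """Strip the digits/symbols people bolt onto the ends, undo leet-speak and
    lower-case, so 'Pa55word!1' and 'P@ssw0rd' both map to 'password'."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return stripped.translate(_UNLEET).lower()


def new_policy(pw: str, username: str = "") -> tuple:
    """SP 800-63B / Microsoft style: a length floor, a blocklist and a few
    sanity checks. No composition rules and no expiry; long passphrases with
    spaces are welcome."""
    if len(pw) < 8:
        return False, "too short (minimum 8 characters)"
    if len(pw) > 64:  # 800-63B asks verifiers to accept at least 64
        return False, "too long (this verifier stops at 64)"
    if pw.lower() in BANNED or _core_word(pw) in BANNED:
        return False, "on the banned-password list"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    if len(set(pw.lower())) < 4:  # 'aaaaaaaa', '11111111', 'abababab'
        return False, "too repetitive"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Pa55word!1", "P@ssw0rd", "Tr0ub4dor&3",
               "correct horse battery staple", "aaaaaaaa"):
        print(f"{pw!r:32} old: {old_policy(pw)[1]:24} new: {new_policy(pw)[1]}")
```

Note how the two policies disagree on exactly the cases that matter: the old rules wave through Pa55word!1 and reject the passphrase because of its spaces, while the new ones refuse the dressed-up dictionary word and accept the passphrase.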

According to the cartoonist Randall Munroe's calculation (xkcd no. 936), it would take about 550 years at 1,000 guesses per second to crack the passphrase “correct horse battery staple” (roughly 44 bits of entropy). The password Tr0ub4dor&3, a typical example of a password built under Mr Burr's old rules, has about 28 bits and could be cracked in about three days at the same rate.

Mr Munroe's calculation has been checked by security specialists.

Advice for Users:

  1. Create a unique password for each of your accounts
  2. Keep your security info up to date
  3. Watch for suspicious activity
  4. Turn on two-step verification
  5. Keep your operating system, browser, and other software up to date
  6. Be careful of suspicious emails and websites
  7. Install an antivirus program on your computer

Are we going to live with passwords forever?
No, please.
The IT industry is gradually shifting away from passwords.

The new technology they are looking at is TO MAKE YOU YOURSELF THE PASSWORD: you prove who you are with a device you hold (phone, laptop or security key), unlocked locally by your face, fingerprint or a PIN. The secret key never leaves that device, so there is nothing for a phishing site or a breached password database to steal.

That goal led to the formation of the FIDO (Fast IDentity Online) Alliance, a nonprofit consortium of industry leaders. More than 250 member organizations across industries belong to the FIDO Alliance, including Intel, Google, Samsung, Qualcomm, Visa, PayPal, eBay, Bank of America, MasterCard, American Express and Verizon. Microsoft is on the alliance's board of directors.

A typical implementation of the FIDO specifications is Windows Hello on Windows 10.

Well, we've come to the end of the road.

  1. Feel free to argue for or against in the comments section.
  2. What is your institution's password policy like? Do you even have one?
  3. How often do you change your password? For my regular emails, the last time I did was about 5 years ago.
  4. How do you handle so many passwords?
  5. Roughly how many online accounts do you have?

Let's share the experience at the comment section.

Needless to say, I'm Kaunda. I just love the Internet. I have a couple of YouTube videos on Digital Entrepreneurship, in case someone is interested. I also have a channel on programming (C++).

We can also get in touch on 0234809010.
