I find it very interesting when an article debunks itself while talking about debunking myths. If you have not read the recent Network World article titled “13 Security Myths You’ll Hear – But Should You Believe?” you can read it here:
While most of the “myths” are very obvious to anyone who has worked in computer support for very long, one of them I found quite interesting. The third “myth” referenced in the article is, “Regular expiration (typically every 90 days) strengthens password systems.” First, while I completely disagree that this is a myth taken within the context of a complete security system including proper user training, it appears that the article itself debunks the debunking of this “myth”. Note the following from myth number 6, “He adds that while 30-day expiration might be good advice for some high-risk environments, it often is not the best policy because such a short period of time tends to induce users to develop predictable patterns or otherwise decrease the effectiveness of their passwords. A length of between 90 to 120 days is more realistic, he says.”
Now here’s the reality of it from my perspective. If you never change passwords, an internal employee can brute passwords for months and even years until he gains access to sensitive accounts. If you change passwords every 90+ days while having strong passwords that are easy to remember, you accomplish the best security. Strong passwords that are easy to remember can take weeks or months to back with brute force. For example, the password S0L34r43ms3r is VERY easy to remember, well it’s easy for me to remember, but you have no idea why. Brute forcing this password would take months with most systems. Therefore, I have a strong password. If I change it every 90-120 days, I will have a good balance of security and usability.
Does every employee need to change his or her password every 90-120 days? No, certainly not. Some employees have access to absolutely no sensitive information. We can allow them to change their passwords either every 6-12 months or never, depending on our security policies. The point is that different levels of access demand different levels of security.
While I felt the article was very good and it did reference some research to defend the “myth” suggested in relation ot password resets, the reality is that the article and the research (which I’ve read) does not properly consider a full security system based on effective policies and training. Granted, few organizations implement such a system, but, hey, we’re only talking theory in this context anyway, right? It sure would be nice if security could move from theory to practical implementation in every organization, but it hasn’t. The reason? By and large, because most organizations (most are small companies) never experience a security incident beyond viruses, worms and DoS attacks. That’s just life.