Sat Aug 16 06:08:58 PDT 2014

Miscellaneous: Password changes: What is a rational policy for requiring password changes?


Options:

Option 1: Never change passwords.
Option 2: Change passwords when there is a specific reason to do so.
Option 3: Change passwords at convenient system changeover times.
Option 4: Change passwords at regular intervals.

Decisions:

IF the mechanisms make password changes unmanageable and other mitigating controls can be put in place, THEN never change passwords,
OTHERWISE IF there are regulatory or contractual mandates requiring periodic changes, THEN change passwords at regular intervals,
OTHERWISE IF different people will be working on replacement systems or a regular change control window is used for updates and a password change is called for, THEN change passwords at convenient system changeover times,
OTHERWISE Change passwords when there is a specific reason to do so.

Basis:

Never change passwords.
"Never say never" may apply here. In some cases changing passwords may not reduce exposures, but these cases are rare. For example, for a physically secured system without external user access and where only authorized users have physical access to the location with the computer, password changes may be of little or no value.

Change passwords when there is a specific reason to do so.
Changing passwords whenever there is a specific reason to believe that there is an exposure is clearly a sensible idea. But if carried to extremes may be too expensive for the level of the exposure. This approach calls for knowing when an event has occurred and what systems may be affected by it. Examples of events causing obvious exposures include the movement of an employee from one job to another, a known computer break-in, or a change in key personnel. In each case, access in excess of that necessary for the users' job functions are caused by their ability to access accounts using known passwords. Figuring out which systems may be affected is somewhat complicated by interdependencies of systems and commonalities between systems. For example, if a file server password is exposed, it may affect all of the systems that use that file server. If the same user has access to multiple systems, they likely use the same or similar passwords on many of those systems and all of those systems are therefore exposed. There are many other similar examples.

Change passwords at convenient system changeover times.
There is nothing inherently wrong with this practice, and indeed all new systems should have all user passwords initially set to non-default values. But this does not address the other exposure issues and is thus of limited value.

Change passwords at regular intervals.
This is recommended by most security standards and thus widely accepted. There are, however, some problems with changing passwords at regular intervals. Some of the major problems include:

The basic reason to change a password is that the password in question may be known to an unauthorized user. The period of time between when an unauthorized user knows a password and when the password is changed represents a period of exposure to attack. The goal of password changes is to reduce this exposure. It is also important to consider that a fairly short exposure period can cause high consequences. In many cases, within seconds to minutes of an initial break-in, "back doors" are put in place to allow reentry to the system even if the passwords are changed. For this reason, simply changing passwords may not be an effective action when an exposure occurs.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved