[I was unsuccessful trying to post this as a comment on the Securosis blog so figured I'd post it here instead.]
David Mortman at Securosis recently posted with the following challenge:
Show me any reasonable evidence that changing all your users’ passwords every 90 days reduces your risk of being exploited. No wonder they don’t always listen to us.
I think I can help in a general way, though I can’t determine whether the amount of risk reduction is worth the exercise, nor whether it is offset by other types of risk (maybe I’ll follow up on this part in another post).
Anyway, here is my first take:
As a credential providing access to a system, the password (and its corresponding ID) represents a vulnerability in the sense that an inappropriately used password (e.g. successful login by an intruder) results in the compromise of the system. Therefore, there is a positive relationship between the vulnerable state of a system and the number of available credentials (IDs + passwords) on the system.
Every connection attempt to a system – authentication being one mechanism used to connect – has some positive likelihood of being an attack in the sense that it provides an opportunity for the source of the connection to compromise the system. Assuming that connections continue to occur over time, every new connection increases the likelihood of a successful attack.
The likelihood of an attack is, in turn, affected by the availability of (and access to) the password in either its stored state (e.g. as a hash in a file on a system) or during its presentment (e.g. on authentication or to a phishing site). Following the same logic as the compromise process above, more access to the password increases the risk that a password is “compromised” itself – i.e. a credential is stolen.
It follows that the likelihood of compromise increases with the availability of the password. Availability increases over time. And so the longer a password remains on a system, the more likely it is to be compromised.
A password reset operates like an elimination of one vulnerability (existing password) and the creation of a new one (new password). This “resets” the availability clock to a lower likelihood and therefore a lower risk (on the threat side of the equation).
The question of whether a 90 day reset makes sense is a function of the amount of risk you are willing to tolerate as the likelihood of compromise increases over time (which is positively correlated with the availability of the password) based on the number of passwords on the system and the volume of authentication-connection activity.
@ds -
You make a good point. See here for a previous take on it: http://spiresecurity.com/?p=355. I would point out, as I tried to in the previous article, that there is more to password compromise than the crack itself. I would assert that the crack is much less common than the phish and that my argument still holds up with phishing. In addition, we shouldn’t forget the time/effort it takes to get the hash prior to the crack.
“Best practice” is a tricky concept but I agree some sort of multifactor auth solution would fit. I just don’t believe the risk is particularly high for many of the things we require passwords for and so “best” is unnecessarily costly and “reasonable” would work fine.