I have been writing a mini-series about passwords over on CyberAwake and each time I think I have finished, something in the news causes me to write another chapter, which brings me to password fatigue. Just yesterday I was in a Teams meeting with a new client, where they were telling me how their previous IT Support company “insisted” that Microsoft 365 passwords were set to expire after 60 days. This had been causing the staff hassle since probably about 120 days after the old IT support supplier had started their contract! Could we change it?
What is password fatigue?
Here is my definition:
“Password fatigue is the feeling experienced by many people who are required to recall large numbers of passwords as part of their daily routine. This fatigue can be increased by the automated requirement to change perfectly secure passwords on a regular basis. Both situations can have a negative impact on an organisation’s cyber security.”
For an answer to the “remembering issue” look here.
Password fatigue can often lead to users choosing simple, less secure passwords or reusing passwords across different services. Because the administrator has decided everyone will change their passwords after X days, causing the automated expiration of a perfectly good password, patterning starts to emerge in the password structure across a whole organisation – “I’ll add #01 in January, #02 in February, etc.”. (Zhang, Monrose and Reiter. 2010).
The regular forced changing of passwords, seemed like a good idea when it was introduced, but human behaviour soon disrupted the perceived extra security and academic research then showed that the security benefit was “questionable”. (Chiasson and Van Oorschot. 2015).
If a password has been compromised, it has probably been exploited long before any automated change could protect a system from attack. Also, the automated changing of user passwords can make the user less vigilant when it comes to password security, as they “know” the system takes care of it for them!
Could we change it?
The fast answer was obviously “yes” – as we never enforce password expiration. We only change passwords when actually required. As you can see from the above, password fatigue is a problem that every sysadmin, manager and cyber security expert has to be aware of.
I am going to finish this password article off with a quote from Bruce Schneier:
Frequent Password Changes Is a Bad Security Idea
I’ve been saying for years that it’s bad security advice, that it encourages poor passwords
Bruce Schneier – Schneier on Security Blog
If you have automatically expiring passwords anywhere, now is the time to take action and properly manage your password cyber security – or contact us for some help.
CSC 11 October 2023
References
Zhang, Y., Monrose, F., & Reiter, M. K. (2010). The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM conference on Computer and communications security (pp. 176-186).
Chiasson, S., & Van Oorschot, P. C. (2015). Quantifying the security advantage of password expiration policies. Designs, Codes and Cryptography, 77, 401-408.
Further Reading
Password Mini-Series – CyberAwake
Photo by Ketut Subiyanto
