In a beautifully irreverent tone, Brian Barrett from Wired magazine took on the long-standing and much maligned “password expiration” policies that have become a mainstay in most modern businesses. You may know password expiration by its more familiar Active Directory message, “Your password will expire in 14 days. Do you want to change it now?” No. Sorry, force of habit. Most organizations and banks, in particular, have been good soldiers of security and implement impossibly difficult password requirements with astonishingly short expiration periods. All of this has led to a situation where users either come up with a creative means of barely altering a favorite password or they forget it all the time or they write it down. None are beneficial to actual security. These expiration policies more resemble flailing and yelling at an armed assailant. Sure it might work, but it’s just as likely to not work.
Whether you like the audited historical records approach to prove the theory or you prefer good ol’ fashioned mathematics, either way your password expiration policy is probably only annoying your users and not making your network any more secure.
But you have the same problem we have. Auditors. Yeah, I’m looking at you AICPA S3.2.b. We know you don’t say that we have to change our passwords all the time, but if we do set absurd password requirements AND expiration policy we’ll definitely get high praise during our audit. So we do it. We make our employees and contractors nuts. We constantly reset forgotten passwords and locked accounts. We know everyone writes them down somewhere, but we do it in the name of security…or at least in the name of passing the audit so we can send our bank customers a nice tidy audit report showing how secure we are.
So I have a request to all of my cohorts in banking and the FinTech world. Please copy down the URL to the Wired article (because Brian is way better at this than I am) and have it ready. Then when you have a quiet moment with a regulator or auditor at a trade show or panel discussion or executive roundtable or even during an audit, hand/email/text/IM that person the link. Encourage that person to read the article and all of the supporting research. Ask them if they think password expiration policy increases network or application security. Mention that this is something that doesn’t appear to be black and white in the regs and the important thing is security, not the appearance of security. Help them to understand we’re not trying to make their job worse; we’re just trying to spend our IT efforts on things that make a difference.
I’m a big fan of security, but only when it actually makes things more secure.