Why change passwords every 90 days?


Why changing passwords can be good.

We have all seen a policy of changing password every 90 days (or 30 days), We all know that staff hate to change passwords and this will even lead to more calls to the helpdesk.

So the question is why should you change password every 90 days?

One answer is about reducing the time that an attacker can use the password that they have stolen. I do see the logic, but having an attacker in your network for 90 days is still far from what we are aiming for, if you want to lock out an attacker who has a users password, then get 2FA (two factor authentication)

The other answer is, because the policy says we must. This feel like the old line from my mum, “If all the kids where jumping off a bridge…” Often the policy has not been thought through, it is simply that everyone else has a policy like this and so we should too.

Last of all we have compliance with your standard of choice (NZISM, US-DOD, PCI/DSS) This is one that you can’t easily get out of, but maybe you don’t need to comply with the standard.

Having users change passwords every 90 days may seem good, but we all know that this will result in users following other bad practices, such as writing passwords on post-it notes, or incrementing the number at the end of the password.

At this point you can see that I am against users being forced to change passwords, but the title of the post suggests that changing password can be good.

So far we have been looking at user passwords, but what of system to system passwords? They are often overlooked when enforcing policy, they often never change.

Some the core system to system (S2S) passwords in your environment may not have been changed for many years, and are likely known to technical staff who have left your organisation.

When you talk to the technical staff, they may not even know which systems have that password embedded in them. If you ask them to change a S2S password, you get a response about it being far too hard.

Now think about what would happen if you had an active attacker who has a system to system password? How can you change it when you don’t know where it is being user?

What would happen if we enforced the 90 day rule for the S2S passwords?

  1. The technical staff will try and kill you.
  2. They will change the password and things will break.
  3. They will automate the change to reduce workload.

Now you basically have a documented, repeatable process to change password for S2S accounts. Because it is automated you can have stronger passwords, and also are less likely to need to document them.

And if you need to change an S2S password during an incident, then it should be easy, as your technical staff do this all the time.

This all assumes that you have system to system passwords, whenever possable you should be using crypto keys of some kind, EG public/private keys for SSH or SFTP.

Forcing staff to change passwords is something that has had a lot of debate, but now you can debate changing system password too.