Monday, June 22, 2015

#empoexpiire - How password expiration policies solve another problem - but are they the best solution?

I'm writing about password expiration policies under the hashtag #empoexpiire (you'll note that I try to choose unique hashtags). And I'll admit that while they're a hassle from the user perspective, there can be some justifications for them. Let's look at a 2009 post by Matt Weir that, among other things, details a really good reason to have password expirations.

I can't name the number of places where I've gone back a year later for some reason and all my old accounts are still valid. Let's be honest, proper authentication revocation almost never happens when people leave, move on, or are promoted. This goes double for anyone who is a system admin, network admin, or basically has access to the good candy.

Think about this for a moment. If I, a mere mortal, leave a particular company, there's a chance that my account won't be deactivated. If I were a wise system administrator, and I left a particular company, there's an EVEN BETTER CHANCE that my account won't be deactivated. In other words, the people who have the knowledge - and the computer privileges - to do damage at a former employer are those who are most likely to still have the ability to do so.

What a password expiration policy does is to help automate authentication revocation. If someone hasn't logged in to the system in six months, then they are locked out regardless of whether someone remembered to delete their account or not.

Outstanding! If a company doesn't think to stop people from logging into accounts after they've left the company, then just force them out!

But there's a critical caveat here:

For this to work, though, you have to have true password expiration. You have to lock the account after a certain amount of time. If they log in two years later and all the system does is force them to choose a new password, this doesn't help. This actually can cause a lot of problems.

What's the better solution? As part of a company's standard procedures when an employee leaves the company, deactivate the danged account.
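As an added illustration (my own example code, not Weir's and not from any real identity system), here is a small Python model of the two policies the quoted passage contrasts, run over a constructed list of accounts: an inactivity check at 180 days (the "six months" above) that only flags the password as expired still lets the returning ex-sysadmin in, while one that disables the account does not. The account fields, names and dates are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INACTIVITY_LIMIT = timedelta(days=180)  # the "six months" in the quoted post
NOW = datetime(2015, 6, 22, tzinfo=timezone.utc)  # the post's date, used as "today"

@dataclass
class Account:            # hypothetical record shape for this example
    name: str
    is_admin: bool        # sysadmin/network admin: "access to the good candy"
    last_login: datetime
    enabled: bool = True
    must_change_password: bool = False

def stale_accounts(accounts, now, limit=INACTIVITY_LIMIT):
    """Audit: enabled accounts unused for longer than `limit`, admins listed first."""
    stale = [a for a in accounts if a.enabled and now - a.last_login > limit]
    return sorted(stale, key=lambda a: (not a.is_admin, a.name))

def expire_password_only(account, now, limit=INACTIVITY_LIMIT):
    """The weak policy Weir warns about: account stays enabled, user just picks a new password."""
    if now - account.last_login > limit:
        account.must_change_password = True
    return account

def lock_on_inactivity(account, now, limit=INACTIVITY_LIMIT):
    """True expiration: the account itself is disabled once the limit passes."""
    if now - account.last_login > limit:
        account.enabled = False
    return account

def attempt_login(account):
    """What the login gate does with each account state."""
    if not account.enabled:
        return "denied"
    if account.must_change_password:
        return "allowed after choosing a new password"
    return "allowed"

def sample_accounts(now):  # constructed data for the example, not real accounts
    return [Account("former_sysadmin", True, now - timedelta(days=400)),
            Account("active_admin", True, now - timedelta(days=3)),
            Account("former_intern", False, now - timedelta(days=200)),
            Account("current_user", False, now - timedelta(days=10))]

if __name__ == "__main__":
    for a in stale_accounts(sample_accounts(NOW), NOW):
        print(a.name, "| password-change only:", attempt_login(expire_password_only(a, NOW)),
              "| true expiration:", attempt_login(lock_on_inactivity(a, NOW)))
```

The audit list (`stale_accounts`) is the part worth running for real: it is the report that tells you which departed admins still have live accounts, independent of whichever expiration policy is in force.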

P.S. As I was typing this post, I remembered that I have sysadmin access to a particular third party service.

A service that also has another sysadmin.

Who has since left the company.

I bet you can guess what I'm going to do after I finish typing this sentence.