Monday, June 29, 2015

#empoexpiire - In which unicityd's mind changes

Another in the #empoexpiire series. (See the other posts here.)

In 2012, unicityd reconsidered something that he wrote in 2006.

I previously posted a defense of password expiration on this blog. Since that time, my perspective has changed and I no longer consider password expiration to be a useful security measure. Here is my reasoning...

By 2012, unicityd had concluded that the benefits of a password expiration policy are relatively minimal. unicityd also noted that password expiration policies encourage a potentially bad behavior:

Frequent password expiration encourages users to pick weaker passwords and/or write them down*. That means we have to weigh any potential benefit from password expiration against the negative consequences of poorer password selection and management. If the user writes his password down and stores it in an insecure location, it is vulnerable to any local attacker (e.g. malicious insiders).

unicityd doesn't object to passwords stored in a secure location. unicityd just objects to some common practices to remember passwords that frequently change. And I'll admit that I have been known to write a password on a piece of paper and keep it next to my computer monitor.

Alan Henry, who was often asked to perform urgent computer maintenance for someone who had already left for the day, was usually able to perform the maintenance anyway because his users left their passwords in easy-to-find locations. (Henry's article, incidentally, includes a picture of a computer with a Post-It Note that says "ADMIN / ADMIN." One would think that an admin would never use the password "ADMIN," but sadly there are admins who do this.)

One of Henry's stories:

I knew one person who put post-it notes [with her passwords] on the bottom of their chair—she was livid when she arrived one morning to find a colleague had borrowed her chair for an impromptu meeting in her office next door.

More of unicityd's thoughts on password expiration can be found here.