Friday, April 14, 2017

#empoexpiire Don't ask why when the 90 day password expiration policy comes up

A little over a year ago I wrote a post that included the following:

Some time last year, I ... tried to re-access a ... service that listed government business opportunities. I ran into hassles and dropped the matter until now.

I knew my login name for the service, but could not recall the password. I tried a number of possible passwords, none of which worked. So I went to the service's reset password option, which would email me procedures to reset my password. I would receive that email within a few minutes.

I never received the email.

After some thought, I realized why I didn't receive the email. Over the last eight years, I have had four different work email addresses, and three of those addresses are no longer operational....

So I went to the service's support website, which required me to set up a separate support account. (Did I mention that the first site listed government business opportunities?)

Once I had set up the support account, I contacted a person who was very helpful, and who confirmed that my account was linked to one of those three non-existent email addresses. The support person also noted that they were not authorized to modify email addresses on accounts, and that I would therefore have to set up a separate account with a new user name....

So why haven't [I] created a new account with a new user name for this particular service? Because of the sentence at the end of the support email.

"Passwords must be changed every 90 days or your account will be disabled."

As I've previously noted, others - most notably a (presumably now former) Federal Trade Commission official - think that 90 day password expiration policies are useless and dangerous.

So I never set up that account in 2016, but I did set up that account in 2017 because I had to.

How long ago did I set it up?

Oh, about 80 days ago.

So you can guess the email that I recently received. Yup, time to change my password.

When I went to the website in question, I was kinda sorta curious about WHY I had to change my password every 90 days, and perform all of the other rigamarole associated with this. It turns out that I - and you - have to go through this hassle because GSA Order CIO P2100.1 says so.

So what's GSA Order CIO P2100.1? I found a link to it here, downloaded the PDF from the link, and found the applicable section.


This chapter provides the basic technical control security policy statements for GSA systems. Technical Controls provide specific guidance on security controls and technical procedures used to protect GSA IT resources. The policy statements are derived primarily from OMB Circular A-130 and are integral to an effective IT security program. The manner in which these controls are implemented depends on the risks, sensitivity, and criticality associated with the specific systems and data involved. In some cases, basic security policy controls may need to be modified or supplemented in order to address application-specific or system-specific requirements. The following paragraphs provide specific policy on controls for identification and authentication, access control, auditing, and others.

1. Identification and authentication. All GSA systems must incorporate proper user identification and authentication methodology. For mobile devices, refer to 1.b(4) below.

a. Authentication schemes must include multifactors using two or more types of identity credentials (e.g. passwords, SAML 2.0 biometrics, tokens, smart cards, one time passwords) as approved by the Authorizing Official and in accordance with the security requirements in the subparagraphs of this paragraph.

b. An authentication scheme using passwords as a credential must implement the following security requirements:

(1) Passwords must contain a minimum of eight (8) characters which include a combination of letters, numbers, and special characters. Accounts used to access Federal Desktop Core Configuration (USGB) compliant workstations (i.e. Windows XP and Windows Vista) must contain a minimum of sixteen (16) characters but do not have to contain a combination of letters, numbers, and special characters.

(2) Information systems must be designed to require passwords to be changed every 90 days.

And so on and so forth.
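To make the two quoted requirements concrete, here is a small policy-as-code rendering of 1.b(1) and 1.b(2): the complexity check for ordinary accounts, the length-only rule for the workstation accounts, and the 90-day rotation deadline. This is an added illustration, not code from GSA, the order, or the original post; the `Account` record, the `fdcc_workstation` flag and the sample dates are constructed for the example.

```python
"""Policy-as-code rendering of GSA Order CIO P2100.1, Section 5, para 1.b(1)-(2).

Added illustration only; not GSA's implementation. The Account type, the
fdcc_workstation flag and all sample values are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List
import string

ROTATION_DAYS = 90          # 1.b(2): passwords must be changed every 90 days
GENERAL_MIN_LEN = 8         # 1.b(1): eight characters, letters + numbers + specials
WORKSTATION_MIN_LEN = 16    # 1.b(1): FDCC-compliant workstation accounts, no class mix required


@dataclass(frozen=True)
class Account:
    username: str
    password_set_on: date
    fdcc_workstation: bool = False   # constructed flag selecting the 16-character rule


def complexity_violations(password: str, fdcc_workstation: bool = False) -> List[str]:
    """Return the 1.b(1) requirements the password fails; an empty list means compliant."""
    problems: List[str] = []
    if fdcc_workstation:
        # The order waives the character-class mix for these accounts; only length applies.
        if len(password) < WORKSTATION_MIN_LEN:
            problems.append(f"shorter than {WORKSTATION_MIN_LEN} characters")
        return problems
    if len(password) < GENERAL_MIN_LEN:
        problems.append(f"shorter than {GENERAL_MIN_LEN} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def days_until_expiry(account: Account, today: date) -> int:
    """Days left before 1.b(2) forces a change; negative means the account is overdue."""
    deadline = account.password_set_on + timedelta(days=ROTATION_DAYS)
    return (deadline - today).days


def accounts_due_for_rotation(accounts: List[Account], today: date, warn_days: int = 10) -> List[str]:
    """Usernames whose deadline falls within warn_days or has already passed."""
    return [a.username for a in accounts if days_until_expiry(a, today) <= warn_days]


if __name__ == "__main__":
    # Constructed sample: one account set ~80 days before the post date, one set recently.
    sample = [
        Account("blogger", date(2017, 1, 24)),
        Account("newhire", date(2017, 4, 1), fdcc_workstation=True),
    ]
    today = date(2017, 4, 14)
    for acct in sample:
        print(acct.username, "days until forced change:", days_until_expiry(acct, today))
    print("reminder emails go to:", accounts_due_for_rotation(sample, today))
    print("violations for 'password':", complexity_violations("password"))
```

The reminder logic is where the "time to change your password" email in the post comes from: an account set up on January 24 hits its 90-day deadline on April 24, so a 10-day warning window fires on April 14.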

So now the question is, WHY does GSA Order CIO P2100.1, Section 5, Paragraph 1.b.(2) require me - and you - to change our passwords every 90 days? Well, it seems like this is because OMB Circular A-130 says so.

So I began to search for OMB Circular A-130 - which was a bit difficult because the OMB is effectively part of the White House organization, and the whole website was jettisoned on January 20, 2017 when we got a new President. However, the old information was preserved at a site called, and that's where I found this page dated July 27, 2016.

Summary: Today, OMB is releasing an update to Circular A-130, the Federal Government’s governing document for the management of Federal information resources.

The page contained two helpful links with wording like this:

Today the Office of Management and Budget (OMB) is releasing an update to the Federal Government’s governing document for the management of Federal information resources: Circular A-130, Managing Information as a Strategic Resource.

The Circular can be previewed HERE and is effective July 28, 2016.

So I clicked on both of the links...but I didn't get OMB Circular A-130. Instead, I got a PDF ANNOUNCEMENT about OMB Circular A-130's availability.

I then searched, but couldn't find the elusive document.

Frankly, I question whether OMB Circular A-130 even exists. And I'm not the only one:

For those of you who believe everything you read, I generated that via the Fake Trump Tweet website. (Or did I?)

But I did change my password on the original subject website. I won't tell you the language that I used in the new password, but suffice it to say that the service would not want to hear me speak it out loud.
