Most of the time Graham Cluley gives good advice regarding computer security (his Smashing Security podcast is both entertaining and informative), but I think he is wrong about workers who simply iterate their passwords when asked to change them on an arbitrary schedule.
Cluley writes,
So it’s important to ensure that all your passwords are unique, as well as being impossible to guess and hard to crack.
But that doesn’t mean it’s good enough just to make a minor change to your passwords.
A survey of 200 people conducted by security outfit HYPR has some alarming findings.
For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.
Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users’ tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.
There are a number of things wrong with this analysis.
First, while it is almost always better to rely on password managers rather than memory to keep track of passwords, there are some situations where this is not feasible.
For example, the company I work for assigns me a single sign-on (SSO) username and password that I use not only to log in to company resources, but also to unlock my company-provisioned laptop.
In that case I need a password I can memorize. I would argue that pulling out, say, a mobile phone, opening my password manager, and then copying the password by hand into my laptop is far less secure than memorizing it, because I have to enter this password routinely throughout the day in meetings and in public places.
Second, as long as the memorized password is strong, there is little to no security implication for simply iterating the password when required to do so on an arbitrary schedule.
As Cluley himself notes later in the article, “I don’t believe it’s a good idea to force users to change their passwords unless there’s a cause for concern.”
So let’s say I have a secure passphrase along the lines of XKCD’s famous “correcthorsebatterystaple.” I have that memorized, and I only use it for my corporate SSO account. As Cluley points out, there’s no good reason to ask me to change that password every 3 months.
But, alas, that is what is going to happen. As long as this really is a routine change, meaning the old passphrase has not been exposed to anyone else, there is no good reason to believe that “correcthorsebatterystapleone” is any less secure than “correcthorsebatterystaple.”
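To make the two cases in this argument concrete, here is an added example (my own code, not from the original post, Cluley, or HYPR). It models a cracker who already holds the old passphrase and applies a small hand-written set of mangling rules to it, and sets that against the search space faced by an attacker who does not hold the old passphrase. The rule set and its ordering, the 2048-word list size (the comic's own 11-bits-per-word estimate), and the "fresh" replacement passphrase are my assumptions.

```python
"""Does iterating a passphrase weaken it?  It depends on one thing only:
whether the attacker already has the previous passphrase."""
import math
import re
from itertools import product
from typing import Iterator, Optional

# Constructed sample values.  OLD is the passphrase quoted in the post;
# FRESH is a made-up, unrelated replacement (my assumption).
OLD = "correcthorsebatterystaple"
ITERATED = "correcthorsebatterystapleone"
FRESH = "velvetcanyonlanternfrost"

XKCD_LIST_SIZE = 2048   # ~11 bits per word, the figure used in xkcd 936
NUMBER_WORDS = ["one", "two", "three", "four", "five",
                "six", "seven", "eight", "nine", "ten"]
SYMBOLS = ["!", "@", "#", "$", "?", "."]


def mutations(old: str) -> Iterator[str]:
    """Candidates an attacker who already holds `old` would try, cheapest first.

    A small hand-written rule set in the spirit of the mangling rules that
    cracking tools ship with.  The rules and their order are my assumption,
    not something the post or any real tool defines.
    """
    yield old
    # "iterate" in the literal sense: bump a trailing counter ("...3" -> "...4")
    m = re.fullmatch(r"(.*?)(\d+)", old)
    if m:
        base, num = m.group(1), m.group(2)
        yield f"{base}{int(num) + 1:0{len(num)}d}"
    for w in NUMBER_WORDS:                        # "...stapleone", ...
        yield old + w
    for d in range(100):                          # "...staple0" .. "...staple99"
        yield f"{old}{d}"
    for s in SYMBOLS:                             # "...staple!"
        yield old + s
    for d, s in product(range(10), SYMBOLS):      # "...staple1!"
        yield f"{old}{d}{s}"
    yield old.capitalize()
    yield old.upper()


def guesses_until_found(old: str, new: str) -> Optional[int]:
    """1-based number of guesses an attacker holding `old` needs to hit `new`,
    or None if `new` is not derivable from `old` by these rules at all."""
    for i, cand in enumerate(mutations(old), start=1):
        if cand == new:
            return i
    return None


def passphrase_bits(n_words: int, list_size: int = XKCD_LIST_SIZE) -> float:
    """Entropy of n_words drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def security_bits(old: str, new: str, n_words: int, old_leaked: bool,
                  list_size: int = XKCD_LIST_SIZE) -> float:
    """Work (in bits) the attacker faces to recover `new`.

    If the old passphrase never leaked, the attacker must search the full
    passphrase space whether or not `new` is a trivial variant of `old`.
    If it did leak, the work collapses to log2(guesses) for any variant
    the mangling rules can produce, while a fresh passphrase keeps its
    full entropy.
    """
    if not old_leaked:
        return passphrase_bits(n_words, list_size)
    g = guesses_until_found(old, new)
    if g is None:
        return passphrase_bits(n_words, list_size)
    return math.log2(g)


if __name__ == "__main__":
    for label, new in (("iterated", ITERATED), ("fresh", FRESH)):
        for leaked in (False, True):
            bits = security_bits(OLD, new, n_words=4, old_leaked=leaked)
            print(f"{label:8} old_leaked={leaked!s:5} -> {bits:5.1f} bits")
```

Running it prints 44 bits for both the iterated and the fresh passphrase while the old one is private, 1 bit (two guesses) for the iterated one once the old passphrase has leaked, and 44 bits for the fresh one even then. That is the whole argument in numbers: the suffix costs nothing on a routine rotation and everything after a compromise, which is exactly the case in which a forced change is justified.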
I could see someone saying, “Yes, that may be true, but if users get into the habit of simply iterating their passwords, they will also do that when we need them to change passwords because of a potential breach or other issue.”
And this would, in fact, be very bad. But that’s a problem created entirely by this practice of enforcing arbitrary password change schedules. If your security team is the proverbial boy who cried “change your password” over and over where there wasn’t a genuine threat, don’t be surprised when they don’t respond appropriately to the real thing.