Friday, May 31, 2013

Password Security and the Minimum Password Age

Everyone has their favorite (or least favorite) password rule.  Just google password rules, and you'll find all kinds of things we inflict on our users.  Some sites require the use of special characters, while others prohibit them.  Upper, lower, numbers, symbols, length, change every 30/60/90 days, can't use the previous 3/5/10 passwords, no dictionary words, and so on.

There are a couple of webcomics on xkcd that address the issues of password strength and password reuse.  Go read them; they're great.  And then read a couple dozen randomly selected comics on the site, and if you remember to come back, the rest of the post with my point will be here waiting.

One of the most interesting rules to me is the minimum password age.  We're all familiar with the maximum age: it's been 90 days, time to change your password or you'll be locked out.  Whether it's effective to change a good password at all is debatable, but that's not the conversation for today.  Password history rules, which keep you from reusing a previous password, are also fairly common.  But why would you want to set a minimum password age?  That is, why require a certain amount of time to pass before you're allowed to change your password again?

Let's go to an example.  There's a system I use that requires me to change passwords every 6 months.  Fair enough.  You can't reuse any of your last three passwords.  Okay.  The idea, then, is that you use one password for 6 months, a second for 6 months, a third for 6 months, and a fourth for 6 months, so two years after you first set it (or 18 months after you first had to change it, depending on how you count) you can switch back to your original password.  If someone had stolen that original password, they'd have to wait a long time to use it, assuming you ever switched back to it.  If it's been a couple of years, maybe you're 'over' that password.

But what if it's been six months, and you're not over your first password?  So you change it, because you're forced to.  Only you change it three times in a row (once for each slot in the history), to random throwaway passwords that you don't even keep in short-term memory longer than it takes to change again.  You cycle through your throwaway passwords until the queue of previously used passwords is cleared, at which point you can set it back to your original password.

Stop and think about that for a second.  Without a minimum password age, which makes you wait an hour, a day, two weeks, a month, or whatever you set it to between changes, you can cycle through 3, 5, or even 10 throwaway passwords and clear your preferred password from the history in a matter of minutes.

Requiring a minimum password age of 1 month, with 5 previous passwords remembered, means the quickest you could get back to your old standby would be 5 months: one month of waiting for each throwaway password the history has to hold before your old one ages out of it.  If you've gone 5 months, chances are you're over the old password by then.  Someone would have to have a pretty sustained interest in getting their old password back to wait that long.
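To make the "minutes versus months" difference concrete, here is a small simulation I've added for this post (it is not code from any real password system): a toy policy that remembers the last N passwords and enforces a minimum age between changes, plus a user who keeps setting throwaway passwords until the original is accepted again.  The history semantics are an assumption, chosen to match the common convention (Windows "Enforce password history") that the current password counts as one of the N remembered, so N new passwords have to be set before the original is free; days are plain integers, and the names `PasswordPolicy` and `days_to_reclaim` are mine.

```python
from collections import deque


class PasswordPolicy:
    """Toy model of a password-history rule plus a minimum password age.

    Assumption for this simulation: the history remembers the `history` most
    recent passwords including the current one, so a user must set `history`
    new unique passwords before an old one becomes reusable.  Days are ints.
    """

    def __init__(self, history, min_age_days, initial, set_on=0):
        self.min_age_days = min_age_days
        # Deque evicts the oldest remembered password once it is full.
        self.recent = deque([initial], maxlen=max(history, 1))
        self.last_change = set_on

    @property
    def current(self):
        return self.recent[-1]

    def change(self, new, today):
        """Try to set `new` on day `today`; return True if the policy allows it."""
        if today - self.last_change < self.min_age_days:
            return False            # minimum age not yet reached
        if new in self.recent:
            return False            # blocked by the password history
        self.recent.append(new)     # oldest remembered password falls off
        self.last_change = today
        return True


def days_to_reclaim(history, min_age_days, start_day=0):
    """Simulate cycling throwaway passwords to get "original" back.

    Assumes the original was set long enough ago that a change is already
    permitted on start_day.  Returns (day on which "original" is accepted
    again, number of throwaway passwords that had to be set first).
    """
    policy = PasswordPolicy(history, min_age_days, "original",
                            set_on=start_day - min_age_days)
    day, throwaways = start_day, 0
    while True:
        if policy.change("original", day):
            return day, throwaways
        if policy.change(f"throwaway-{throwaways}", day):
            throwaways += 1         # one more history slot cleared
        else:
            day += 1                # too soon to change again; wait a day


if __name__ == "__main__":
    for hist, min_age in [(3, 0), (5, 0), (10, 0), (5, 1), (5, 30)]:
        day, n = days_to_reclaim(hist, min_age)
        print(f"history={hist:2d} min_age={min_age:2d} days -> "
              f"original usable again on day {day:3d} after {n} throwaways")
```

With a minimum age of 0 the original is back on day 0 no matter how long the history is; with 5 remembered and a 30-day minimum age it comes back on day 150, which is the 5 months above.  In real systems the same two knobs are the Minimum password age and Enforce password history settings on Windows (also `net accounts /minpwage:N /uniquepw:N`), and on Linux `PASS_MIN_DAYS` in `/etc/login.defs` (or `chage -m N user` per account) together with `remember=N` on the `pam_pwhistory` module.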

So if you're in the camp that believes a good password is a good password and needn't be changed unless something has happened, and the system has no minimum password age, you can rotate quickly through enough throwaway passwords to clear the history and go back to your original one.  On the other hand, if you're managing the system and setting password policy, and you've decided you want users to change their passwords (and that's a big IF, for another day), only let them change it once every so often by setting a minimum password age.  Without one, the password history can be cleared in minutes and buys you nothing.