Friday, May 31, 2013

Password Security and the Minimum Password Age

Everyone has their favorite (or least favorite) password rule.  Just google password rules, and you'll find all kinds of things we inflict on our users.  Some sites require the use of special characters, while others prohibit them.  Upper, lower, numbers, symbols, length, change every 30/60/90 days, can't use the previous 3/5/10 passwords, no dictionary words, and so on.

There are a couple webcomics on xckd that address the issues of password strength and password reuse.  Go read them; they're great.  And then read a couple dozen randomly selected comics on the site, and if you remember to come back, the rest of the post with my point will be here waiting.

One of the most interesting to me is that of minimum password age.  We're all familiar with the maximum age - it's been 90 days, time to change it or you'll be locked out.  Whether it's effective to change a good password at all is debatable, but not the conversation for today.  The thing about not reusing a previous password is fairly common.  But why would you want to set a minimum password age?  That is, a certain amount of time needs to pass before you're allowed to change it again.

Let's go to an example.  There's a system I use that requires me to change passwords every 6 months.  Fair enough.  You can't reuse any of your last three passwords.  Okay.  The idea, then, is that you use one password for 6 months, a second for 6 months, a third for six months, and a fourth for six months, so two years later (or 18 months, depending on how you do math) you can switch back to your original password.  If someone had stolen that original password, they'd have to wait a long time to use it, assuming you ever switched back to it.  If it's been a couple years, maybe you're 'over' that password.

But what if it's been six months, and you're not over your first password?  So you change it, because you're forced to.  Only you change it three or four times to random whatever passwords that you don't even keep in your short term memory longer than to immediately change it.  You cycle through your throwaway passwords until the queue of previously used passwords is cleared, at which time you can set it back to your original password.

Stop and think about that for a second.  Without a minimum password age, which requires you to wait an hour, a day, two weeks, a month, or whatever you set it to, you can quickly cycle through 3, 5, or even 10 passwords to clear your preferred password from the queue in a matter of minutes.

Requiring a minimum password age of 1 month, with 5 previous passwords saved, means the quickest you could get back to your old standby would be 5 months.  If you've gone 5 months, chances are by then  you're over the old password.  Someone would have to have a pretty sustained interest in getting their old password back quickly to wait that long.

So if you're in the camp that a good password is a good password and need not be changed unless something has happened, and there's no minimum password age, you can rotate quickly through enough passwords to clear the list and go back to your original one.  On the other hand, if you're managing the system and setting password policies, if you decide you want users to have to change their password (and that's a big IF for another day), only let them change it once every so often with a minimum password age.

3 comments:

Anonymous said...

Sorry to rain on your parade. This is a lame argument for minimum password age.

Several times I've changed a password only to realize I don't like it for one of several reasons - difficult to type *a lot*, inconvenient to remember, etc. For someone who uses all 4 common categories of complexity requirements, having to wait and change my password is a hassle.

Worse, suppose I have reason to believe the password was compromised during that time - I can't change it.

A much more user-friendly policy is just to increase the password history to a large number (25 for example). I doubt very much that users will cycle through 25 long complex passwords just to get back their original password.

Thanks for giving me a page where I can vent my frustration on this policy! :)

jowdjbrown said...
This comment has been removed by a blog administrator.
Ellick said...

I must confess something: As a software engineer for Unisys I designed 'minimum password age' for the Unisys A Series mainframes in 1986 for exactly the reason described in this blog post. This was done with all the constraints of limited password history storage capacity at the time.

During the C2 evaluation of the mainframe series, this control also made it back into one of the Rainbow Series books. Little did I know that this fact would cause Microsoft later on to implement this in Windows to obtain a C2 evaluation as well!

If I would design this today, I would come to a very different solution, believe me.