Friday, 12 December 2008

Password Changing

I have been quantifying IS risk for some time now. On that note I have a paper topic I am writing for next year on password security. In contradiction to the myth, changing passwords turns out to not be a good idea.

Forcing password changes is a cost. The only events where a password change should be mandated are:

  1. Known or “reasonably certain” compromise
  2. Shared devices
Adding effective password controls is more effective then password changing. In fact, the benefit of a password changing regime is negligible and even reduces the complexity of the average password.

There are many reasons for this and the value of the cost function changes with the technical capability and awareness levels of the user (interestingly with a risk in the end tail for highly aware users). I will be detailing these with a quantitative model in the next year. The effects are something like the poor ASCI art demonstrated below. In this graph, the x-axis represents technical capability generally (not just security). The y-axis is the associated cost mean with a password change process.

******* *
************ *****
*************** *********

Cost functions are measured in both pure economic and survival times (using a lambda function). What can be demonstrated is that there is an inflection point of knowledge where experienced and knowledgeable users start to bypass the controls and mitigate the control benefit.

The benefits of not changing passwords decrease after 12 months to near zero difference (that is the optimal strategy if password changing is mandated is 12 monthly.

The benefits also increase as password size increases. This starts to level off after 12 character passwords.

One thing noted is that users will form password patterns that can be guessed and even used to determine passwords (from encrypted data). Even with complexity, password changing at 30 days has demonstrated that over 65.4% (SE +/- 4.56, Australian companies only tested) of users maintain what is in effect the same password with cosmetic changes based on some formula (ie, passw0rd1!, passw0rd2!, passw0rd3!).

These passwords are also generally used on multiple systems and a common component of them can remain on systems where no change occurs aiding in cracking the others.

The data is based on an analysis of the practices of over 300 companies (from SME’s to listed’s). The total user base tested is over 115,700 people and the data has been collected over 4 years.

No comments: