From: Navjivan Pal <nxp569@student.bham.ac.uk>
To: Password Manager <passwordmanager@contacts.bham.ac.uk>
Timestamp: 2019-04-29T14:38+01:00

See: https://www.theregister.co.uk/2019/04/25/microsoft_password_expiration_windows/?fbclid=IwAR0iI64hHaoLZlRLU8ajqTUFwDGm0d2euJ8SvOFM8G7z20YqNWaVhIbODYs

From: Chris Bayliss (IT Services) <c.b.bayliss@bham.ac.uk>
To: Navjivan Pal <nxp569@student.bham.ac.uk>
Timestamp: 2019-04-29T16:14+01:00

Hi

Thanks for drawing this to our attention; it is always useful to know when one of these pops up.

They do tend to churn out the same old arguments citing research that makes outdated assumptions about attack modes and others of questionable validity. Microsoft do not have a good record in the area of security and passwords and the Register is not known for academic rigour. Fortunately they appear to be leaving the option of password ageing.

See the following for an explanation of our policies.

https://blog.bham.ac.uk/itsecurity/2017/03/14/password-policy/

From: Navjivan Pal <nxp569@student.bham.ac.uk>
To: Chris Bayliss (IT Services) <c.b.bayliss@bham.ac.uk>
Timestamp: 2019-04-30T10:48+01:00

Hi, Chris,

Thanks for taking the time to respond. I appreciate it despite still disagreeing with your policy. One wonders why password expiration policies are still implemented when NIST, NCSC, Canonical, etc. repeatedly tout evidence against them. You may be interested to know that the School of Computer Science has no such policy in place for their local user accounts.

Regards,
Jivan Pal

From: Chris Bayliss (IT Services) <c.b.bayliss@bham.ac.uk>
To: Navjivan Pal <nxp569@student.bham.ac.uk>
Timestamp: 2019-04-30T12:08+01:00

Hi

My article did explain some of the reasoning behind our password policies in our environment. If you feel that the reasoning is faulty by all means let us know why. (No one from CS has so far done so). The problem with NCSC et al is that evidence touted against password changes is combined with unfounded assertions to negate balance and the positive effects.

The security community is pretty much divided on the issue, broadly speaking, with theoreticians favouring no password ageing and practitioners favouring ageing.

There has been excellent research into problems caused by over-frequent password changes. However, conclusions have persistently been drawn in conjunction with the following assertions, which are very outdated:

  1. Attacks will be based on cracking passwords.
  2. Attacks will be personally aimed at individuals.
  3. A compromised password will be used (and therefore detected) immediately.

Looking at the NCSC reasoning, it appears that some of these assertions have been carried through in their reasoning.

Forcing password expiry carries no real benefits because:
(1) the user is likely to choose new passwords that are only minor variations of the old

Whilst not ideal, when virtually all passwords are stolen through phishing, why does this matter? The attacks are not targeted at individuals and the passwords are not being cracked.

(2) stolen passwords are generally exploited immediately

This does not appear to have any basis in reality. Some are exploited immediately, many are not. In a recent example, out of 75 account/password pairs stolen through phishing supplied to us as a result of a hacked phisher database, 44 were current with no detected misuse two months after the attacks.

(3) resetting the password gives you no information about whether a compromise has occurred

Why does this matter? If it is mopping up undetected passwords, it is of benefit. Leaving an account compromised until it is detected would not be sensible.

(4) an attacker with access to the account will probably also receive the request to reset the password

So what? If the attacker changes it the user will notice when they get locked out. Otherwise, the attacker will get locked out.

(5) if compromised via insecure storage, the attacker will be able to find the new password in the same place

This is not really relevant when the vast majority are phished; it is only relevant for the tiny minority of cases where compromise is via insecure storage.

Yes, I was aware that the School of Computer Science has chosen to flout the University Security policy :-). I have yet to hear any rational justification of this from anyone in that department.
It may come as some surprise that CS students and staff are not immune to cybercrime.

Chris