When protecting app data, the default response for years has been passwords. And as long as a company's data is solely being defended by passwords, it makes sense to insist that they be changed regularly, no? Would not such mandated periodic changes shorten the life of the access-controls for thieves? Turns out that the answer is "no" to all of the above.
To the extent that passwords provide protection, forcing employees to change them regularly hurts fraud safeguards much more than it helps.
That point was made eloquently this month by the Federal Trade Commission's chief technologist, who has been fighting her FTC counterparts who insist on forcing password changes. To be clear, we're not talking about changing passwords after learning of a databreach. That's common sense practice and is a direct response to knowing definitively that bad guys have unlocked your list of passwords. No, we're talking here about changing for the sake of changing.
This also goes beyond the longstanding password complaint, which is that the more complex a password gets, the more likely the employee will write it down (ultra-evil) or will use a password-remembering program (less evil). The password-remembering-software approach suffers from the one-password-unlocks-all security flaw.
The main concern of the FTC's Lorrie Cranor is that employees, when forced to change their passwords regularly, don't actually come up with a meaningfully new password. What they more typically do is make a tiny—and predictable—change to the end of the password, such as adding "00" to it or "ZZ."
In an Ars Technica story based on a speech that Cranor gave, a study done by the University of North Carolina at Chapel Hill was discussed.
"The researchers obtained the cryptographic hashes to 10,000 expired accounts that once belonged to university employees, faculty, or students who had been required to change their passcodes every three months. Researchers received data not only for the last password used but also for passwords that had been changed over time," the story said. "By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like 'tarheels#1', for instance (excluding the quotation marks) frequently became 'tArheels#1' after the first change, 'taRheels#1' on the second change and so on. Or it might be changed to 'tarheels#11' on the first change and 'tarheels#111' on the second. Another common technique was to substitute a digit to make it 'tarheels#2', 'tarheels#3', and so on. The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds."
In other words, forcing password changes delivers mildly-changed passwords—which are easier to crack than had the original passwords been left alone.
I hate to keep bringing this discussion back to multi-factor authentication (I sometimes feel I should change my Twitter handle to MFAguy), but passwords are delightfully resistant to being improved. Every effort that logic says will make passwords better—adding more rules to make them more complex, insisting they be changed regularly, banning someone using a password they have previously used, etc.—only ends up making the jobs of cyberthieves easier.
Cracking an employee-selected password alone should never grant full system access—or whatever access that person's credentials unlock. Biometrics, some device, image-recognition or something else is necessary if you truly want to protect your app data.