4. Challenges against Password Expiry

4.1. Online banking services

Authentication to online banking services is typically done using something more complex than simple username/password. In most cases you are sent a user ID, and agree some secret in advance with your bank. You are then asked for your ID and a subset of the agreed secret information, provided through some sort of web form and, for an increasing number of banks, using an additional device such as a card reader. If you use several banks then you might have several IDs, several secrets, and several card readers. This kind of technology works well for a single web site, but doesn't readily transfer to email clients, desktop login, network file access, and so on.

4.2. Google Mail, Facebook, ...

There are lots of web sites where you log in with a non-expiring password, and may even then upload information that you intend to keep private. If your password is compromised then you stand to lose the security of any information held in your account, and an attacker may then go on to perform actions using your identity (if your email account is compromised then an attacker can typically use this to reset passwords on other sites that you use too). The key issue here is that the web site is typically only providing you with one service, so apart from the impact on their reputation and possible loss of a (non-paying) customer, they stand to lose very little. In contrast, Oxford University provides a wide range of services that would fall prey to a password compromise, and parts of the organisation place a lot of trust in the integrity of these services, so there is potential for large ramifications (think of the simple case of a student who cannot submit their essay because they cannot access their network file store).

4.3. Bank card + PIN

Chip-and-PIN is widespread now, and PINs do not expire. Why? This is a classic example of two-factor authentication: you need to have the card and know the PIN. As and when two-factor (or the more general case of multi-factor) authentication becomes available within Oxford then this is likely to also use permanent secrets.

4.4. Expiry was designed to thwart cracking tools, but passwords can be found and used within minutes now

One of the few recorded reasons for setting password expiry policies is that in the 1970s, government computers could attempt all possible combinations of a password within about 90 days. So password expiry was introduced and set to 90 days in order to thwart this. Gains in computer speed have arguably outstripped increases in password and algorithm complexity, but have also become largely irrelevant - many passwords are simply read off a user's PC after it has been compromised over the network, and others are collected by phishing schemes. This is not an argument against password expiry though - it is simply a recognition of the fact that password expiry is not, on its own, the complete solution to password compromise.

4.5. Password expiry notifications look like phishing emails

Users who remember to change their password regularly won't get these messages. We do try to word them carefully, to avoid the flaws typical of fake emails.

4.6. Forcing users to change their password on expiry just means they write it down on a post-it

Lots of users do write their password down and knowingly keep it where other people might readily discover it. Still more type their password into programs that store it on their computer - unknown to the user, but readily accessible to an attacker who gains access to their PC via a virus, vulnerability, or social engineering trick.

In fact it's often the complexity requirements that lead to writing the password down - people write their password on a post-it before they are even aware that there is an expiry policy, so the expiry policy can't be the underlying cause.
