5. Benefits of Password Expiry
OxCERT have come across cases where an account has been compromised without the owner spotting that it is being used by someone else, sometimes over a period of several months. It is likely that many incidents go undetected and abuse of accounts only ceases upon password expiry. Additionally, compromised accounts are not always used immediately following the breach - so password expiry can reduce the window of opportunity for the buyer of stolen Oxford account details.
How many people make sure that all their passwords are deleted from a computer sold or sent for repair/recycling? Old machines that are poorly maintained are classic targets for network attack - maybe a PC that has been handed from parent to child (or vice versa these days) or from recycling scheme to hard-up student - and could well have lots of old passwords cached in the email settings, web browser cache, personal keystore, and so on. Password expiry is effective in many of these cases as the timescales involved are comparable, particularly as there is often a delay between decommissioning and disposal of old systems.
In many incidents, the risk of abuse as a result of password disclosure is high, and an immediate password change is required. In other cases, the risks are relatively low but non-zero, and may increase slowly over time. Some incidents of this nature may occur relatively frequently but may affect a large proportion of users.
Such an incident occurred in 2009. With a password expiry system in place it was felt that the risks were satisfactorily managed by using expedited password expiry for users known to be affected and standard password expiry to render useless those passwords possibly exposed over the following months. Without an existing password expiry system, it may have been considered necessary either to introduce one or to force more disruptive immediate password resets upon a large number of users.
It is quite common for new users to set a preferred password on all the systems they will access, leading to two problems. Firstly, one of the systems may well store the password in a weaker form that is more readily compromised. Secondly, compromise of the password on one system (possibly the weakest) immediately compromises account security on the other systems where the user has chosen the same password.
Password expiry cannot prevent disclosure of passwords as a result of malicious or flawed software. When these problems are identified by OxCERT it is necessary to ensure that users change their passwords as soon as possible. Through password expiry, users are likely to be familiar with our password-changing mechanisms and procedures.
Requiring users to set a new password on a regular basis means that changes to the underlying systems can be rolled out transparently. Rekeying (e.g. hashing or encrypting the typed password with new, stronger algorithms), changes in complexity requirements, and refresh/propagation/resynchronisation of details across systems can all take place without needing to carry out an explicit user campaign.
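The mechanism behind the last two points (expedited expiry for known-affected users, and transparent rekeying to a stronger storage scheme when the user is made to change their password) can be shown in a small password store. The following is an added example written for this page, not OxCERT's own code or procedure; the scheme labels, the PBKDF2 parameters, the 365-day and 7-day intervals, and the FakeClock used to drive expiry are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed scheme labels and parameters (hypothetical; not taken from the page).
LEGACY_SCHEME = "sha1-unsalted"      # weak legacy storage inherited from an older system
CURRENT_SCHEME = "pbkdf2-sha256"     # stronger scheme every new password is stored under
PBKDF2_ITERATIONS = 600_000
STANDARD_MAX_AGE = 365 * 86400       # standard expiry interval, assumed
EXPEDITED_MAX_AGE = 7 * 86400        # expedited interval for known-affected users, assumed


@dataclass
class Record:
    scheme: str
    salt: bytes
    digest: bytes
    expires_at: float


def compute_digest(scheme: str, password: str, salt: bytes) -> bytes:
    """Derive the stored digest for a given scheme (the legacy one ignores the salt)."""
    if scheme == LEGACY_SCHEME:
        return hashlib.sha1(password.encode("utf-8")).digest()
    if scheme == CURRENT_SCHEME:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    raise ValueError(f"unknown scheme {scheme!r}")


class PasswordStore:
    """Per-user records carrying an expiry time; every password change rekeys to CURRENT_SCHEME."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised without waiting
        self.records = {}

    def import_legacy(self, user: str, legacy_digest: bytes) -> None:
        """Load a record from an older system as-is; it is rekeyed at the next password change."""
        self.records[user] = Record(LEGACY_SCHEME, b"", legacy_digest,
                                    self.now() + STANDARD_MAX_AGE)

    def set_password(self, user: str, password: str) -> None:
        """The user-driven change: fresh salt, current scheme, expiry clock restarted."""
        salt = os.urandom(16)
        self.records[user] = Record(CURRENT_SCHEME, salt,
                                    compute_digest(CURRENT_SCHEME, password, salt),
                                    self.now() + STANDARD_MAX_AGE)

    def expedite_expiry(self, user: str, max_age: float = EXPEDITED_MAX_AGE) -> None:
        """Pull a known-affected user's expiry forward without touching the stored digest."""
        rec = self.records[user]
        rec.expires_at = min(rec.expires_at, self.now() + max_age)

    def verify(self, user: str, password: str) -> str:
        """Return 'bad', 'expired' or 'ok'; an expired password is never accepted."""
        rec = self.records.get(user)
        if rec is None:
            return "bad"
        if not hmac.compare_digest(rec.digest, compute_digest(rec.scheme, password, rec.salt)):
            return "bad"
        if self.now() >= rec.expires_at:
            return "expired"
        return "ok"


class FakeClock:
    """Constructed clock for the demonstration; advance() moves time forward in seconds."""

    def __init__(self, t: float = 1_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list:
    """Walk one account through import, expedited expiry and rekeying; return the observed states."""
    clock = FakeClock()
    store = PasswordStore(now=clock)
    # Constructed legacy record: the password as an older, weaker system stored it.
    store.import_legacy("alice", hashlib.sha1(b"correct horse").digest())
    out = [store.verify("alice", "correct horse"), store.records["alice"].scheme]
    # Known-affected user: expedited expiry renders the old password useless within days.
    store.expedite_expiry("alice")
    clock.advance(EXPEDITED_MAX_AGE)
    out.append(store.verify("alice", "correct horse"))
    # The forced change rekeys under the current scheme with no separate migration campaign.
    store.set_password("alice", "battery staple")
    out += [store.verify("alice", "battery staple"), store.records["alice"].scheme,
            store.verify("alice", "correct horse")]
    return out


if __name__ == "__main__":
    print(demo())
```

The record keeps its own scheme label, so a system can hold a mix of legacy and current digests and still authenticate every user; the upgrade happens only where the page places it, at the user's next password change, and expiry is what guarantees that change arrives within a bounded time.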