Archive for March, 2011

Online passwords: why don’t we have to change them periodically?

Posted in Online security, Password, Security on 2011/03/26 by mram

If I look at the password policies of the websites and services I visit online, then I notice they are about the same as the ones I find within companies. Of course there are bad examples, but most of them require that a password:

  • is at least 8 characters in length;
  • contains both lower and upper case letters;
  • contains at least one number;
  • contains at least one special character.

This is a Good Thing (TM) as with these rules you are forced to create a password that we consider to be strong. Strong passwords results in the password hash being hard to guess or crack in the case a hacker compromises the web server. And as we have seen website compromises happen a lot, even to the really big websites including the hoster of this blog.

But, there is one really big difference with the password policy in your office: in the office you are most likely required to change your password periodically. I still have to find the first website that enforces you to change your password periodicallly.

By the way, I bypass the option of using OpenID or some other federated online identity solution. I simply accept that websites with passwords will be with us for another few years.

Bad thing?

Is not having an password expiry function on online accounts a bad thing? I do think so, at least it is for the websites that you regularly use or are otherwise important to you. Why is this bad? Well, simply put it limits the time an attacker can misuse your account when compromised. And comprises happen as we have just seen.

Accounts are a potential threat for the IT systems as they provide some level of access. So, requiring you to periodically change your passwords ensures to the IT systems that even if an attacker is able to intercept someones credentials, or crack someones password, the attacker can only use it for the time the compromised password is the same as the current password.

This is many times combined with an account lockout procedure; when not having logged on for some time your account will get disabled. This is normally done to prevent old accounts to remain active (of employees that left the company for example) and to ensures to the IT systems that you still are an active user and that you need your access.

Both measures boil down to the thinking of ‘the less accounts on the system the better’. Both are impact limiting factors that are implemented by the ones that feel the pain when something goes wrong: the owner of the IT systems.

Online we feel the pain

But in our online social world this is turned around. We as end users feel the pain when our accounts are hacked, not the website owners. Their entire business model is based on people having accounts on their websites, it’s not seen as a risk. Having old accounts – even hacked ones – doesn’t hurt them.

If your account is hacked an attacker now has the ability to intervene with your online social life, or is able to see your financial data or even order something at that web shop. And to make it worse, we are totally dependent on the implemented security measures of the website to protect our accounts.

The website that provides us with the service will not feel the pain if a single account is hacked. By the way I say ‘a single account’ as they of course do feel the pain when their entire websites and all accounts are hacked. But in that case they had a bigger problem and a periodic password change policy will not help them.

Website owners don’t care

The important thing here is that the web sites don’t really care if your accounts gets hacked, only you care. So why should they include a policy that requires you to periodically change your password? Well, from their view point there actually are some reasons why they don’t want to:

  • There is no reliable password recovery procedure that makes sure they are contacting the real you. There is no help desk you can call and that can ask you your secret question. Forgot about sending an email as you probably have the same password for your email as you have for your online accounts (if so, you are an idiot and should start changing every password now!);
  • It is not a given that you use the service every day as you do with your computer in the office. So you may not be warned in time that your account will expire. This however can be easily circumvented by sending a simple informative email.
  • Together with the previous: website owners don’t want to scare users away. So if you use a service a few times a year, and you can’t log in because of the password being aged out or because they keep receiving emails about password aging, vendors may think that may scare the customers away as their service is less easy to use;
  • Vendors are scared to send out emails to their users about anything that has to do with passwords, as such actions may also be used by social engineering attacks. The easy choice then is to never send out emails about passwords, so a social engineering attack really stands out as soon as it happens.

So, nothing to win here for the website owner.

The only reason why they should include an account expiration function is because we as end users want them to! I want my online identity to be as guarded as much as possible. An account expiration is part of a good password policy. And if I’m not periodically reminded of the fact that my password hasn’t changed in the last few months, I will forget and end up with the same password as 5 years ago. And as website are constantly under attack, the security of my online identity is depending on the success of the security measures of the websites. I don’t like being fully dependent.

Solution

I want the website to remind me of my aging password. Yes I can remind myself using an agenda, but I think it’s redicilous that websites don’t see this as something they should do.

Maybe I don’t want the reminder for all websites that I have an account with, but at least for the ones that I find important as they store financial data (luckily my bank has two factor authentication), as they have parts of my credit card data as I frequently order stuff at their web shop, or as they area part of my online identity (WordPress, LinkedIn, Twitter to name just a few).

So, dear website makers. Please add a little tickbox to your ‘accounts’ sub site that allows me to remind myself to change my password. A reminder at login would be great and even a simple email that says ‘You haven’t changed your password in X days. Remember to do so the next time you login.‘ The email doesn’t need to have a hyperlink to your website so a social engineering attack is still less likely to happen.

Even if this is optional I would be very happy and I will respect you as a website that sees online security as a good thing. Just give me the option. Please!?