“CESG now recommend organisations do not force regular password expiry. [They] believe this reduces the vulnerabilities associated with regularly expiring passwords … while doing little to increase the risk of long-term password exploitation”
This is actually sane advice if, and only if, you follow all of it! There is more…
In a blog post called The problems with forcing regular password expiry they explain that the problem is essentially one of usability. Users cannot remember all the complex passwords they are forced to use, and worse, are forced to change them regularly.
As an aside, most complexity rules can be satisfied with $Password1, which when changed becomes $Password2, and so on. Not exactly difficult to guess! I use this password generator for clients in need of passwords.
To help, they have issued a brilliantly clear guidance document called Simplifying Your Approach. It sets out the case for using a single complex password for users. It also gives what it calls Tips, which I’d say should be mandatory in all Security Policies; I’ve extracted the essentials…
Tip 1: Change all default passwords
- Change all default passwords before deployment.
- Carry out a regular check of system devices and software, specifically to look for unchanged default passwords.
Tip 2: Help users cope with password overload
- Only use passwords where they are really needed.
- Use technical solutions to reduce the burden on users.
- Allow users to securely record and store their passwords.
- Only ask users to change their passwords on indication or suspicion of compromise.
- Allow users to reset passwords easily, quickly and cheaply.
- Do not allow password sharing.
Tip 3: Understand the limitations of user-generated passwords
- Reinforce policies with good user training. Steer users away from choosing predictable passwords, and prohibit the most common ones by blacklisting. (see example above!)
Tip 4: Understand the limitations of machine-generated passwords
- Choose a scheme that produces passwords that are easier to remember.
- Offer a choice of passwords, so users can select one they find memorable.
Tip 5: Prioritise administrator and remote user accounts
- Administrators must use different passwords for their administrative and non-administrative accounts.
- Do not routinely grant administrator privileges to standard users.
- Consider implementing two factor authentication for all remote accounts.
- Make sure that absolutely no default administrator passwords are used.
Tip 6: Use account lockout and protective monitoring
- Allow users around 10 login attempts before locking out accounts.
- Password blacklisting works well in combination with lockout or throttling.
- Protective monitoring is a powerful defence against brute-force attacks, and offers a good alternative to account lockout or throttling.
- When outsourcing, contractual agreements should stipulate how user credentials are protected.
Tip 7: Don’t store passwords as plain text
- Never store passwords as plain text.
- Produce hashed representations of passwords using a unique salt for each account.
- Store passwords in a hashed format, produced using a cryptographic function capable of multiple iterations (such as SHA-256).
- Ensure you protect files containing encrypted or hashed passwords from unauthorised system or user access.
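The following is an added example, not code from CESG or from this post, showing how Tips 3, 6 and 7 fit together in a small account store: a blacklist check when a password is set, a per-account random salt with an iterated SHA-256 construction (PBKDF2-HMAC-SHA256 from the Python standard library), constant-time comparison at login, and lockout after around 10 failed attempts. The blacklist contents, the `AccountStore` class and its method names are assumptions made for the example; the iteration count is a constructed default, not a figure from the guidance.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Tip 3: a constructed blacklist of predictable passwords. A real deployment
# would load a much larger list; the check below is case-insensitive.
COMMON_PASSWORDS = {"password", "password1", "$password1", "$password2", "123456", "qwerty"}

# Tip 7: salt length and an assumed default iteration count for PBKDF2-HMAC-SHA256.
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000

# Tip 6: lock the account after around 10 failed attempts.
MAX_FAILED_ATTEMPTS = 10


class PasswordRejected(ValueError):
    """Raised when a new password is on the blacklist."""


def is_blacklisted(password: str) -> bool:
    # Normalise case so "$Password1" and "$password1" are both caught.
    return password.lower() in COMMON_PASSWORDS


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    # Iterated, salted hash: PBKDF2 with HMAC-SHA256 as the underlying function.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class AccountStore:
    def __init__(self, iterations: int = DEFAULT_ITERATIONS):
        self._iterations = iterations
        self._accounts: Dict[str, dict] = {}

    def create(self, username: str, password: str) -> None:
        if is_blacklisted(password):
            raise PasswordRejected("password is on the blacklist")
        salt = os.urandom(SALT_BYTES)  # unique salt per account (Tip 7)
        self._accounts[username] = {
            "salt": salt,
            "iterations": self._iterations,
            "digest": derive(password, salt, self._iterations),
            "failed": 0,
            "locked": False,
        }

    def record(self, username: str) -> Optional[dict]:
        # Copy of the stored record, so callers cannot mutate it.
        acct = self._accounts.get(username)
        return dict(acct) if acct else None

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return bool(acct and acct["locked"])

    def unlock(self, username: str) -> None:
        # Administrative reset (Tip 2: make resets easy for the user).
        acct = self._accounts[username]
        acct["failed"] = 0
        acct["locked"] = False

    def login(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            # Do the same work for unknown users so timing does not reveal
            # which usernames exist.
            derive(password, b"\x00" * SALT_BYTES, self._iterations)
            return False
        if acct["locked"]:
            return False
        candidate = derive(password, acct["salt"], acct["iterations"])
        if hmac.compare_digest(candidate, acct["digest"]):
            acct["failed"] = 0
            return True
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True
        return False


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery staple")
    print("good password accepted:", store.login("alice", "correct horse battery staple"))
    print("bad password rejected:", not store.login("alice", "$Password1"))
```

Two accounts created with the same password end up with different digests because each gets its own salt, and the plain-text password is never written anywhere. Monitoring the `failed` counter and lockout events is the protective-monitoring input Tip 6 mentions.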