Microsoft is right, mandatory password changes are obsolete

Microsoft has recently come out and said that mandatory password changing is ancient and obsolete. This goes directly against everything we were trained to think for the last couple of decades, and against most compliance directives including some of the most dominant security standards. And it is correct.

If anything, Microsoft hasn’t gone far enough: password changing is the visible tip of the iceberg – there are many other major inconveniences for our users that make bad security policy and should be done with.

One of the most destructive notions against good and practical IT security is the supposed axiom that security is the opposite of simplicity. This manifests in the popular “Dilbert” comics that depicts the typical office IT environment and has a recurring character called “Mordac the Preventer of Information Services”, which comes to capture the common belief that the IT security team is there to circumvent and ideally block all usable functions.

Like many things in life, the relationship between security and usability isn’t straightforward. In the very extremes that axiom seems to hold: if I can block all access to a machine (for example: bury a computer under 30 feet of concrete) that would probably make it as secure as it can ever be, and completely useless at the same time.

The other extreme is mostly correct too: if I give free and unfiltered access to a certain computer, it will be as insecure as can be: any wannabe hacker will be able to access any information on that machine (not to mention anyone passing by the server will be able to physically pick it up and take it) while anyone who wanted to use it for anything proper will have open and unfiltered access to it. Perfect usability with zero security, achieved.

As tempting as it may be to now draw a straight line between the “full security, no usability” and “no security, full usability” data points, the reality is that this is grossly incorrect in the middle. In most cases reducing inconvenience does not make something more secure and vice versa. No security feature shows it better than passwords.

Passwords were necessary to control access from the time humans started using non-human devices. Door keys are passwords that control who can access a house. Speakeasies used passwords to allow patrons to visit an illegal bar while blocking uninvited people from nosing around.

While with other humans we have a range of options, machines are not as flexible; it’s unlikely that a liquor store owner will card my grandfather, for example, but it’s near certain that the self-checkout machine will ask him for his ID every single time he buys a six-pack of beer. As we interact more and more with machines, passwords become a way we identify ourselves. In classic security theory we call this granting access based on “something I know”. That something is the secret password.

Playing the password game was reasonably ok while we were humans trying to prevent other humans from breaking into our systems; I choose a secret password and not tell you. The only way you can break into my system is try to guess what password I used. Not knowing what I know means you’ll have a very hard time guessing. There are more than 170,000 words in the English language. Good luck trying to guess the words I used as a password (assuming they’re even in the dictionary in the first place).

The problem with passwords surfaced once computers got involved in attacking other computers. Passwords are asymmetrical: humans are not good at remembering while machines have perfect memory. Humans take time to recall and type things while computers do it in milliseconds. So, as soon as those human attackers started getting assistance from computers, the game was skewed against us – like teenagers playing casual neighborhood basketball when suddenly one team asks their NBA player uncle to join their team. A computer that tries 1000 passwords per second will go through the entire oxford dictionary in just 3 minutes. It isn’t fun to play this game against computers.

This is where things took a bad turn. Applying the false maxim that “security is the opposite of usability”, security experts decided that making it harder for users to use systems via passwords will enhance its security. They therefore opted for more complex passwords; if dictionary words produce hundreds of thousands of combinations, adding digits (and then uppercase characters, and then symbols) adds order of magnitude of complexities. Suddenly computers need days, or weeks, or months to go through all combinations. Aha! Thinks Mordac the preventer, I may be making it somewhat difficult for my users, but I’m also blocking would-be attackers. What other choice do I have; after all, security is the opposite of usability!

What an unfortunate turn of events. Not only has this proven to not be true, but it also derailed the security world from finding a good solution to the problem (there are several). Let’s first see why it didn’t work.

The human brain likes simple patterns; the password ‘12345’ is easy to remember. So is the word ‘password’ (both were the world’s single most used password at some time or another). Team preventers decided to force users to use complex passwords, but humans adapt well. If ‘12345’ is not allowed, and ‘abcde’ is not allowed, I can use ‘abc123’ instead. Anyone who ever worked at a large IT company knows of dozens of clever ways to construct an amazingly simple password while bypassing the restrictions set by the password policy makers. In other words, an arms race started between users and their IT security people. The loser: both. The IT security staff was busy implementing advance password policies, the users were busy finding ways to circumvent these policies (not to mention posting secret passwords on post-it notes around the office) and attackers using computers were still able to crack these simple passwords in a variety of ways. In short – low security coupled with low usability.

Next came the single complex password era: as a user, I can come up with a single very complex password and remember it. The problem – I use dozens, maybe hundreds of services online and they all want me to use a security password. And so, this single (but very secure) password is used across hundreds of sites, and everything seems good for a while.

Until attackers compromise one of those online services. It doesn’t seem alarming at first: who cares if a cat meme generator site gets compromised by some hacking group? The problem is, of course, that my password is now exposed – the same complex password I use for my bank account and my main server at work. Computers have the ability to try my password against thousands of online services almost immediately, so before I hear about my password being compromised, dozens of my online services are already hacked. But what could I, as a user, do? I can remember a few simple passwords, or I can remember one complex password. But how can I remember many complex passwords? There is an obvious asymmetry between the attacker (using a computer) and the user (using a human brain). It’s not a fair match.

It took us more than 30 years to realize that passwords are the wrong direction. It could have been an instant conclusion if we just had gotten rid of the ‘security is the opposite of usability” false narrative. What if we come up with something that is easy for users to do but difficult for computers? Eureka.

As soon as we change the definition, solutions pop up everywhere. The Bank of America allows me to choose any 4-digit PIN that I want and then use it to withdraw real cash. They do that in a way that I can remember it and will not need to write it down; why is a simple 4-digit PIN (only 10,000 combinations) secure? Because it requires “something I have” (a debit card) in addition to “something I know” (the PIN code). Gmail and Facebook use the same method when they send you an SMS to confirm that it’s really you who is logging into the account – a mobile phone is “something you have”.

We also know how to block computers while minimizing disturbance for humans. The ‘CAPTCHA’ tests use abilities humans have naturally (like finding all the stop signs in a set of pictures) and computers struggle with. Another behind-the-scene protection is a temporary account lock-out after a few attempts. If you can’t enter your password within 3 tries you probably need a long time-out to quietly figure out what the password is before you can continue. Why allow a computer try millions of combinations an hour where we can limit it to 3 per hour, blocking these brute-force attacks while giving a very minor inconvenience to legitimate users?

We are just starting to move away from passwords, and unfortunately their inconvenience will be with us for a while. But realizing you have a problem is a necessary step towards a solution. The security world is just now realizing that inconveniencing users is not the right way to enhance security.

Our job as security professionals is to find those security solutions that provide maximum security with minimal inconvenience to humans; in a few decades it will be common knowledge that user convenience provides the best security. Let getting rid of passwords be the first step in that seemingly utopian direction.

Don't miss