Monday, 14 November 2011

Tweet from 2020: The PCI DSS finally dropped the requirement to regularly change passwords

I hate passwords! There are two types of users:
a) those like me who have many passwords, almost one for every application
b) those who have one password and use it everywhere

Another problem with passwords is that many websites and security standards require periodic password changes.
For example:

  • PCI DSS states "8.5.9 Change user passwords at least every 90 days."
  • ISO27001:2005 Annex A includes "A.11.3.1, Password use: Users shall be required to follow good security practices in the selection and use of passwords."
  • ISO27002 (Implementation guidance) states: "11.3.1 Password use: change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts should be changed more frequently than normal passwords), and avoid re-using or cycling old passwords"

Now, let's ask the question: what is the threat that a forced password change is trying to address? If a password has been compromised, it will most likely be used immediately. If the compromise has not been spotted, then a forced password change later is going to do little for the security of the data!

I believe a better policy would be:
  1. Users must choose a secure passphrase they can remember and must not reuse it on other applications
  2. Passwords must be changed when a compromise is suspected
  3. Account lockout must be implemented and monitored to catch random brute-force attacks
  4. Monitoring for potential password compromise must be implemented, for example in a SIEM
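Points 3 and 4 are where the work actually is, so here is an added example (my own code, not from the original post) showing the two controls side by side over a handful of constructed authentication events. The log format, the field names, the thresholds and the IP addresses are all assumptions for the sake of the demo. The example also goes a step beyond the post: per-account lockout stops a brute-force run against one account, but it does nothing against password spraying (one source trying a few guesses against many accounts), which is exactly the case a SIEM correlation rule by source address is needed for.

```python
"""Account lockout plus SIEM-style correlation over constructed auth events.

Added example, not the original author's code. The log format below is an
assumption made for this demo:
    <ISO-8601 timestamp> auth user=<name> src=<ip> result=<OK|FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not captured from any real system).
SAMPLE_LOG = """\
2011-11-14T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2011-11-14T10:00:02Z auth user=alice src=203.0.113.5 result=FAIL
2011-11-14T10:00:03Z auth user=alice src=203.0.113.5 result=FAIL
2011-11-14T10:00:04Z auth user=alice src=203.0.113.5 result=FAIL
2011-11-14T10:00:05Z auth user=alice src=203.0.113.5 result=FAIL
2011-11-14T10:00:06Z auth user=alice src=203.0.113.5 result=OK
2011-11-14T10:05:00Z auth user=bob src=198.51.100.7 result=FAIL
2011-11-14T10:05:01Z auth user=carol src=198.51.100.7 result=FAIL
2011-11-14T10:05:02Z auth user=dave src=198.51.100.7 result=FAIL
2011-11-14T10:05:03Z auth user=erin src=198.51.100.7 result=FAIL
2011-11-14T10:05:04Z auth user=frank src=198.51.100.7 result=FAIL
2011-11-14T10:05:05Z auth user=grace src=198.51.100.7 result=FAIL
2011-11-14T10:30:00Z auth user=bob src=192.0.2.10 result=FAIL
2011-11-14T10:30:09Z auth user=bob src=192.0.2.10 result=OK
"""

# Assumed thresholds; tune to the application's real traffic.
LOCKOUT_THRESHOLD = 5   # failures for one account within LOCKOUT_WINDOW_S -> lock
LOCKOUT_WINDOW_S = 300
SPRAY_THRESHOLD = 5     # distinct accounts failed from one source within SPRAY_WINDOW_S -> alert
SPRAY_WINDOW_S = 600


def parse_line(line):
    """Parse one event of the assumed format into a dict."""
    ts_text, _tag, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": kv["user"], "src": kv["src"], "ok": kv["result"] == "OK"}


def analyse(log_text):
    """Return (locked_accounts, spraying_sources, suspicious_logins).

    locked_accounts:   user -> time the per-account lockout tripped (control 3)
    spraying_sources:  src  -> time the per-source correlation rule fired (control 4)
    suspicious_logins: successful logins that happened while the account was
                       locked (the application should have refused them) or
                       came from a source already flagged as spraying
    """
    fail_times = defaultdict(deque)       # user -> timestamps of recent failures
    locked = {}
    src_failed_users = defaultdict(dict)  # src -> {user: time of last failure}
    spraying = {}
    suspicious = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["ok"]:
            if user in locked or src in spraying:
                suspicious.append((ts, user, src))
            continue
        # Control 3: sliding-window failure count per account.
        q = fail_times[user]
        q.append(ts)
        while (ts - q[0]).total_seconds() > LOCKOUT_WINDOW_S:
            q.popleft()
        if len(q) >= LOCKOUT_THRESHOLD and user not in locked:
            locked[user] = ts
        # Control 4: correlate failures by source. One guess per account never
        # trips the lockout above, so spraying is only visible here.
        seen = src_failed_users[src]
        seen[user] = ts
        for stale in [u for u, t in seen.items() if (ts - t).total_seconds() > SPRAY_WINDOW_S]:
            del seen[stale]
        if len(seen) >= SPRAY_THRESHOLD and src not in spraying:
            spraying[src] = ts
    return locked, spraying, suspicious


if __name__ == "__main__":
    locked, spraying, suspicious = analyse(SAMPLE_LOG)
    print("locked accounts:   ", sorted(locked))
    print("spraying sources:  ", sorted(spraying))
    print("suspicious logins: ", [(u, s) for _, u, s in suspicious])
```

In the sample, alice trips the lockout after five failures and her subsequent success is flagged because a locked account should not be able to log in; 198.51.100.7 never fails twice against the same account, so lockout is silent, but the per-source rule catches it; bob's single failure followed by a success from a new address is ordinary behaviour and produces nothing. Neither rule has any use for a calendar-driven password change, which is the point of the post.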
Ultimately, we need to steer away from passwords and give users more convenient and secure means of authentication. This could be implemented by a combination of certificates, smartphones and biometric authentication.

So, I honestly hope that security standards will recognise that a password change without a reason is not a good control!
