You may have heard that Microsoft changed their guidance on password expiration policies. On May 23, 2019, they released a blog post explaining their decisions.
As cybersecurity experts already know, the average human has a password that is easy to type and therefore, easy for a computer to guess. And forcing them to change the password every few months doesn’t change the fact that their password is easy to guess. Modern computers can brute force an eight-character alphanumeric password in hours. Changing one or two characters in that eight-character password isn’t going to make it any harder.
So the question is: should you follow Microsoft’s guidance and remove your password expiration policy? Well, it’s complicated.
Password expiration policies are just one brick in your cybersecurity wall. You shouldn’t take a brick out of your security wall unless you have defenses that can compensate. You should consider the greatest risk factors for your organization and develop a cybersecurity strategy to mitigate those exact risk factors.
Why Eliminate Password Expiration Policies?
Microsoft has an entire section in their blog post that answers this question, but the crux of their argument is that password expiration is a low-value security measure. Thus they no longer recommend a password expiration policy as part of Microsoft’s Cybersecurity Baseline.
Microsoft isn’t telling you to turn off all your password expiration policies today. They are telling you that you need more than just a password expiration policy in your strategy.
Should I Remove My Password Expiration Policy?
Most organizations should keep their current password expiration policy in place for now.
Consider this simple question: What happens when a user’s password is stolen?
Password policies help mitigate the persistence by cutting an attacker’s lifeline into the network. The shorter the password expiration policy, the shorter their window to compromise systems and exfiltrate data (if the attacker hasn’t established another entry point). Microsoft believes that these same password policies designed to rotate out compromised credentials are actually encouraging bad practices such as reused passwords, weak password iteration (Spring2019, Summer2019, Winter2019), post-it noted passwords, and many others.
In short, they believe that the risk introduced by bad password practices are greater than the risk mitigated by password expiration policies. We here at Varonis sort of agree, but there has been a severe misrepresentation of what it takes for a company to be ‘No-Password Expiration’-ready.
This high-usability security change is easy to pounce on, but you could end up increasing your risk profile if you lack other industry best practices such as:
- Passphrases: Enforcing long (16 characters or more) and complex passwords make it difficult to brute force. The old standard eight character password minimum is crackable in a matter of hours for modern computers.
- Least privilege model: In a world where persistency is non-exipiring, knowing that user’s have access to the least amount of data possible is crucial.
- Behavioral monitoring: You should be able to detect when an account has been compromised based on deviations in normal login and data access activity. Static analysis alone won’t cut it.
- Multi-factor authentication: Even if an attacker has the username and password, multi-factor authentication acts as a major hurdle for the average hacker.
Are Passwords Finally Dying?
That is the question, isn’t it?
A few technologies are looking to replace passwords as the de facto authentication protocol. FIDO2 stores identity data on a physical device. Biometrics, despite it’s “unique but not private” concerns, is also an option.
The new paradigm seems to be authentication methods that can’t be accidentally shared or easily stolen.
So far, those technologies haven’t broken through the enterprise into the mainstream.
Until then, consider keeping your password expiration policy in place and your users inconvenienced just a little bit, for the greater good.
How Varonis Helps with Credential Theft
Varonis provides additional protections to help reinforce your password policies. Varonis monitors file activity, Active Directory events, perimeter telemetry, and more to build a user-specific baseline. Varonis then compares that baseline to current activity and matches current behavior to a Varonis threat model that could indicate a compromised user account.
The Varonis Active Directory Dashboard highlights potential accounts that are at risk from compromise, like service accounts with administrator access, non-expiring passwords, or passwords that are not required to comply with password requirements at all.
Varonis threat models detect all sorts of login anomalies, like odd login times, weird geographic locations, logins from a new device, potential brute force attacks, and ticket harvesting.
Until then, consider keeping your password expiration policy in place just a little bit longer.
To see Varonis in action, check out the Live Cyber Attack Workshop. We’ll show you how to execute an attack and then demo how to detect and investigate the attack using the Varonis platform. It’s run by our expert team of incident response and forensics pros with 8 live sessions every week!