Friday, April 10, 2009

Just Say No to Forced Password Changes

Don't force web application users to change their passwords. Instead, require strong passwords from the outset. I feel sorry for users when I see strong password requirements with forced password change after a certain time. The aggravation and inconvenience for users is not worth the trouble. In fact, for web applications, forcing passwords changes may actually increase the chance that passwords will be compromised. The reason is in how a brute force attack is done: a malevolent person with a valid username systematically tries every possible password combination hoping to get a hit. Depending on password complexity, it could take decades or longer.

Let's say the minimum password length for a web application is 8 characters, and a certain user has chosen an initial password of "muiylmo9". Now assume a brute force attack on that user's account is launched, where a password of "aaaaaaaa" is tried, then "aaaaaaab", then "aaaaaaac", and so on. Some time after this attack begins, the user is forced to change his password and he chooses "aciylmo9". The result? The user's password is now more likely to compromised earlier on in this attack! The user's account would have been more secure if the password had never changed. This might be a simplistic scenario, but I think it demonstrates the dubious nature of it all.

Forced password changes make more sense when passwords are stored in a file of some sort (e.g., Apache HTTP Server or Windows) that could be stolen and brute-forced in "offline" mode. If a password is cracked in that scenario, the account may still be safe if the user has changed his password.


Philip Wolfe 7/08/2009 1:16 PM  

Kind of...

You choose an example that supports your logic. The reason to force password changes even on web apps is to thwart attackers who are using an account without the account owner's knowledge.

The "number of failed attempts" protection will protect against brute force, not someone keeping the same password for 10 years.

Dave Ferguson 8/26/2009 4:00 PM  

Good point, I did not consider attackers who are stealthily using an account without the owner's knowledge. But carry out the thought in your mind... if that is happening, the forced password change would affect the attacker too, and he could very well change it to a value of his choice, no?

  © Blogger templates The Professional Template by 2008

Back to TOP