Let’s start this piece with a question for ourselves: do we still need password expiration as a security measure? In today’s life science industry, especially the pharmaceutical sector, a number of compliance reasons, guidelines, and agency regulations are responsible for an organization’s requirement to have its employees change their passwords every so often. It is now fair to say that we have arrived at a point in time where most of the reasons behind the password expiration policy seem obsolete.
The first reason becomes evident with a brief look at the history of password policies. Decades ago, it was estimated that a computer would take up to 90 days to crack the average password hash (a calculation based on a year-2000 Intel Pentium III CPU at 1,500,000 guesses per second against an 8-character passphrase in an offline scenario). That translated into the thinking that users should change their passwords every 90 days. As time went on, this habit turned into a guideline and subsequently became a requirement in many different standards from a security point of view.
In the present digital landscape, the premise that it takes nearly 3 months to make use of someone’s stolen credentials is no longer relevant. If you conduct a risk-based analysis, you will likely find that a password expiration time is far more harmful and actually increases your risk level, as shown by an empirical study at the University of North Carolina. Another problem is that organizations and regulations do not keep up with the rapid changes of the digital era; good practice guides in particular continue to promote outdated and harmful practices. Fortunately, this is slowly becoming less and less the case.
The second reason is an outdated threat model. Most of today’s passwords can be cracked in the cloud, simply because their attributes are so average. Moreover, password cracking is no longer the biggest risk; data and password harvesting, social engineering and phishing are what pose the greatest threat to companies. Because the threat model has changed, once your password is compromised your system can be attacked within literally seconds. Perpetrators do not wait for a period in which you would be able to change your password; they make use of it right away. So, by the time you have finished changing your password, they are long gone with all the information and data they could get.
In general, password policies are meant to decrease such risks. In the case of password expiration, the effect might as well be the exact opposite. You would think that mitigating security or data integrity risks by requiring a password change works. In reality, this requirement will just make employees increment the number 1 at the end of their password or append another character. Perpetrators know this as well as anyone. Funnily enough, they also know about typing the password one keyboard row higher. A password history won’t stop them either, because a paper by several professors at Carnegie Mellon University showed that people’s choices of password structure mostly follow a few known patterns. That’s why social engineering is such a threat.
This ties perfectly into another reason, mostly overlooked, which is behavioral costs. Simply put, changing passwords costs money. A study at University College London documented that nearly every behavior has an associated cost, and having every employee routinely change their passwords is not a small one. Costs include the time people spend on the actual changes, time spent on help desk tickets, and the cost to your governance program and company culture. It should make you wonder why employees are not keen on a security program or why they keep writing down passwords on sticky notes.
Easy to Remember, Hard to Guess
An easy way to make things more secure is to actually make it easy for employees to create and remember passwords.
So let us talk about the good practice approach that we at GxP-CC recommend, and what you can actually do to have a properly secured environment:
Create organizational policies based on facts and not just on what guidelines and regulations give you. When you are trying to enforce a requirement, make sure there is a good reason for it. Don’t make employees stick to outdated security policies; they are then less likely to buy into the program, which in itself can have adverse effects on governance.
When you face compliance regulations that require password expiration dates, think about equivalent controls that compensate for this single requirement. Also, document your reasoning.
Encourage the use of long passphrases. Length, not complexity, is the new entropy. Here, entropy is a measure of how unpredictable a password is: more possible passwords of a given form means more guesses an attacker has to make.
Make sure each account is secured with a unique password. A breach then compromises only one system, not all of them.
Multi-Factor Authentication (MFA). I think that speaks for itself.
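To make the "length beats complexity" argument and the policy points above concrete, here is a small added example (not from the original article or from GxP-CC) that computes brute-force entropy and exhaustive-search time for a password, using the Pentium III guess rate cited above, and checks a new password against a length-based policy instead of an expiration rule. The minimum length of 12, the modern guess rate, and the small breached-password list are assumptions constructed for the example.

```python
import math
import string

# Guess rate the article cites for a year-2000 Pentium III offline attack.
PENTIUM3_RATE = 1_500_000
# Placeholder for modern offline cracking hardware (assumption, not from the article).
ASSUMED_MODERN_RATE = 1e11
# Constructed sample of known-compromised passwords (assumption, not a real breach list).
SAMPLE_BREACH_LIST = {"password", "welcome1", "summer2023"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers every character."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += 33  # printable ASCII symbols, with space counted in this pool
    return size


def entropy_bits(pw: str) -> float:
    """Brute-force entropy in bits: length * log2(pool size)."""
    return len(pw) * math.log2(charset_size(pw))


def days_to_exhaust(pw: str, rate: float) -> float:
    """Days needed to try every password of this length and pool at the given rate."""
    return charset_size(pw) ** len(pw) / rate / 86400


def is_trivial_variant(new: str, old: str) -> bool:
    """True when the new password is the old one with only the trailing digits changed."""
    core = lambda s: s.rstrip(string.digits).lower()
    return core(new) != "" and core(new) == core(old)


def check_password(new: str, history: list, blocklist: set, min_len: int = 12) -> list:
    """Return the reasons a new password is rejected; an empty list means accepted."""
    reasons = []
    if len(new) < min_len:
        reasons.append("too short")
    if new.lower() in blocklist:
        reasons.append("known compromised")
    if any(is_trivial_variant(new, old) for old in history):
        reasons.append("trivial variant of previous password")
    return reasons
```

A 20-character all-lowercase passphrase scores about 94 bits against roughly 53 bits for an 8-character password drawn from all four pools, which is the point behind recommending length over complexity.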
The good news is that there are already people working toward better password policies, for instance Microsoft’s Dr. Cormac Herley (see also the latest Microsoft Security Baseline) and the UK National Cyber Security Centre. Guidelines and regulations have started catching up. The NIST SP 800-63B password guidance states that there is no longer a need for password expiration as long as the password is not compromised (see the section on memorized secret verifiers), and so do the password guidelines of the UK Government. Even the Federal Bureau of Investigation (FBI) has made recommendations. For our German readers, check out the newest version of the IT-Grundschutz-Kompendium of the Bundesamt für Sicherheit in der Informationstechnik (BSI). In the past, Section ORP.4.A8 stated that passwords should be changed regularly. Now, this recommendation is no longer part of the compendium, nor is the mention of basic password complexity rules.
To Sum Things Up
In short, change is happening, which is a good and natural thing, although the arms race on password policies, and on security in general, will most likely continue. But by making use of empirical and behavioral studies, big data analysis, advanced methods and tools, and of course improved governance programs, we are still able to adhere to compliance regulations without compromising systems or data. Ultimately, those are tied to product quality and patient safety.
If you are interested in this or any other compliance topic and you feel the need for assistance, do not hesitate and contact us directly. With decades of practical industry experience, GxP-CC consultants can help tailor your practices to stay compliant.