Wait What? We don?t have to change passwords every 90 days?

Published: 2017-05-17
Last Updated: 2017-05-17 21:56:25 UTC
by Richard Porter (Version: 1)
2 comment(s)

/. Recently published a post covering a draft NIST Standard that is in review [1]. This handler thought it would cause a disturbance in the force, but so far no one is discussing it. One of the big stand out changes is no more periodic password changes [2]. There are several others as well, and CSO Online has a fantastic summary review [3].

There are some clear differences that stand out right away in the introduction. As with most things, standards evolve as we learn.


Original introduction (first 3 sentences)

“ Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system. E-authentication presents a technical challenge when this process involves the remote authentication of individual people over a network. This recommendation provides technical guidelines to agencies to allow an individual person to remotely authenticate his/her identity to a Federal Information Technology (IT) system. [4]”


Draft Publication Introduction (first 3 sentences)

Digital identity is the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service, but does not necessarily need to uniquely identify the subject. In other words, accessing a digital service may not mean that the physical representation of the underlying subject is known. [2]


The new draft goes on from there to outline digital identity and attempts to clearly define access and uses more risk based language.

One clear change that will shock users is the removal of periodic password changes. The handlers agree that a strong review of this draft is in order for security professionals as we can hear the users now:

“Wait, you have been forcing me to change my passwords ALL THIS time, and now your saying it is not needed?”

Another section that should be reviewed and discussed deeply is 5.2.7 Verifier Compromise Resistance. According to the section there should be some mechanism to verify compromise resistance. One could interpret this to run passwords against breached credential databases, however this is not specifically called out  [2] [3].

In conclusion, this standard is a strong deviation from previous recommendations and should be reviewed for impact to your security practice. (There is that disturbance in the force we were looking for).

[1] https://it.slashdot.org/story/17/05/09/1542236/nists-draft-to-remove-periodic-password-change-requirements-gets-vendors-approval

[2] https://pages.nist.gov/800-63-3/sp800-63b.html

[3] http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html

[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf

2 comment(s)


I've thought periodic forced changes are counter productive for a long time.

* If someone breaks into a computer, the first thing they generally do is establish a backdoor. They then don’t need the user’s password.

* I have seen lots of malware that sets itself to autorun when the user logs in. It doesn’t need the user’s password. Changing the password won’t even slow it down.

* Some attackers create their own account if they get high enough access. They no longer care about the user’s password.

* Users will just change them in rather predictable ways, so even if the attacker did need it, it wouldn’t be hard to reacquire.

* The malware can install a keylogger that will effectively send the new password right back to the attacker.

Even Microsoft is coming around. "...Eliminate mandatory periodic password resets for user accounts..." (https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf)

And this doesn't even consider the biggest (although not the only one) threat is ransomware, which doesn't try to mess with passwords (yet).
Please note PCI DSS still requires a 90 day password change for any system inside a CDE, or capable of affecting the security of a CDE.

Diary Archives