Microsoft recommendations for disabling password expiration: consequences and conclusions
As you may already know, Microsoft has changed its password expiration guidance. In May 2019 they published a blog post explaining the decision.
Security experts know that the average person chooses a password that is convenient to type, and therefore easy for a computer to guess. Requiring a change every few months does not alter the fact that such passwords are easy to guess. Modern hardware can brute-force an 8-character alphanumeric password in a few hours, and changing one or two of those eight characters does not make the task any harder.
Quite a lot of time has passed since Microsoft's recommendation was published, and it is time to draw conclusions: is it worth getting rid of password expiration entirely? In fact, it is not that simple.
A password expiration policy is just one brick in the cybersecurity wall. Do not remove one of the bricks if you have no other controls to compensate for its absence. It is better to focus on the largest risk factors in the organization and build a security strategy that reduces them.
Why get rid of password expiration policies?
Microsoft's argument is that password expiration policies offer little value in terms of information security. As a result, Microsoft no longer recommends them and has removed this element from its baseline security configuration.
But Microsoft is not asking you to disable all of your password policies right away. It is only pointing out that your information security strategy needs more than password expiration.
Should I remove the password expiration policy?
Most organizations should leave their password expiration policy unchanged. Consider a simple question: what happens if a user's password is stolen?
Expiration policies limit the attacker's window by eventually closing the access channel they rely on inside the network. The shorter the password's lifetime, the less time remains to compromise the system and exfiltrate data (unless the attacker has another entry point). Microsoft argues that these same policies, originally intended to remove compromised passwords from circulation, in practice only encourage bad habits: password reuse, weak incrementing (vesna2019, leto2019, zima2019), sticky notes on monitors, and so on.
In short, Microsoft believes that the risk from bad password habits is actually higher than the benefit of expiration policies. We at Varonis partly agree, but there is a widespread misunderstanding of what a company needs to have in place before it can drop such policies.
This change improves the user experience and is easy to implement, but in the end it may only increase overall risk if you do not follow other industry best practices, such as:
- passphrases: requiring long (16 or more characters) and complex passwords makes them much harder to crack. The old standard of at least 8 characters can be cracked in a few hours on a modern PC.
- least privilege: in a world where compromise can never be ruled out, it is critical that each user has access only to the minimum data they need.
- behavior monitoring: you need to be able to detect account compromise from deviations from normal login patterns and unusual data access. Simply reviewing statistics will not do this.
- multi-factor authentication: even if the attacker knows the username and password, multi-factor authentication is a serious obstacle for the average attacker.
Are passwords finally dying?
That is the main question, isn't it?
Several technologies are seeking to replace passwords as the de facto authentication method. FIDO2 stores credentials on a physical device. Biometrics, despite the objection that they are "unique but not private", are also a potential option.
The new paradigm is to find authentication methods that cannot be accidentally handed over or easily stolen. But so far such technologies have not made their way from corporate environments into the mainstream. Until then, Varonis recommends leaving your password expiration policies unchanged and accepting the minor inconvenience to users for the sake of the common good.
How Varonis helps protect against identity theft
Varonis provides additional protection to complement your password policies. We monitor file activity, Active Directory events, perimeter telemetry and other sources to build a baseline of user behavior. We then compare current behavior against that baseline using built-in threat models to determine whether an account is compromised. The Active Directory dashboard shows accounts at risk of compromise, such as service accounts with administrative privileges, passwords that never expire, or passwords that do not meet the requirements set in policy. Threat models also detect various login anomalies, such as logins at unusual times of day, logins from a new device, and potential brute-force or ticket-harvesting attacks.
Until passwords are replaced, it is better to leave your password expiration policies in place.
And if you want to see Varonis in action, sign up for our live cyberattack demonstration. We will show how an attack is carried out and demonstrate how to detect and investigate such incidents using our platform.
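As an added illustration of the behavior monitoring described in the best-practices list and in this section (example code written for this article, not Varonis's own product logic), the following Python builds a per-user baseline of login hours and devices from constructed sample events, then flags logins at an unusual hour, logins from a new device, and bursts of failed logins that suggest brute force. The user names, device names, thresholds and window size are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (user, ISO timestamp, device, outcome)
BASELINE = [
    ("alice", "2019-06-03T09:05:00", "WS-ALICE", "success"),
    ("alice", "2019-06-05T17:30:00", "WS-ALICE", "success"),
    ("bob", "2019-06-03T10:00:00", "WS-BOB", "success"),
]
RECENT = [
    ("alice", "2019-06-10T03:12:00", "WS-ALICE", "success"),  # unusual hour
    ("alice", "2019-06-10T09:00:00", "LAPTOP-X", "success"),  # new device
    ("bob", "2019-06-10T10:00:00", "WS-BOB", "failure"),
    ("bob", "2019-06-10T10:00:20", "WS-BOB", "failure"),
    ("bob", "2019-06-10T10:00:40", "WS-BOB", "failure"),
    ("bob", "2019-06-10T10:01:00", "WS-BOB", "failure"),
    ("bob", "2019-06-10T10:01:20", "WS-BOB", "failure"),
    ("bob", "2019-06-10T10:01:40", "WS-BOB", "success"),  # success after the burst
]

def build_baseline(events):
    """Per-user profile of normal behavior: login hours seen and devices used."""
    profile = {}
    for user, ts, device, outcome in events:
        if outcome != "success":
            continue  # only successful logins define "normal"
        p = profile.setdefault(user, {"hours": set(), "devices": set()})
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["devices"].add(device)
    return profile

def detect_anomalies(profile, events, fail_threshold=5, window=timedelta(minutes=5)):
    """Return (user, timestamp, first matching reason) for events off the baseline."""
    alerts, failures = [], defaultdict(list)  # failures: user -> recent failure times
    for user, ts, device, outcome in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        failures[user] = [t for t in failures[user] if when - t <= window]  # slide window
        if outcome == "failure":
            failures[user].append(when)
            if len(failures[user]) >= fail_threshold:
                alerts.append((user, ts, "possible brute force"))
        elif len(failures[user]) >= fail_threshold:
            alerts.append((user, ts, "success following brute force"))
        elif (base := profile.get(user)) is None:
            alerts.append((user, ts, "no baseline for user"))
        elif all(abs(when.hour - h) > 1 for h in base["hours"]):  # not within 1h of usual
            alerts.append((user, ts, "login at unusual hour"))
        elif device not in base["devices"]:
            alerts.append((user, ts, "login from new device"))
    return alerts
```

Running `detect_anomalies(build_baseline(BASELINE), RECENT)` yields one alert per anomalous event; a successful login immediately after a burst of failures is the case that deserves the fastest response.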