[BreachExchange] Why CIOs need to focus on password exposure, not expiration

[Destry Winant]

https://www.helpnetsecurity.com/2020/10/05/focus-on-password-exposure-not-expiration/

The cybersecurity market is growing even in the midst of the
pandemic-driven economic downturn, with spending predicted to reach
$123 billion by the end of the year. While disruptive technologies are
undoubtedly behind much of this market growth, companies cannot afford
to overlook security basics.

Biometrics may be a media darling, but the truth is that passwords
will remain the primary authentication mechanism for the foreseeable
future. But while passwords may not be a cutting-edge security
innovation, that’s not to suggest that CIOs don’t need to modernize
their approach to password management.

Mandatory password resets

Employees’ poor password management practices are well-documented,
with Google finding that 65% of people use the same password for
multiple, if not all, online accounts. To circumvent the security
risks associated with this behavior, companies have historically
focused on periodic password resets. Seventy-seven percent of IT
departments surveyed by Forrester in 2016 were expiring passwords for
all staff on a quarterly basis.

This approach made sense in the early days of the digital age, when
employees typically only had a handful of passwords to remember. I’d
argue that times had already changed by 2016, but we are certainly in
an entirely different landscape today. As digital transformation
accelerates and employees are faced with managing multiple passwords
for all of their accounts, it’s simply no longer realistic or wise to
force frequent password resets.

It’s time to retire password expiration

Both NIST and Microsoft have recently come out against forced periodic
password resets for a variety of reasons, including:

- Password expiration eats up significant resources and budget.
According to Forrester, a single password reset costs $70 of help desk
labor. When you multiply this by the average number of employees in a
typical organization, it’s easy to see how password expiration can
become an unwieldy expense and add significant pressure on
overburdened IT teams.
- It encourages poor cybersecurity practices. When users are
frequently asked to change passwords they typically create weaker
ones—for example, slight variants of the original password or the same
root word or phrase with different special characters for each
account.
- The practice impedes efficiency and introduces friction. Forced
resets have a negative impact on productivity as employees often
struggle to remember their passwords. One recent study found that 78%
of people had to reset a password they forgot in the past 90 days,
eating up valuable time that could have better been deployed
elsewhere. In addition, the frustration associated with frequent
changes can cause employees to seek a workaround or engage in poor
security practices like sharing passwords among colleagues or reusing
personal passwords for corporate accounts.

Exposure, not expiration

The fundamental purpose of passwords is to ensure that no one but the
authorized user has access to the account or system in question. As
such, it follows that password security has evolved from a focus on
expiration to a focus on exposure. If credentials are secure, there is
no reason for companies to incur the cost and other issues associated
with forcing a reset. It’s critical that CIOs adopt this mindset and
evaluate how they can continuously screen passwords to ensure their
integrity.

Putting NIST’s recommendations into practice

According to NIST, companies should compare passwords “ …against a
list that contains values known to be commonly-used, expected or
compromised… The list MAY include, but is not limited to:

Passwords obtained from previous breach corpuses
Dictionary words
Repetitive or sequential characters
Context-specific words, such as the name of the service, the username,
and derivatives thereof.”

Given that multiple data breaches occur in virtually every sector on a
daily basis, companies need a dynamic, automated solution that can
cross-reference proposed passwords against known breach data. In this
environment, it’s highly likely that a password could be secure at its
creation but become compromised down the road. As such, CIOs also need
to monitor password security on a daily basis and take steps to
protect sensitive information if a compromise is detected.

Depending on the nature of the account and the employee’s privilege
this could take a variety of forms, including:

Stepping up MFA or additional authentication mechanisms
Forcing a password reset
Temporarily suspending access to the account

Because these actions occur only if a compromise has been detected,
this modern approach to credential screening eliminates the
unnecessary cost and friction associated with password expiration.

Protecting the password layer in the new normal

Replacing password expiration with password exposure will be
particularly critical as CIOs manage an increasingly hybrid workforce.
With Gartner finding that 74% of organizations plan to shift some
employees to permanent remote work positions, it’s likely that users
will be creating new digital accounts and accessing different services
online.

A modern password management approach that continuously screens for
any credential compromise is the best way that organizations can
secure this complex environment while simultaneously encouraging
productivity and reducing help desk costs.