After over a year of effort, Ballot SC3 was just unanimously passed by the CA/Browser Forum. This is the first major upgrade to the Network and Certificate System Security Requirements to come out of the Forum’s Network Security Working Group. It contains several important improvements, but one is especially important: removing the requirement that passwords be changed every 90 days. Ballot SC3 allows Certificate Authorities to have a periodic mandatory password change policy, but states that in the absence of reason to change them (like evidence of compromise), passwords must remain valid for at least two years.
Many years ago, NIST recommended that companies require that users regularly change their passwords. The logic was that this would prevent attackers who compromised older passwords from being able to use them against current systems. This advice was widely adopted, and many security standards require passwords to be changed periodically.
Unfortunately, good passwords can be difficult for users to remember. They are even harder to remember if there are additional arbitrary complexity requirements like the need to include a capital letter, a number and/or a special character. Generating and memorizing a new, unique and strong password that meets all of these requirements every 90 days significantly exceeds the abilities of normal human brains. Research has shown that these mandatory password changes significantly increase support calls and the need for password resets.
People have adapted to these requirements in a variety of predictable ways. The capital letter is typically the first character, the number generally comes at the end, and the special character is at either end, between two components, or replaces a letter in a predictable way (e.g., ‘0’ for ‘o’, ‘1’ for ‘l’, or ‘3’ for ‘e’). When they are required to change their password, they also change their password in a predictable way, for example by incrementing the number or moving the capitalization to the next letter. It is not uncommon for users who are completely fed up with these requirements to use passwords like “Summer2018!”, a password which is quite likely in use by one of your users right now.
Because the changes are predictable, it’s easy to come up with an algorithm that will efficiently find a user’s new password given their old one. This research was published way back in 2010 (https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf). So, password change policies cause users to choose weaker passwords, increase support costs, and do not impose significant costs on attackers. This is exactly the opposite of what good security policies do.
Part of the resistance to changing the requirement was that companies often have to comply with multiple audit schemes. Undoing this requirement will take time. While Ballot SC3 allows Certificate Authorities to relax these requirements immediately, it gives them a two-year grace period in order to work out how to comply with the new requirement. Luckily, NIST has already published some excellent guidance in Appendix A of NIST SP800-63B, which correctly states that the most important characteristic of a password is its length, and that users should choose strong passphrases that they can easily remember, but attackers can’t guess. Lifewire presents an easy way to create a secure passphrase.
Some organizations have already updated their standards to comply with NIST’s new guidance, and others, including FedRamp, have indicated they expect people to comply with it in anticipation of future updates. The most common source of complaints about removing the 90-day password change requirements comes from companies who also must comply with the PCI DSS requirements, and I would strongly encourage the PCI Security Council to release guidance advising QSAs to take NIST’s new guidance around password policies into account, and specifically to no longer require that passwords be changed every 90 days. This would remove the need for companies to have to separately manage password policies for PCI and non-PCI systems, and would reduce the risk that unnecessary password changes lead to weaker passwords for PCI-compliant systems.
Unfortunately, the Forum’s Network Security Working Group’s mandate has expired, and has not yet been renewed under the CA/Browser’s recent governance reform changes. Hopefully, the success of this effort will lead to the re-establishment of the Network Security Working Group, so we can continue to make important and necessary changes to the Network and Certificate System Security Requirements.