It is 3:50pm. There are ten minutes before class starts. You forgot to print your homework and the clock is ticking. You attempt to log into Oreprint, but fail. The title text pleads to you, making a strong emotional appeal: “Please login with your multipass credentials.” “Invalid username or password” blares across your screen in deep red and white as you try to hold back your tears. “Maybe I typed it in wrong,” you say again and again to comfort yourself, while you type out your password slowly for the seventh time in a different browser. You check to make sure you remember your password by attempting to log on to trailhead… successfully?! However, your password still doesn’t work on Oreprint and you are running out of time. Suddenly you have a vivid flashback to receiving an email titled “Upcoming MultiPass Password Expiration.” That could make sense, but every other multipass service that you use regularly works… So, having a valid excuse, you give up and tell your professor before class starts. Eventually, you get Oreprint to work again by changing your password and your professor still marks your homework as late.
Mines requires a password change once every six months, but does this actually increase security? Research suggests otherwise. Based on several studies, the National Institute of Standards and Technology advises against password expiration because research shows that mandatory password changes encourage weaker passwords. Most people, when required to change their password, change only one or two characters (usually by adding a character at the end or incrementing a number). An argument for regular password expiration is that if your account is breached, an attacker cannot keep access for longer than the expiration period. However, if a hacker trying to access an account already has an old password, the number of guesses required to find the new password is tiny, and algorithms that generate those guesses already exist. Therefore, forcing a password change does very little to increase security and can greatly inconvenience the users of a system.
Creating a blacklist of the most common passwords and using a password meter that gives constructive feedback is much more effective at securing user accounts than forcing a password change every six months. I suggest that the CSM administration in charge of multipass passwords review the government password guidelines (NIST SP 800-63B) and implement them, along with two-factor authentication, to increase the security of all multipass accounts.