The problem with system policies that force periodic password changes


Photo by Yuri Samoilov

Internet services often display a notice such as "It is recommended that you change your password periodically to keep your account safe." However, the UK government's communications headquarters has announced that, to prevent passwords from being guessed and accounts from being accessed by third parties, users should not be made to change their passwords periodically.

The problems with forcing regular password expiry | CESG Site
https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

Policies recommending that users "change account passwords periodically" are commonly found in the information security policies of many online services. However, CESG, the information security arm of the UK's Government Communications Headquarters, clearly came out against periodic password changes in the password management guidance it published in 2015.

If a password leaks, it is obviously best for the account owner to set a new password and invalidate the old one, so that a third party who obtained the password illegitimately cannot use it to attack the account. However, if the system forces users to change their passwords repeatedly as a precaution against leaks, the service becomes less convenient to use. Moreover, most online services require passwords to be long, random strings so that they are hard to guess. A person can somehow manage to remember about ten such passwords, but nobody can memorize dozens of complex passwords, one for each online service they use.

Many password policies force users to change their passwords, but in practice users, so as not to forget the new password, tend to pick something similar to their old password or to a password they use on other services. A malicious attacker can exploit this habit to gain illegitimate access to the account. If a user writes the new password down somewhere, that note can also become an attacker's target. And whenever a new password is set, a user who forgets it loses productivity and the service provider has to reissue it, increasing the burden on both sides.

Photo by Perspecsys Photos

For these reasons, CESG argues that it is better not to change passwords frequently, warning that "the more often a password is changed, the greater the overall vulnerability and the easier it becomes to attack." When people must change their password many times, they tend to choose memorable strings so as not to forget the new one, so the strength of their passwords steadily weakens.

CESG proposes that companies and organizations "do not force users to change their passwords on a regular basis." In CESG's view, using a password for a long time without changing it reduces the vulnerabilities that accompany password changes. CESG argues that system administrators should "think about how to effectively prevent third parties from accessing accounts by means other than password changes." For example, if a system monitoring tool shows users information about their most recent login, it becomes possible to determine whether a login failure was caused by the user or by an attacker. If the user was not the cause, this indicates that someone may be trying to access the account, and the user can easily be notified.
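As an added example that is not from the article or from CESG's guidance, the following Python shows the kind of last-login check described above: it reads constructed authentication log lines, records each user's last successful login and the failures since it, and flags failures that came from addresses the user has never successfully logged in from. The log format and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an authentication log: timestamp, user, source IP, result.
SAMPLE_LOG = [
    "2015-09-01T08:00:00 alice 203.0.113.10 success",
    "2015-09-01T08:05:00 alice 203.0.113.10 failure",   # user mistyped, then got in
    "2015-09-01T08:05:30 alice 203.0.113.10 success",
    "2015-09-01T09:00:00 bob 198.51.100.7 success",
    "2015-09-02T03:10:00 bob 192.0.2.44 failure",        # failures from addresses
    "2015-09-02T03:10:05 bob 192.0.2.45 failure",        # bob has never used
    "2015-09-02T03:10:09 bob 192.0.2.46 failure",
]

def parse_log(lines):
    """Turn each constructed log line into a (time, user, ip, ok) tuple, oldest first."""
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "success"))
    return sorted(events)

def summarize(events):
    """Per user: last successful login, failures since it, and failure IPs never seen succeeding."""
    state = defaultdict(lambda: {"last_success": None, "known_ips": set(),
                                 "failed_since": [], "unknown_ips": set()})
    for ts, user, ip, ok in events:
        s = state[user]
        if ok:
            s["last_success"] = (ts, ip)
            s["known_ips"].add(ip)
            s["failed_since"] = []        # a good login closes the failure window
            s["unknown_ips"] = set()
        else:
            s["failed_since"].append((ts, ip))
            if ip not in s["known_ips"]:
                s["unknown_ips"].add(ip)
    return dict(state)

def classify(summary):
    """'user' when failures came only from addresses the user has logged in from;
    'suspicious' otherwise. An unfamiliar address may still be the owner on a new
    network, so this is a signal to report to the user, not proof of an attack."""
    return "suspicious" if summary["unknown_ips"] else "user"

def last_login_notice(user, summary):
    """Text a service could show the account owner after a successful login."""
    ts, ip = summary["last_success"]
    n = len(summary["failed_since"])
    return f"{user}: last login {ts.isoformat()} from {ip}; {n} failed attempt(s) since"
```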

Photo by Chris Amelung

The password guidance proposed by CESG can be read in detail in the following PDF file.

Password Guidance: Simplifying Your Approach | CESG Site
https://www.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach

Posted in Security by darkhorse_log