On enforcing password changes: Don't!

Who loves changing their password for work? Except for some lucky souls in Auckland (thanks to the excellent work of @lara), this is the reality every 90 days for much of the New Zealand health system.

How often does your main health organisation enforce password changes?
  • 30 days
  • 90 days
  • Yearly
  • Never (lucky soul!)

As we are human beings, we don’t cope well with this. To mitigate the cognitive load, we tend to go for an easy-to-remember password that we eventually get to comply with overly restrictive character rules (usually communicated poorly), and append a nice little ‘1’. Every three months we simply add one to the digit at the end. For example:

  1. DHBsRock!1
  2. DHBsRock!2
  3. DHBsRock!3
  4. DHBsRock!4
  5. DHBsRock!5 and so on and so forth

The New Zealand Advice

CERT NZ recommends the following (emphasis mine):

1. Ask your staff to set strong and unique passwords instead of asking them to change their password regularly

Asking staff to change their password regularly is counterproductive to good password security. People choose weaker passwords when they know they have to change them often. For example, they might simply change their password from Password1 to Password 2. Instead, ask them to create one long, strong and unique password for their account.

If your system currently prompts staff to change their password on a regular basis, change the setting. Staff should only have to change their password if you suspect their account, or the business network, might be compromised in some way.

from https://www.cert.govt.nz/business/guides/password-policy-for-business

The UK: Very Similar Advice

This is from the National Cyber Security Centre:

Don’t enforce regular password expiry

Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.

Forcing password expiry carries no real benefits because:

  • the user is likely to choose new passwords that are only minor variations of the old
  • stolen passwords are generally exploited immediately
  • resetting the password gives you no information about whether a compromise has occurred
  • an attacker with access to the account will probably also receive the request to reset the password
  • if compromised via insecure storage, the attacker will be able to find the new password in the same place

Instead of forcing expiry, you should counter the illicit use of compromised passwords by:

  • ensuring an effective movers/leavers process is in place
  • automatically locking out inactive accounts
  • monitoring logins for suspicious behaviour (such as unusual login times, logins using new devices)
  • encouraging users to report when something is suspicious

from https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

The US Approach

Fairly typically for the US, these are buried in a very long document by the National Institute for Standards and Technology (NIST).

Fortunately, I found a nice summary of their 2021 password change advice:

2- Remove periodic password reset requirements.

This is one of the biggest frustrations for employees who are forced to change their passwords multiple times per year. Studies have shown requiring frequent password changes is counterproductive to good password security because people will choose weaker or common passwords if they are forced to change their password regularly. They tend to make simple, predictable changes — and bad actors quickly learned those patterns.

Microsoft also agrees that there is no point in forced password changes and will be removing that recommendation from its security recommendations.

from https://www.enzoic.com/nist-password-requirements

If your organisation still enforces mandatory password changes, please consider approaching your CIO and discussing this with them.

4 Likes
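As an added illustration (my code, not part of the original post or of any of the cited guidance), here is the kind of check a password-change endpoint can run to catch the "add one to the digit at the end" pattern described above, while preferring length over character rules. The MIN_LENGTH threshold and the substitution table are assumptions for this example.

```python
import string

# Assumed policy threshold (not from the thread): prefer one long passphrase,
# as the CERT NZ / NCSC guidance quoted above recommends, over short "complex" ones.
MIN_LENGTH = 16

# Common digit/symbol-for-letter swaps users rotate through (P@ssw0rd, Pa55word, ...).
# The table is an assumption for this example, not an exhaustive list.
_SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def canonical_stem(password: str) -> str:
    """Reduce a password to the stem a user keeps between forced changes.

    Lower-cases, strips the trailing run of digits/punctuation/whitespace
    (the '!1', '!2', ... suffix from the post above), then undoes common
    substitutions, so 'DHBsRock!1' and 'DHBsRock!2' both become 'dhbsrock'.
    """
    stem = password.lower().rstrip(string.digits + string.punctuation + string.whitespace)
    return stem.translate(_SUBSTITUTIONS)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with a different suffix or case."""
    return canonical_stem(old) == canonical_stem(new)


def check_change(old: str, new: str) -> list[str]:
    """Return the policy violations for a proposed change from old to new.

    Both values are only available in clear at change time (the user types
    both); nothing here requires storing passwords or stems afterwards.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"too short: {len(new)} < {MIN_LENGTH}")
    if new == old:
        problems.append("unchanged")
    elif is_trivial_variant(old, new):
        problems.append("minor variation of previous password")
    return problems


if __name__ == "__main__":
    # Constructed samples taken from the examples quoted in the thread.
    for old, new in [("DHBsRock!1", "DHBsRock!2"), ("Iride2wk!", "ilikecyclingtomydhb")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new) or 'OK'}")
```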

I can’t resist sharing this with you. https://www.youtube.com/watch?v=aHaBH4LqGsI Michael MacIntyre on passwords.

10 Likes

@KarenDay so hilarious, I too was about to post that! It came up on my Facebook feed last night and I had a good google. It’s too true!!!
@NathanK great post!

2 Likes

CDHB now allow 16-digit non-expiring passwords which is great.

Azure AD with device biometric 2FA is pretty slick too. CCDHB have rolled that out for external webmail access. It’d be fantastic to see it working for any AD authenticated internal apps too though.

2 Likes

On a related note to changing passwords - is there any systematically collected empiric data showing that, in the context of a setup like CDHB’s (with firewall system requiring 2FA etc), long + strong + unique passwords reduces the risk of data breaches, compared with e.g. 4 character password?

The wider issue is that to be in the green zone, it’s outside the cognitive load of most individuals who are too busy to remember.

The use of AI, and selective brute force tactics using dark web data repository dumps of existing passwords will pretty much make password combinations redundant. Green zone ones, matched against data dumps will render a smarter complexity of passwords able to be cracked in minutes.

The only alternative in reality is MFA combined with passwords. Passwords get you entry steps into system, MFA to ensure you have rights to do extra stuff .

I just so love this, thanks!!! I am appreciating apple reminding me to make my passwords more complicated and enjoy making nonsense phrases… definitely the password solution for me!

I laughed so hard… thanks for sharing, a perfect antidote to my Friday

3 Likes

@BeckyGeorge @darren.douglass does the MOH have a view on this? I am told that standards we are told to comply to as a DHB say regular changes rather than complexity…

The Health Information Security Framework sets out policy requirements for access control, recognising that each healthcare organisation is different.
The framework states the following requirement for use in organisational Access Control Policies (page 37).

• enforcement of passwords to a required complexity level based on the risk profile of the users and the information they have access to

https://www.health.govt.nz/system/files/documents/publications/health-information-security-framework-dec2015.docx

1 Like

The December 2015 date on that document attests to the fact that it might be time for an update! This is especially the case in the wake of the Waikato ransomware event.

And in the absence of stronger health-specific guidance, it would seem that NZ-based health organisations would be wise to rely on the CERT NZ password advice.

@shayne.hunter and @alastairk - can you offer any further thoughts on this?

1 Like

We had a good debate about this the other day. The points discussed:

  • audits to compliance still recommend regular changes
  • will people that log on continuously really want to be putting in a long complex password each time
  • if you don’t change your password and you have any small breach that password stays out there on the dark Web increasing compromise risk
  • prediction that passwords are so easy to breach right now is this about safety or convenience

So we are meant to be clinical experts in data as well as digital. I’d love to hear of any audits showing the 2 options and measures…

What audits do you refer to, Alex?

The other points are solid concerns, but are pretty well addressed in the CERT NZ, UK, and NIST advice. In summary:

  1. Long is generally better than complex. ilikecyclingtomydhb is ‘green zone’ while Iride2wk! is ‘red zone’ as per Techie Girl from @derek.b’s post.
  2. A password manager can enable you to be in the green with minimal effort
  3. Multi-factor authentication (if done well) clearly improves protection - especially if the password is on the dark web
  4. Safety and convenience are both achievable. At the moment I fear that we have neither in most health organisations in Aotearoa New Zealand.
3 Likes

A late reply to this thread:

  1. The HISF is in the process of being updated to be more of a practical toolkit than a framework. I agree with @NathanK that the current HISF is a bit long in the tooth and that will be addressed through that update.
  2. The CERT NZ password advice is sound.
2 Likes

Hi all. An update on how this thread led to change today. I used this thread to lead in to a discussion that has today led to our DHB agreeing to change its password policy. The things that helped? The logical arguments, links to solid information on policies, and the endorsement by @darren.douglass. Thank you all, your contributions on this thread are about to make the lives of a lot of clinicians a lot, lot easier…

5 Likes

Really interesting to read this thread in my ongoing quest to be better informed.

I actually sent some early thread info on this topic to my employing DHB IT dept yesterday as an FYI.

Great to read that (the other) Alex has used this info to get an agreement for our DHB to change its password policy

The professional world we inhabit has an apparent abundance of expertise and evidence. As a practicing clinician it is encouraging to see examples of this being distilled into actual change.

2 Likes

Thanks other Alex. Yup. Took a while but we got there!

A

I’ve just had some correspondence from one of the larger private hospital groups which shows some encouraging (albeit only partial) shift in the right direction on this front:

Previously, specialists who were users at ********** were required to change their passwords every six months. From today, you will only be required to update your password every 12 months.

There is no need for you to do anything immediately, however when ******** next prompts you to update your password, your new password must:

  • Be at least 8 characters in length
  • Include a lower case letter, an upper case letter, a special character and a numeral
  • Not have been previously used

If you are in a position to influence the password policy at your organisation, remember that:

1 Like

Updated advice from Cert NZ, on their new helper website:

The gist seems unchanged, but it has just been reformatted / prettied up and hosted there instead.

MFA can make life very difficult for users unfortunately (especially patients with cognitive impairments or other disabilities). Perhaps there is a conflict of interest between organisations who want password changes, MFA, etc. to compensate for insecure/outdated systems and users who want to use a single memorable password and trust their organisation to secure their systems.

Logging in to anything is becoming ridiculous from a usability point of view. I’m 100% sure users will have to supply a username, password, PIN, text-message, auth app and physical key for everything soon because banks, governments, hospitals, etc. can’t secure their systems. It will take 10-15 mins to log into anything.

If you ever change your phone number, lose your key or your password, etc. you are in for a world of difficulty getting set up again!

1 Like

Quite right @chris.paton
In healthcare we rely on empiric and mechanistic data to support what we do. Has anyone seen empiric data showing that these password policies (which have non-trivial associated costs for clinicians) lead to improved outcomes for patients, or at least clinical workflows (e.g. that these password policies are associated with reduced workflow interruptions resulting from access by malicious parties)?