Volume 34 Number 8
[Don't Get Me Started]
Change of Plan
By David S. Platt | August 2019
Pigs are flying. Hell is freezing over. And Microsoft is telling users they don’t need to periodically change their passwords anymore.
That sounds surprising, considering all the harangues we’ve received over the years about diligently performing password changes. But it’s true. Aaron Margosis described on the Microsoft Security Guidance blog (bit.ly/2Lq4jUB) how the security baseline for Windows 10 and Windows Server is being changed, stating that Microsoft is “Dropping the password-expiration policies that require periodic password changes.” Holy Toledo.
Margosis explains: “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.” He continues with a thoughtful discussion of the costs of periodic password expirations versus the marginal security gain from them. I especially admire how Margosis puts himself in the shoes of his human users, instead of hoping, futilely, that they’ll morph into something more logical. I urge you to read the entire piece.
He’s wrong about one thing, though. Users don’t use that shortcut “too often.” Every single person I’ve ever asked admits to doing it every single time. That’s what happens when you exceed a user’s “hassle budget,” which I discussed in my April 2013 column (msdn.com/magazine/dn166939.aspx).
It’s about time we got rid of periodic resets. They’re not benign. For a brutal description of the deadly consequences of too-frequent password resets, read the last chapter of “Do No Harm: Stories of Life, Death and Brain Surgery,” by English neurosurgeon Henry Marsh (St. Martin’s Press, 2014). It should be required reading for all security architects.
I’m glad to see Microsoft implementing ideas from what I’ve named the Rational Security Movement. I’ve been advocating this since at least 2003, in my newsletter at bit.ly/2xiK6I7 (which also announced the birth of my daughter Lucy, who will probably have her driver’s license by the time you read this). Bruce Schneier wrote about balancing effort versus return in his excellent book, “Beyond Fear: Thinking Sensibly About Security in an Uncertain World” (Copernicus Books, 2003). And Cormac Herley, of Microsoft Research, examined how users make those tradeoffs in a superb paper entitled, “So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” (bit.ly/2LzdySL). In it, Herley decries “the profound irony that much security advice, not only does more harm than good (and hence is rejected), but does more harm than the attacks it seeks to prevent, and fails to do so only because users ignore it.”
These changes happen slowly, though. I attended a Harvard lecture given by Lorrie Cranor, a professor at Carnegie Mellon who studies the uneasy coexistence of security and usability (check out the video at bit.ly/2xfmV1t). She was then a visiting scholar at the U.S. Department of Commerce, at which she had to use six separate systems, with separate login credentials. She managed to convince the administrators of two of those systems that password resets were not cost-effective, but despite her research on the topic (see bit.ly/2RFKz0v), she couldn’t convince the others. She didn’t tell us, but I’ll bet you anything that she just bumped up the last digit of her expired password on those systems, like everyone else in the universe.
I’m wondering when and if this change will work its way into Microsoft’s internal systems. My friends there say that so far it hasn’t. But interestingly, most of them said, “I hardly ever use my password to log in anymore. I just use the camera on my laptop.” By this they mean Windows Hello, which authenticates users via facial recognition. As I’ve always said: Users are lazy, a natural and inevitable consequence of being human. (See my very first column, msdn.com/magazine/ee309884.) If you make something easier to do, people will jump on it. (In their haste, surrendering their biometric data without worrying about privacy, but that’s a topic for another day.)
I’m as human as anyone else. I’m going to make sure my next laptop has a camera that supports it, so I can stop using passwords, too.
David S. Platt teaches programming .NET at Harvard University Extension School and at companies all over the world. He’s the author of 11 programming books, including “Why Software Sucks” (Addison-Wesley Professional, 2006) and “Introducing Microsoft .NET” (Microsoft Press, 2002). Microsoft named him a Software Legend in 2002. He wonders whether he should have taped down two of his daughter’s fingers so she would learn how to count in octal. You can contact him at rollthunder.com.