A quick Google search on password compliance will turn up any number of articles on specific regulatory requirements, best practices and industry standards. The National Institute of Standards and Technology (NIST) has a 40 page offering on Password Management and Recommendations (NIST 800-18 Draft), and there are numerous regulatory guidelines for SOX, PCI-DSS, HIPAA, GLBA, and CJIS with each one offering their own specific aspects of what is required for compliance. It’s not too much of a stretch to say that almost all IT professionals understand the foundations of good password management and compliance. Elements like password length, complexity, and strength are all common components of compliance - and the backbone of a good password policy - but one aspect of this compliance is often underrated: the password expiration policy.
Regulations are great at setting the expectations and “rules-of-the-road” when it comes to writing, implementing and incorporating best practices into your policies and procedures, but they don’t often do a very good job at anticipating and reacting to human behavior when it comes to compliance and doing the right thing.
As an organization, you can decide to set the bar very high with regards to your internal policies - including your password expiration policy and the like - to make sure that they easily exceed regulatory expectations. While there is merit in this approach in that you make every compliance auditor as happy as possible, you need to be keenly aware of some of the unintended consequences that a stringent password policy can engender.
Password Expiration Policy - Will They/Won't They
Many IT professionals would argue that policy compliance and policy efficacy can sometimes be at odds, especially where the password expiration policy is concerned. There is a growing school of thought that an overly aggressive password expiration policy can actually weaken the efficacy and strength of a user’s passwords as a result of password fatigue.
The constant setting, resetting, and syncing of passwords can oftentimes drive bad behavior as end users struggle to remember their latest changes. Frustration and lack of productivity (while waiting for a password reset) can oftentimes lead to poor practices, such as writing down passwords on a sticky note, using the same password across multiple systems, or even seeking their own solutions outside of the company's sanctioned software list (e.g. having their work email forwarded to a personal Gmail account).
Another consideration is from an IT helpdesk perspective. An overly aggressive password expiration policy can lead to increased call center volumes as more and more end users seek manual password resets. There is a fine line between compliance and over compliance that can lead directly to a suboptimal user experience and an increase in helpdesk costs.
Compiled using data that was pulled together via Gartner, Forrester, and the META Group, the following table represents a possible cost scenario if a company were to experience just two (2) additional password related helpdesk calls a year, on average. The focus of this table lies on the average number of yearly helpdesk calls, those calls directly related to password resets, and the average cost per call. With this information, you can quickly calculate the potential cost impact of being overly aggressive with regards to your password expiration policy.
Words from the Wise - Reading the Data
My old college statistics professor used to love to tell us: “Figures lie and liars figure…” which was his way of grounding our minds in the world of reality. He always cautioned us to apply some common sense when it came to telling a story with just data and statistics. All these years later, I still carry that lesson with me and recognize that real world experiences often color the black and white world of data.
Some folks in the IT and finance world could make the argument that the $45k that we just calculated is “soft” and/or “sunk” cost, as it assumes that helpdesk personnel are already being paid a salary and they are employed specifically to help users deal with day-to-day issues like password resets. They have to do something while they’re on the clock, right?
These same folks might also posit that these calculations only work if you accept the premise that the helpdesk agents are always at full capacity: working 60 minutes of every hour. As such, these additional calls would lead to overtime cost or hiring more associates.
From a practical application I can agree with that. In my example, maybe $45k is the worst case scenario, but knowing that, I would also apply some logic and say that even if I was only correct by half, my estimate would still show a yearly expense well north of $20k. This doesn’t even factor in the lost productivity being experienced by the end user who happens to be waiting for help.
The Password Expiration Policy - Bottom Line
With regards to password policies and best practices, there is no “one size fits all” recommendation. As we noted above, the industry regulatory guidelines don’t always consistently sync-up. The more you read out in the blogosphere, the more opinions – not to mention confusion - you get. Our recommendation is that if your policies dictate stringent adherence to having your users regularly change their passwords, try to give them the tools that will make them successful and drive proper behavior. Perhaps give them a method for resetting the password that does't involve the helpdesk at all.
The NIST’s 800-118 guide on password management does a very good job of outlining the different types of software tools available to organizations that can help them implement a strong authentication solution. These tools go a long way towards establishing an optimal user experience, while maintaining policy and regulatory compliance alongside digital asset protection.
In the NIST guide, they break down the usefulness, strengths and weaknesses of password management technologies like single sign-on (SSO), self-service password management (SSPR) and password vaults (skip to Table 4-1 of the publication to get the details). At the end of the day, it all comes down to your organization: what numbers mean the most to you, and what solutions are out there that can take the nightmare and expense out of something as trivial as your password expiration policy?
Don't worry, we're happy to help!