Password Expiration Insanity | Dale Sanders | Healthcare Blogs Skip to content Skip to navigation

Password Expiration Insanity

February 19, 2009
| Reprints
Password expiration frequency has almost nothing to do with greater security

My password to a significant NIH funded program, whose program name shall be veiled so that I can rant without repent, is required to change every 60 days. Participation in the program is meant to stimulate collaboration and the spreading of goodwill among other goodwill spreaders, but its password management policies make me want to leap out my office window. Rather than doing that and creating a traffic jam on East Huron Street below, I’ll choose not to reset my password and thus end my collaboration in the program. Truth is, I have no fantasies that lack of participation will at all be noticed, but it gives me some sense of rebellious satisfaction to poke at that windmill anyway.

If anyone should be conservative about password management and reset frequency, you’d think it would be me. I was soaked in the waters of information security from the beginning of my career as an information systems officer for the Air Force in the Strategic Air Command. SAC’s motto was, “To err is human, but to forgive is not SAC policy.” Later, as civilian hired spooks for the National Security Agency, our team was responsible for dreaming dreams of every bizarre kind to hack into the command and control systems of the US nuclear weapons arsenal. One night, just to prove a point, we hacked the Joint Chiefs of Staff Alerting Network (JCSAN) from a payphone at Gilmore Lake Tavern in Bellevue, Nebraska and handed the phone to one of the waitresses. NSA renewed our contract. Everything professionally since those days has been pretty boring, frankly.

My point is: Password expiration frequency has almost nothing to do with greater security. The greater the frequency of change, the more likely people are going to store their passwords in non-secure ways, like sticky notes on their desks, or share passwords. We (IT and Informatics types) are driving our physicians and operations staff insane with password changes, and for no good reason, other than everyone else does it so therefore it must be a best practice. Caution: The best practice in front of you is actually the backend of a lemming.

The essential tenants to password management and effectiveness are, in order of importance:

· Account Activation and Termination: Clearly verifying and authenticating user identity and access rights is fundamental, as Yahoo discovered with Sarah Palin’s email account. Likewise, rapid and effective means for terminating accounts and resetting passwords is mandatory. This frequently boils down to an issue of simple coordination with Human Resources.

· Complexity: No brainer. Secure passwords should be a mixture of letters, spaces, special characters, case, and at least six characters long; preferably eight. Force your users to use a complex password, but then let them keep it forever and use it everywhere. And for gawd sake, change the default system passwords that come with installation of everything from software to network switches. “CHANGEONINSTALL” is pretty easy to hack.

· Limited Try Lockout: After five or six failed attempts, lock the account and force an alternate secure path to reset it. This is not to be confused with Limited Try Timeout, which expires a countdown timer between failed attempts to login. A timeout is better than nothing, but not nearly as effective as a full lockout.

· Auditing: Proactive audits of system logs, intrusion detection systems, and access control logs are a must. If your Security Managers aren’t checking and auditing for odd activity every morning, right after they brush their teeth, they should stop brushing their teeth and the check audit logs, first. Or... maybe they should brush their teeth with the audit logs…. Brilliant!

Put high frequency password expiration where it belongs-- in the backend of a lemming-- not on the backs of your physicians, nurses, and support staff.



Absolutely right! I hadn't really thought it out, but, of course, you are right. The password change requirement results in less security rather than more.

I have taken to using RoboForm with a complex but memorable master password, and its password generator to create obscure passwords for individual accounts. Robo saves those for me, so I don't have to remember them. It is the first thing I install on a new computer.

 Dale, I feel for you I'm the worst! (Or close, anyway) The other day I needed to use my alumni account to look something up in an online computer database and ended up having to e-mail the support desk to reset it. Well, that is, until I deleted the e-mail message with my new password. I would LOVE if I only had one code to wrap my head around (which needs a bit more coffee to function). It would be safer and more efficient, and I say that as a neurotic, paranoid person (who's to say they are not out to get you?) who is always afraid of giving out codes, but it's too much already. I can't take it!!


Common sense and experience make for a powerful combination. This post is instructive in its content, and as an example of accurately understanding and including human behavior as a dimension of the problem domain in a problem solving process. Thanks for the great post.

Nice posting, Dale.

Ever since I had a notebook computer stolen in 2007, I've hardened my personal approach to passwords. I use the acronyms of intentionally bizarre, made-up phrases, combined with equally bizarre numeric strings with special characters to make these passwords memorable.

I'm also using a lot more encrypted volumes, so that theft and drive failure no longer leaving me feeling naked and powerless. Great! So now I'm clothed and powerful.  Well, at least I'm clothed.

I've been using 'Encryption Anywhere' to keep my hard drive scrambled. That requires another lemming-esque process. We're on a "90-day password change required " policy. When I change my network/LDAP/VPN/mail/everything password, the Encryption Anywhere software has to detect the change and update it's knowledge of my password.  Unlike the normal propagation of passwords, the trigger for the change has to occur on the notebook computer itself.  So, If I change my password, say from a home desktop computer using Outlook Web Access, the notebook computer (which may not even be running) will stay with the old password.

About twice a year, this password change detection process fails.   It happens days after the password change. Occasionally, I get back to the notebook weeks later.  So, I'd have to remember both multiple passwords, and my device specific workflow relative to the password change date to figure out which password must be the correct one**.  That forces me to maintain a log of passwords, so that I can skip back to a previous password reliably.   As you pointed out, I might as well use the password "password" and write it on the computer.

I do keep that log on a different system that doesn't use Encryption Anywhere and the log is stored on an encrypted drive with a non-changing password. The whole process is too complex to describe so it's probably pretty secure. After having had my notebook stolen, though, this process seems perfectly worthwhile to me.


** The password has become three-dimensional, as the correct password selection depends on the knowledge of several passwords, and knowledge of the device usage pattern.  Obviously, it's too much to ask of mortals.   ... so we dont ask them.

I was speaking with Lindsey Jarrell at BayCare yesterday about his experience using biometrics (palm vein scanning) to identify patients throughout his System. It is so successful for the hospitals and such a hit with the patients, the obvious next step is to use it as authentication for staff. No passwords to remember, no log in, no stolen identity, your palm vein placed on a cradle and that's it, safe secure and easy. I wish I could use that to get onto my laptop. I have given up on security, just use the same easy password always, and ask the help desk to overide the re-set constraints so I can use the same one over and over. Then again, I never lock my front door at home either.