Password expiration sucks!

Just a few moments ago, I was trying to commit a minor fix to the NBD subversion repository. However, suddenly the server refused my commit; the password which I knew to be right wasn't working. So I loaded SourceForge.net in my browser and went to the admin link there to find out whether I had perhaps fucked up my own commit rights. I've been known to do that before. Doing so of course required me to log in.

Which revealed the problem that was causing this in the first place: apparently my password had expired. I had been using the very same password for ages, but for some reason unknown to me, SourceForge has now decided that they want to introduce password expiry.

Of course, good password management is very important if you want to avoid issues with people stealing your passwords. For that reason, I usually generate my passwords with pwgen -s 15, which generates passwords that are impossible to guess. One example of an actual password that I have used in the past (but that I do not have in use in any other system anymore today) is qChjZeWIbSDGON/. The hard part is, probably, to memorize that; for that, I have a pretty simple method: I enter 'gpg -o ~/foo' and enter my new password. Then I pick out some random .jpg file somewhere on my hard disk, and append the gpg output to that file. It is usually still possible to view the file in a viewer with that extra data added to it; in my experience, most image viewers will display everything in a JPEG up to the point where it becomes corrupt, which in this case is the whole image, since the appended data sits after the end-of-image marker. As such, if you don't know which file it is, and you don't know my GPG password, chances are low that you'll find it and steal my login data. Additionally, of course, the .jpg file is either removed or restored to its original state once I have memorized the password, and finally I also update my GPG key and the password of the system that contained the file with the encrypted password to use the same new password, so the chances of someone stealing it get even lower.
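As an added example that is not part of the original post, the Python below models the "append the gpg output to a .jpg" step so that it can be run offline: the photo and the gpg output are constructed byte strings standing in for real files, and gpg itself is not invoked. It also shows two things worth knowing before relying on the trick. Getting the blob back out should walk the JPEG's marker structure rather than search backwards for the last FF D9 pair, because ciphertext can contain those two bytes; and a scan over every .jpg on a disk for bytes past the end-of-image marker finds such files quickly, so the real protection is the GPG passphrase, not the choice of file.

```python
"""Appending a secret after a JPEG's end-of-image marker, and getting it back.

Added example, not code from the original post. The "secret" is a constructed
byte string standing in for the output of `gpg -o ~/foo`, and the "photo" is a
constructed minimal JPEG rather than a file from disk. The marker walk (SOI,
marker segments, SOS entropy-coded data, EOI) follows ITU T.81 and is what lets
the code find the real end of the image even when the secret contains FF D9.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA

# Constructed stand-in for a real photo: just enough marker structure for the
# walker below. A viewer would not render it (no SOF/DQT/DHT segments), which
# does not matter for demonstrating where the image data ends.
SAMPLE_JPEG = (
    b"\xff\xd8"                                             # SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big")                 # APP0, length 16
    + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big")                  # SOS, length 8
    + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"                               # scan data with a stuffed 0xFF
    + b"\xff\xd9"                                           # EOI
)

# Constructed stand-in for the gpg output. It deliberately contains FF D9 so
# that "cut at the last EOI marker" gives the wrong answer.
SAMPLE_PAYLOAD = b"\x85\x02\x0c\x03\x08\xff\xd9\x00pretend-gpg-ciphertext"


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the marker segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte, the marker follows
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in (SOI, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == SOS:
            # Entropy-coded data: skip until a marker that is neither a
            # stuffed 0xFF (FF 00) nor a restart marker (FF D0..D7).
            while True:
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= len(data):
                    raise ValueError("scan data runs off the end of the file")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
                    pos = idx + 1
                    continue
                pos = idx
                break
    raise ValueError("no EOI marker found")


def hide_after_image(jpeg: bytes, payload: bytes) -> bytes:
    """Equivalent of `cat ~/foo >> photo.jpg`: the image bytes stay untouched."""
    if jpeg_end_offset(jpeg) != len(jpeg):
        raise ValueError("JPEG already carries trailing data")
    return jpeg + payload


def split_trailing_data(data: bytes) -> tuple[bytes, bytes]:
    """Recover (image, payload); a viewer stops where the first part ends."""
    end = jpeg_end_offset(data)
    return data[:end], data[end:]


def naive_split(data: bytes) -> tuple[bytes, bytes]:
    """The tempting shortcut: cut at the last FF D9. Wrong whenever the
    payload contains that byte pair, which random-looking ciphertext may."""
    end = data.rfind(b"\xff\xd9") + 2
    return data[:end], data[end:]


def has_trailing_data(data: bytes) -> bool:
    """The check anyone auditing a disk would run over every *.jpg: any bytes
    past EOI mean the file carries extra content."""
    return jpeg_end_offset(data) < len(data)


if __name__ == "__main__":
    stashed = hide_after_image(SAMPLE_JPEG, SAMPLE_PAYLOAD)
    image, secret = split_trailing_data(stashed)
    print("trailing data present:", has_trailing_data(stashed))
    print("structure walk recovers payload:", secret == SAMPLE_PAYLOAD)
    print("rfind shortcut recovers payload:", naive_split(stashed)[1] == SAMPLE_PAYLOAD)
```

In the real pipeline, `hide_after_image` is the `cat ~/foo >> photo.jpg` step; `split_trailing_data` is what you would use to get the blob back instead of guessing a byte offset, and `has_trailing_data` is the one-liner that shows why the hiding place adds little on top of the GPG encryption.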

However, even with this method, it still takes me a few days or weeks to memorize it. Also, synchronizing the new password to all the systems and websites on which I have an account takes a while. For that reason, I prefer not to do it too often.

In that light, it is slightly problematic to have an account on a system that has a password expiration policy in force, because a) it makes it impossible for me to use the highly secure passwords that I use "everywhere else" on these expiration-using systems, and b) the average expiration policy is 2 months, which makes it impractical for me to generate secure passwords for these sites as well (by the time I have memorized the new password, we're already at least halfway through the two months if I use that password fairly regularly, and the period may even be too short altogether if I don't use it regularly).

The result of the above is that password expiration policies, in my case, force me to use less secure passwords that I'm sure I can remember: old passwords which I used before I had a GPG key or had learned about pwgen. I still use those on websites that require me to enter a password but which I do not trust to handle my passwords in a secure manner; I don't want to give these sites the password to unlock my gpg key, for example. The problem with these passwords is that they are easy to guess; they're usually not some unintelligible bit of random letters, but six to eight characters that actually have a meaning.

In fairness, I did have one of those old and insecure passwords in use at SourceForge, because I indeed didn't trust them with my secure passwords. If they base their password expiration policy on the strength of the password, then this whole blog post should be ignored.

But in general, it is my point that password expiration policies do not improve security at all. They force people to use passwords that they can quickly memorize (otherwise they would be memorizing new passwords all the time), and they give people who usually pick easy-to-guess passwords no incentive to pick better, harder-to-guess passwords. On the contrary, in fact.

Password expiration policies suck.