The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Mandatory password updates are passe


Welcome to The Cybersecurity 202! Spy agencies have befuddled me with their social media interaction in the last couple days, but I can’t get Acoustic Kitty out of my head, so, thanks, spy agencies? Reminder that under our abbreviated August schedule, we’ll see you next on Tuesday.

Below: The FTC threatened to sue an adtech firm over health-care location data, and Cellebrite and Israeli authorities come under pressure after a lawyer accuses the firm of selling phone extraction technology to Uganda. We’ve also got exclusive news on a personnel move.

Is your organization still mandating regular password changes? Most experts say it shouldn’t be.

Last month, Microsoft reminded tech administrators for its 365 product line — which includes programs such as Word and Skype — that they shouldn’t impose requirements for users to regularly update passwords.

“Password expiration requirements do more harm than good,” the July 29 memo said.

But depending on where you work, you might still have to change your password, say, every month or every few months. And if you search the web for how often you should change your passwords, an awful lot of the top results will say that you should change them frequently.

So which is it?

Much of the institutional wisdom today dictates that regularly rotating passwords is a vestigial leftover of a bygone mentality, one that contradicts modern thinking and research. While the idea of frequently rotating passwords might sound like good security on the surface, in fact it backfires for a few simple reasons.

“Most people, if they know they're going to have to change their password on a regular basis, they will pick a relatively weaker password and use a pattern for how they change it,” Lorrie Cranor, director of CyLab Security and Privacy Institute at Carnegie Mellon University, told me. And weaker passwords that are easy to predict are catnip for malicious hackers.

During a stint at the Federal Trade Commission, Cranor urged a rethinking of mandatory password changes — all the way back in 2016.

What changed?

A landmark shift in thinking occurred in 2017, when the National Institute of Standards and Technology, in Special Publication 800-63B, reversed its 2004 recommendation that passwords expire after 90 days and advised that users not be forced to change passwords on a schedule at all. Microsoft dropped its own password expiration rules from its Windows security baselines in 2019.

It’s not that you should never change your passwords; it makes sense, all agree, to do so when you know they’ve been compromised.

But humans are atrocious at passwords, for the most part. “123456” is regularly the most common password in any given year, and people who change their passwords when forced to do so tend to do the bare minimum, like changing one number.

“When you have an expiration rule … they become so predictable,” Alex Weinert, director of identity security at Microsoft, told me. 
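As an added illustration (this is example code written for this edit, not anything from Microsoft, NIST or the experts quoted above), here are the two checks a verifier can run instead of an expiry clock: reject a new password that is a predictable mutation of the old one (the trailing-number bump and case flip described above), and reject one that appears in a breach corpus, which is the "change it when you know it's compromised" rule automated. The breach lookup follows the k-anonymity protocol used by Have I Been Pwned's range API (only the first five hex characters of the SHA-1 hash leave the client); the breach corpus, its counts, the edit-distance threshold of 2 and the policy strings are constructed for this example.

```python
import hashlib
import re

# --- Trivial-rotation detection -------------------------------------------
# The pattern the article describes: "Summer2023!" -> "Summer2024!", a case
# flip, or a one-character tweak. An attacker holding one old password from a
# breach dump tries exactly these mutations first, so rotation buys nothing.

def _core(pw: str) -> str:
    """Lower-case the password and strip any trailing digits/punctuation."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is a predictable mutation of `old`."""
    if new.lower() == old.lower():            # unchanged, or case flip only
        return True
    core_old, core_new = _core(old), _core(new)
    if core_old and core_old == core_new:     # only the trailing number/symbol moved
        return True
    # Threshold of 2 is this example's choice: one or two characters tweaked.
    return _levenshtein(old.lower(), new.lower()) <= 2

# --- k-anonymity breach lookup --------------------------------------------
# Have I Been Pwned's "range" API: the client sends only the first 5 hex chars
# of SHA-1(password); the server returns every suffix it knows with that prefix
# plus a breach count. The server never sees the password or its full hash.
# CONSTRUCTED corpus and counts, standing in for the real API so this runs offline.
_CONSTRUCTED_BREACH_COUNTS = {
    "123456": 37_359_195,
    "password": 9_545_824,
    "Summer2023!": 412,
}

def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

def constructed_range_query(prefix: str) -> list:
    """Server side of the protocol, answered from the constructed corpus."""
    out = []
    for pw, count in _CONSTRUCTED_BREACH_COUNTS.items():
        h = _sha1_hex(pw)
        if h.startswith(prefix):
            out.append((h[5:], count))       # suffix only, never the password
    return out

def breach_count(pw: str, range_query=constructed_range_query) -> int:
    """Client side: send the 5-char prefix, match the full suffix locally."""
    h = _sha1_hex(pw)
    prefix, suffix = h[:5], h[5:]
    for cand_suffix, count in range_query(prefix):
        if cand_suffix == suffix:
            return count
    return 0

# --- Policy: what to check at change time instead of on a calendar ---------
def evaluate_password_change(old: str, new: str) -> str:
    if is_trivial_rotation(old, new):
        return "reject: predictable variation of the previous password"
    n = breach_count(new)
    if n:
        return f"reject: found in {n} breached accounts"
    return "accept"

if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Summer2023!", "summer2023!"),
                     ("Summer2023!", "123456"),
                     ("Summer2023!", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {evaluate_password_change(old, new)}")
```

In production the `range_query` argument would be an HTTPS call to the real range endpoint; keeping it injectable is what lets the protocol be exercised offline here. Note that the rotation check needs the previous password (or a keyed hash of it) at change time only, which a verifier already has in hand during a reset flow.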

The cybersecurity community’s view that regularly changing passwords is passe might now be commonplace, but it isn’t unanimous. Darren Guccione, CEO of Keeper Security, told me that he favors a 90-day expiration for people who don’t use password managers.

“Most people have no idea whatsoever or visibility into the dark web,” he said, noting that's the case despite companies like Google and Apple sending alerts to users when their passwords are known to have been compromised. “The majority of individuals that I’m speaking about, greater than 90 percent, will not know in real time if there’s a dark web threat that’s targeting any of their online accounts and that’s the biggest issue.”

It’s not entirely clear how many organizations still require frequent password updates. One 2021 survey determined that approximately one-third of organizations do. Anecdotally, many of the cyber analysts we spoke to said they’ve seen a general decline over the years.

The persistence of mandates has a few root causes.

Organizations’ information technology pros hold onto the notion that “nobody gets in trouble for having more layers of security,” Cranor said.

“I think people are worried, ‘Oh, if there's a security breach, and I'm not doing all the things that other people are doing, I could get in trouble as a security administrator, and so if other people are doing it, therefore I should do it, too,’” she said.

Weinert said “it's natural for people to be cautious” about abandoning password expiration policies under the pressure of small staffs, small budgets, plentiful attacks and compliance regulations.

What matters more

Those experts were unanimous, however, on the notion that password managers and multi-factor authentication are key to password security.

The problem is, those technologies present their own obstacles. Many organizations don’t provide password managers to their employees, Lisa Plaggemier, executive director of the nonprofit National Cybersecurity Alliance, told me.

An alliance survey last year found distrust of password managers. Plaggemier said distrust likely stems from early industry foibles — for instance, LastPass had its lone cybersecurity incident in 2015, and its encrypted vaults weren’t compromised — and consumer fears of placing a host of passwords in the hands of one master password.

It’s misplaced, she said, especially since multi-factor authentication — where users enter their password, then verify their identity by a second method, such as a code sent to their mobile phone — adds a second layer of protection on top of the master password.

Of course, nothing’s perfect. There’s user annoyance and fatigue toward multi-factor authentication, too. And a code sent by text message is the weakest second factor, since anyone who can take over the phone number or the SMS provider can receive it (the Signal account takeover described below is an example); an authenticator app or a hardware security key is the stronger choice.

The keys

FTC threatened to sue adtech firm revealing sensitive medical visits, company says

Idaho-based Kochava revealed the threat by the Federal Trade Commission in a lawsuit arguing that the FTC “wrongfully alleges” that Kochava is violating consumer protection laws, Cat Zakrzewski reports. The agency’s proposed complaint against the firm argues that the company is violating laws prohibiting “unfair or deceptive practices” by letting clients license data from mobile devices that could be used to identify people and track their medical visits.

The action comes in the wake of the Supreme Court’s decision to overturn Roe v. Wade in June. It also comes as privacy advocates warn that people’s digital trails could be used as evidence that they committed a crime.

Kochava, which said it received a proposed complaint from the FTC “in or about July and August,” blasted the action. “This is a manipulative attempt by the FTC to give the appearance that it is protecting consumer privacy despite being based on completely false pretenses,” Brian Cox, the general manager of the Kochava Collective, the company’s data marketplace, told The Post in a statement. The FTC declined to comment. 

Cellebrite allegedly sold phone extraction technology to Uganda

Israeli human rights lawyer Eitay Mack found that the Israeli company had supplied its tool for extracting cellphone data to Uganda’s police, Haaretz’s Oded Yaron reports. In a letter that Mack sent to Cellebrite and Israel’s Defense Ministry, human rights activists are calling for sales to be halted to Uganda, which has been ruled by President Yoweri Museveni for more than three decades. The sales to Uganda raise questions about the spread of the technology and the safeguards on its proliferation, as human rights groups have reported cases of abuses by Ugandan officials, including police. Cellebrite's tools can extract data from password-locked phones. The company has come under fire in the past for how its tools have been used by repressive governments.

“The meaning of the hacking of cellular phones in Uganda could be abduction, extortion, torture, execution without trial, disappearing and denial of liberty without a fair legal proceeding, for citizens who have cellphones, and also for their friends and relatives,” Mack wrote.

  • Cellebrite said it “is committed to its mission of creating a safer world through providing solutions to law enforcement organizations while ensuring legal and ethical use of its products. … We have developed strict means of oversight that will ensure proper use of our technology in the context of investigations carried out under the law,” Haaretz reported.
  • Israel’s Defense Ministry told Haaretz that it doesn’t disclose information about its policy for exporting such tools.

Hacker briefly took over a journalist’s Signal account

Hackers were able to send and receive Signal messages from Motherboard journalist Lorenzo Franceschi-Bicchierai’s phone number for around 13 hours this month, Franceschi-Bicchierai writes. Signal said the hackers targeted around 1,900 users of the encrypted messaging app after breaching Twilio, the communications service Signal uses to send SMS phone-number verification codes; with access to those codes, the attackers could register a victim's number on a device they controlled.

“We are discussing that I was a victim of this attack to be transparent, and to alert anyone who may have chatted with me in those 13 hours that they were not talking to me, but hackers impersonating me,” Franceschi-Bicchierai writes. He’s calling on anyone who spoke with him in that 13-hour period to contact him so he can find out what they spoke about.

On the move

CISA’s Corman joins Claroty

Joshua Corman, most recently chief strategist of the Cybersecurity and Infrastructure Security Agency’s covid task force, is joining cybersecurity firm Claroty, a move first shared with The Cybersecurity 202.

Besides the task force, Corman worked on CISA's “Bad Practices” list for critical organizations and is known as the founder of I Am the Cavalry, a grass-roots digital safety initiative. At Claroty, which specializes in the intersection of cyber and physical security, he'll serve as vice president of cyber safety strategy.

Corman told me he left CISA convinced that the covid task force reduced the pandemic's death toll, and that with the Bad Practices list, “we enabled, potentially, a de facto definition of what negligence might look like” for insurance and regulatory purposes. Yet he also thought the task force ended too early in January, and said that CISA's work is sometimes still inhibited by cross-agency turf battles.

Securing the ballot

Missouri man indicted after threatening voicemail was left for Maricopa County Recorder (Arizona Republic)

Privacy patch

Period-tracking apps won’t say whether they’ll hand your data over to cops (Vice News)

Cyber insecurity

Apple security updates fix 2 zero-days used to hack iPhones, Macs (Bleeping Computer)

Global cyberspace

Fortinet: Use of wipers expanding beyond Ukraine to 24 countries (The Record)

Government scan

DOE invests $45 million in cyber technology that protects power sector (The Hill)

Secure log off

Thanks for reading. See you next week.