I do a little bit of work for a friend on the side every now and then. He has a small online store set up with a credit card processor to handle processing payments for his credit cards. Every so often if he hasn’t gotten orders in a few days, he gets a bit antsy and asks me to log in and check to be sure no orders have gotten through without him getting an alert. Dutifully, I do this, as it usually only takes me about 30 seconds to make sure everything is working - as it always is.
However, a few months ago I tried to log into his virtual terminal account, I was treated to a ominous warning, informing me that my password had “expired” and asking me to enter my password again, as well as selecting a new password. I had never seen that before, so I checked to make sure I was logging into the right site and had not somehow managed to fall for a phishing attack. Sure enough, my password had “expired.”
Hmm. This is lame.
Maybe I’ll try to be smart with it and reenter the same password … nope. It’s smart. Can’t get around it. Because I had other things to do and this is already wasting my time, I concede defeat and create a new password for logging onto this site. Then, I do the unthinkable. Something that would make any security researcher and probably the “designer” of this system cringe in horror: I write the password down in a text file. Now anyone who manages to steal my laptop could potentially have access to this (of course, the file is encryped with the original password, though, so there is that).
Fast forward a few months. Another e-mail, another log into the virtual merchant terminal to check its status, another “password expired” message. Ah hah! Maybe I can set it back to what it used to be. No dice. It remembers all my old passwords. Every 45 days, I have to make and learn a new password or this website, which is a monumental pain since I only usually look at it about that often. I make another new password, and update my file. More of my time wasted. After 90 days with this processor, I have now had three passwords.
Now, I know how to create an encrypted file. But think about the users. The people using this are not computer experts. They are small businesses. Let’s say Bob at Bob’s Sunglasses has this account. But Bob doesn’t want to spend all day logged into his merchant processor account. Bob has sunglasses to look at! So, he gives the login information to his secretary Susan and tells her to process and fill orders as they come in. After 45 days, Susan gets a warning message one morning about changing her password. After spending an hour on the phone with tech support, she is able to figure out how to change the password.
Then, she does exactly what I did: she writes it down. Only she writes it down on a yellow post-it note along with the user name and account number (“just in case,” she says to herself) and sticks it right on the side of the monitor for everyone to see.
Automatically expiring passwords, from a security perspective, is an extremely bad idea because it encourages unsafe behavior with passwords. While theoretically it sounds like a great idea, it perversely encourages users to write passwords down - the last thing you want them to be doing - and just makes it all the more difficult for them to use your product. A better approach is to encourage or require users to have secure passwords in the first place, and to foster proper care for passwords.