What is the ISO27001 view on password expiry ?

[Melonbwead]

I know this use to be enforced in the earlier version of ISO-27001, but i can't find anything on password expiry in here, maybe i haven't looked hard enought

[nelsonic]

Hi @ChennyBaBy, good question! (thank you for opening this issue!)

Sadly, the ISO27001-2013 doc https://trofisecurity.com/assets/img/iso27001-2013.pdf Has 3 instances of the word password and they are all in the same "control" (A.9.4.3):

"Password management systems shall be interactive and shall ensure quality passwords."

It does not mention passwords must be rotated ... 🙄

tl;dr: ISO27001-2013 Does Not Require Password Rotation

Typically most "Enterprise" (Corporate) environments require monthly password changes. But, as Bruce Schneier (who we highly respect) says in his 10^thOctober 2017 article "Changes in Password Best Practices": https://www.schneier.com/blog/archives/2017/10/changes_in_pass.html

2. "Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise."

From personal experience (working in "high security" environments) passwords are generally a "weak link", if "complexity" is required people either easily forget their password, or they use a predictable pattern like "word" + digits + punctuation. which when they are required to change their password, they simply increment the digits e.g: "Unicorns7$" >> "Unicorns8$" this satisfies the criteria/requirements:

• Length: at least 10 characters.
• Mixed case: at least 1 upper case character.
• Digits: at least 1 digit.
• Special characters: at least 1 special character.

As you can tell this is a very predictable pattern and is not especially "secure"...

A much better way of encouraging/enforcing security is:

• Educate users to use a "passphrase" not a "password" i.e. use several words that make up a phrase that is meaningful to them and they can easily remember: e.g:
  • "Bigbenisthebell1859!" (20 chars) a good passphrase for a "history buff" https://en.wikipedia.org/wiki/Big_Ben
  • "ChewbaccaisaWookiee1977." (24 chars) for someone keen on StarWars https://en.wikipedia.org/wiki/Wookiee
• Limit the number of "attempts" a person type an incorrect passphrase e.g: 10 tries.
• Remind people to never write down or share their passphrase.
• Make it fast and easy for people to reset their password if they forget it.
• Raise upper-limit on password length to 64 Chars to accommodate for Strong Passwords generated by a Password Manager like "Last Pass" or "1Password". see: https://www.grc.com/passwords.htm and

Source: https://xkcd.com/936

If you're curious I would recommend reading the discussion/answers on this thread: https://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security This is also a good article "Time to rethink mandatory password changes": https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

[Melonbwead]

Thank you so much for this amazing detailed reply!!!! ❤️

[Truck3r]

However ISO 27002 does specify rules for password expiry and rotation: Section 11.3.1 e) change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts should be changed more frequently than normal passwords), and avoid re-using or cycling old passwords;

Since 27002 is often used as implementation guidelines for 27001 (as I understand it), you will likely run into password expiry and rotation in organisations that are 27001 certified. Unfortunately 😢