Password Aging

Does anyone know of any guidelines on password aging? What is usually expected by the FDA? Our current system at our site has passwords changing every 30 days. The new corporate vendor wants to change it to 6 months.

I don’t know of any guidelines. I think what you have is pretty typical. I’ve seen a number of sites go to 15 days.

The whole concept of password expiration is a risk mitigation. The idea is that you limit the impact of compromised passwords (uncontrolled access to the system) by requiring that a user change the password on a periodic basis. So the worst case is that the system is compromised for the entire expiration period (less a few minutes). So in reality, that’s a fairly weak control in isolation from other controls.

Regulators expect some risk assessment to justify the change frequency. In reality, as pointed out, in isolation, password expiration would need to be almost constant to mitigate risk. So it’s only a back-up control.

The first thing you need to do is to determine the risk of having the system compromised through compromised password protection. If there’s no risk then even changing it every 6 months may be too often. If lives could be lost if access is compromised, then 6 months is too infrequent (and maybe 30 days is, too!).

Once you establish the risk, then look at ALL the access controls. These could include:

  • requiring a ‘strong’ password (> 8 chars; contains alpha (upper AND lower case), numeric, and special chars)
  • cannot be re-used by the same user (can’t reset the password to the same thing, with variations on that being can’t reuse ‘substantial’ parts)
  • cannot include anything related to user ID or user name
  • frequency and effectiveness of monitoring (are all access requests coming in from known locations - how well would you detect if a hack was attempted)

With risk and other controls defined you can then set a reasonable expiration period.

Regulators generally look for some justification of parameters selected and then, if reasonable, generally agree. So if you can justify that a 6 month expiration would, in context with other controls, be sufficient, I think you can certainly consider it. If it’s just an arbitrary decision based on a pain threshold then it’s not justified.

I agree with almost all of Yodon’s comment. Password aging per se is a very weak control and should be combined with other access controls, like password size and password re-utilization (like remembering the last 3 passwords and preventing the user from re-utilizing them). I would just like to add the following comment: by obliging users to change the password very frequently you also increase the risk that users write down their passwords (to remember them) or try to “fool” the system, and that is also a risk. You should consider that when defining password expiration periods. I believe that 90 days (3 months) is a pretty decent period. But that is just a number. You must establish that period based on a documented risk assessment.