
Possible Duplicate:
How does changing your password every 90 days increase security?

What are best practices for password expiration policies?

There are some questions that already address this issue:

But they seem to be very heavy on anecdotal evidence, and very light on definitive answers.

The general list of arguments for and against password expiration policies seems to boil down to (as listed in the relevant IT Security Blog post):

Expiration pros:

  • To mitigate the problems that would occur if an attacker acquired the password hashes of your system
  • It prevents people who use the same password for everything from getting your system compromised if their password is figured out somewhere else
  • Compliance reduces the risk of penalties of non-compliance (thanks @AviD)
  • By resetting the password every X days we are telling the user: Hey, this is important and it should not be taken lightly

Expiration cons:

  • Your password, and the attacker’s guess at your password, are independent. The probability that the attacker’s next guess is correct is the same even if you change your password first.
  • Nothing encourages passwords on post-its quite like frequent expiration, especially if there are also high complexity requirements
  • It annoys users
  • They end up having to work out a new password – which research shows is often derived from the previous one in a way that is very easy to crack nearly half the time
  • You can expect additional support costs to cover users who have forgotten

These lists make good sense, and are excellent conversation fodder among IT professionals. But where do the pros and cons meet in the middle as a "best practice?"

I am interested in the conclusions from studies on the topic, as opposed to personal opinion and anecdotes.

Flimzy
  • I'd like to see an analysis that identifies and tries to weigh up the competing factors. It takes time to learn new passwords and if users struggle, they will use notes. But the changes limit exposure time to compromised passwords. What is the balance? Is it more important to insist on strong passwords than to change frequently? –  May 17 '12 at 22:51
  • The answer there explains some reasons that go against your 'obvious reason'. Have you tried asking for actual studies there? –  May 17 '12 at 23:26
  • @DJClayworth: No, I have not. This seems like the more appropriate site for the type of answer I am seeking. If the community decides the question is off-topic (I don't know why it should be), I can go there as back up. –  May 17 '12 at 23:28
  • I am inclined to agree with DJClayworth on the redundancy of the question. Asking IT Security folks to back up claims shouldn't be too hard. – Larian LeQuella May 18 '12 at 01:43
  • @LarianLeQuella: My understanding is that the official SE policy is that overlap is okay. See relevant discussion on another SE site [here](http://meta.movies.stackexchange.com/a/404/22). That said, I am willing to ask on the IT security site, but I don't think this question should be closed just because of overlap. –  May 18 '12 at 02:00
  • If we closed every question on this site that _could_ be asked on another site, 3 of 11 of the questions on the front page (not counting those already closed, or this one) would be closed. –  May 18 '12 at 02:06
  • @flimzy: I don't think there's much doubt that this question is more appropriate for security. It is perfectly reasonable to ask for referenced answers anywhere in the SE network. The bottom line is that your question needs the attention of someone that can explain when it's appropriate to use this tool and when it's not. I will migrate to security if you don't mind... – Sklivvz May 18 '12 at 08:26
  • Expert, research-level questions should be asked on the respective sites and not here [FAQ] – Sklivvz May 18 '12 at 08:32
  • How strong of an answer do you want? Respected computer security experts are generally in agreement that rapid password changes (i.e. generally every 90 days or less) are bad, but I can't recall off the top of my head if this was formalized into studies and how those studies were structured. –  May 18 '12 at 10:43
  • http://www.emc.com/security/rsa-securid.htm (this password actually changes *every minute*). – Sklivvz May 18 '12 at 10:53
  • @Sklivvz: Very well. –  May 18 '12 at 16:08
  • @HendrikBrummermann: I asked this question on Skeptics precisely because the "dupe" question did not go into sufficient authoritative detail, but was mostly anecdote. I have edited the question to make it, hopefully, more appropriate for an IT-Security audience. Is it possible to have this reopened? – Flimzy May 18 '12 at 16:29
  • I am not sure what you mean with "authoritative detail". There are research papers linked in the answers. We do not have control over what questions are migrated to our site. I don't see a substantial difference between the original question and your question. Therefore it is unlikely that you will get different answers on this question. – Hendrik Brummermann May 18 '12 at 16:34
  • @HendrikBrummermann: The questions are fundamentally different. The older one asks how password rotation improves security--which is only one side of the coin, and is, in effect, asking for anecdotal evidence. Mine asks for best practices. Undeniably there is overlap, but I believe they are fundamentally different. – Flimzy May 18 '12 at 16:43
  • @HendrikBrummermann: There are two studies I can find linked in answers on the other question. One specifically about website passwords (relevant, but not comprehensive), and the other on whether rotation improves security against dictionary-type attacks. Both are useful, but neither points to a general best-practice. – Flimzy May 18 '12 at 16:45
  • @HendrikBrummermann: Re "We do not have control over what questions are migrated." RoryAlsop asked Sklivvz to migrate it in the teacher's lounge. :) – Flimzy May 18 '12 at 19:59
  • @Flimzy more specifically I've asked Rory if it was OK to migrate :-) – Sklivvz May 18 '12 at 20:25

0 Answers