0

According to

http://www.csoonline.com/article/3195181/data-protection/vendors-approve-of-nist-password-draft.html

"There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security..."

I would like to see some of these studies and would appreciate references.

schroeder

Thomas
    Per would likely have studies: https://blog.keepersecurity.com/2016/11/16/keeper-qa-password-tips-with-passwordscon-founder-per-thorsheim/ I'll try to dig some out. – schroeder May 18 '17 at 16:15
  • Most of the time when I ask people in the office whether their passwords are ending with an increasing number, they are maintaining a guilty silence. Of course it is good to have official studies, but you can also just look around. – martinstoeckli May 18 '17 at 16:15
  • Thomas, you'll find links to the only studies on password expiration, that I'm aware of, in the 'possible duplicate' linked answers. There are also a few less formal studies like https://isc.sans.org/forums/diary/Password+History+Insights+Shared+by+a+Reader/22278/ – PwdRsch May 18 '17 at 17:12
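The comment above about passwords that just end in an increasing number describes a pattern that a defender can measure rather than guess at. The following is an added example, not code from the question, the comments or any of the linked studies: a password-change hook that compares the old and new password (both are available in plaintext at change time, since the user must supply the old one to authenticate) and flags a "rotation" that only bumps a trailing number or changes letter case. The input records are constructed for illustration.

```python
import re

# Split a password into its non-digit stem and its trailing run of digits.
# "Summer17" -> ("Summer", "17"); "Tr0ub4dor&3" -> ("Tr0ub4dor&", "3")
_STEM_AND_SUFFIX = re.compile(r"^(.*?)(\d*)$")


def split_suffix(password: str):
    match = _STEM_AND_SUFFIX.match(password)
    return match.group(1), match.group(2)


def is_trivial_rotation(old: str, new: str) -> bool:
    """Return True when `new` is `old` with only its trailing number changed
    (Summer17 -> Summer18, Welcome -> Welcome1) or differs only in case."""
    if old.casefold() == new.casefold():
        return True
    old_stem, old_num = split_suffix(old)
    new_stem, new_num = split_suffix(new)
    # Same stem (ignoring case) and a numeric suffix that was added, removed
    # or incremented: the password was "rotated" without really changing.
    return old_stem.casefold() == new_stem.casefold() and bool(old_num or new_num)


def trivial_rotation_rate(changes) -> float:
    """Fraction of (old, new) password-change pairs that were trivial rotations.
    A high rate is evidence, for your own user base, of the effect the
    question asks about: expiry policies producing predictable successors."""
    if not changes:
        return 0.0
    trivial = sum(is_trivial_rotation(old, new) for old, new in changes)
    return trivial / len(changes)


if __name__ == "__main__":
    # Constructed sample of password changes seen by a change endpoint.
    sample_changes = [
        ("Summer17", "Summer18"),
        ("Welcome1", "welcome2"),
        ("Summer18", "correct horse battery staple"),
        ("Password1", "Tr0ub4dor&3"),
    ]
    for old, new in sample_changes:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_rotation(old, new)}")
    print(f"trivial rotation rate: {trivial_rotation_rate(sample_changes):.0%}")
```

The check is deliberately narrow (suffix digits and case only); a real policy would also reject the new password if it appears in a breach list or shares a long common substring with the previous one, but even this minimal version turns the anecdote in the comments into a number you can report from your own password-change logs.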

1 Answer

0

There was a healthy debate a couple of years back here, I hope it's stickied. Let's see: How does changing your password every 90 days increase security? was where we had this.

The NIST itself gathers feedback from industry, government agencies (most specifically: the intelligence community) and provides guidelines to government as to how to secure their systems against nations stealing them. I realize that's an appeal to authority and not a reference, but hopefully it helps provide context for the NIST.

Ori