
I'm asking two very related questions

  1. As an admin, what policies should be enforced regarding the frequency of password changing? I have an idea that users should be forced to change their password not after a certain amount of time but after a certain number of login attempts. For example, if 30 incorrect passwords were entered, the next time the user logs in they must change their password.
  2. For situations where I'm not the admin and there is no password expiry, how often should I change the password? For example, my cellphone provider doesn't require me to change the password and I haven't for over a year, though the password is quite complex.
Rory Alsop
Celeritas
  • I had assumed that the logic behind enforced password changes was to reduce risk against a password being used across multiple sites, and being compromised elsewhere. At one extreme, forcing daily password changes would make it essentially impossible for a user to be using the same password elsewhere. – Steve Bennett Jan 31 '14 at 00:03
  • See also [How does changing your password every 90 days increase security?](http://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security) – Gilles 'SO- stop being evil' Aug 10 '14 at 13:37

3 Answers


The brute force attack can be described as such: the attacker tries a lot of random potential passwords, until the right one is found. Forcing a password change for the user, i.e. changing from one potential password to another, does not substantially lower the success rate of the attacker (indeed, it changes anything only if the space of possible passwords is so small that the attacker can explore it exhaustively -- and this means that you have a bigger problem, which is that your users choose very weak passwords). It is a widespread but wrong belief that password changes somehow "restore security".

What may make sense is to disable accounts which are the target of a brute force attack, indicated by a lot of failed attempts. But this kind of locking feature can backfire: it allows anybody to lock the account of anybody else, which can turn into a big helpdesk problem.

Correspondingly, there is no need for you to change your cellphone provider password because it is old. Change your password if it is weak, but weakness does not grow over time; it is there right from day 1.

Tom Leek
  • `brute force attack [...] the attacker tries a lot of random potential passwords` - I thought brute-forcing a password means trying every single possible password until the right one is found, which is not at all random; instead it's very systematic? – toogley May 06 '16 at 08:54
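Tom's answer notes that locking an account after failed attempts can be abused to lock out other users. One mitigating design is a short, escalating lock that expires on its own rather than a permanent one. The Python below is an added example (not code from the answer or the asker) that implements such a lock with an injectable clock and simulates how many online guesses an attacker gets per day against a single account under it; `LoginThrottle`, `FakeClock`, the `alice` account and its secret are constructed for the example.

```python
import hashlib
import hmac
import time
from collections import defaultdict


class LoginThrottle:
    """Escalating, self-expiring per-account lockout (constructed example policy)."""

    def __init__(self, threshold=5, base_lock=30.0, max_lock=3600.0, clock=time.monotonic):
        self.threshold, self.base_lock, self.max_lock = threshold, base_lock, max_lock
        self.clock = clock  # injectable so the offline simulation below can advance time
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def is_locked(self, user):
        return self.clock() < self.locked_until[user]

    def login(self, user, password, store):
        """store maps user -> sha256 hex of the password (constructed; use a real KDF in production)."""
        if self.is_locked(user):
            return "locked"  # refused before the password is even checked
        digest = hashlib.sha256(password.encode()).hexdigest()
        # Unknown users are counted like wrong passwords so the response does not reveal existence.
        if user in store and hmac.compare_digest(store[user], digest):
            self.failures[user] = 0
            self.locked_until[user] = 0.0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] % self.threshold == 0:
            rounds = self.failures[user] // self.threshold
            # Lock doubles each time the threshold is crossed, capped; a persistent hammerer
            # can still keep the account locked, so pair this with per-source rate limits.
            delay = min(self.base_lock * 2 ** (rounds - 1), self.max_lock)
            self.locked_until[user] = self.clock() + delay
        return "denied"


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


STORE = {"alice": hashlib.sha256(b"constructed-secret").hexdigest()}  # constructed test account


def guesses_per_day(threshold=5, base_lock=30.0, max_lock=3600.0, horizon=86400.0):
    """Online guesses an attacker can make against one account in a day under this policy."""
    clock = FakeClock()
    throttle = LoginThrottle(threshold, base_lock, max_lock, clock)
    guesses = 0
    while clock.now < horizon:
        if throttle.is_locked("alice"):
            clock.now = throttle.locked_until["alice"]  # attacker waits the lock out
            continue
        throttle.login("alice", f"guess{guesses}", STORE)  # every guess is wrong
        guesses += 1
    return guesses


def legitimate_user_recovers():
    """Five typos lock alice out briefly; the lock expires without helpdesk intervention."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for _ in range(5):
        throttle.login("alice", "wrong", STORE)
    while_locked = throttle.login("alice", "constructed-secret", STORE)  # "locked"
    clock.now += 30.0
    after_expiry = throttle.login("alice", "constructed-secret", STORE)  # "ok", counters reset
    return while_locked, after_expiry
```

With the default parameters the simulation gives an attacker 150 online guesses per day against one account, versus 864,000 at a modest 10 guesses per second with no throttling, while a user who mistypes five times is back in after 30 seconds.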
  1. When your users are humans, forcing regular password changes doesn't necessarily increase security.
    See the FTC post "Time to rethink mandatory password changes" by Chief Technologist Lorrie Cranor, based on research about how humans actually use these systems. (Washington Post coverage here.)
  2. When you are the user, you should change your password more frequently than the expected mean frequency of when the password is compromised by a hack on the data store or any other method by which someone might obtain your password. This is a longer time (lower frequency) if your passwords are unique than if you reuse passwords (because there's a wider variety of ways a frequently reused password might be compromised). If you have any special reason to believe that a password has been recently compromised, that's a good time to change it too; otherwise you're relying on your own estimates of the security of that access control.
WBT
  • Since you are answering an old post, I guess I should throw in my 2 cents. Another reason I would say to enable a password expiration policy is to make sure the password stays unique for a period of time. It's not constantly unique, but people have a bad habit of using the same password in multiple places. This leads to a security issue, where another website is hacked and their password is in the hands of someone else. Just a thought at least. – dakre18 Mar 03 '16 at 22:34
  • Ensuring the password stays unique also means it's hard to remember. Making passwords hard to remember forces people to write it down. Therefore, everyone who forces password changes is actively **harming** security. – Gloweye Jul 04 '19 at 07:33

I have to disagree with Tom on "there is no need to change your password because it is old...".

In and of itself, that is reasonably true, however the pragmatics of real life interfere with theory and make that not so true. Since we are oftentimes asked to enter our passwords in many different environments and places - some of which we do not always control, it is my opinion that having good password changing schedules is a policy that should be in place and is a peer policy to strength.

There is too much of a possibility that one time a password is entered in a compromised environment and is captured, or (as I often see it) an admin is given a password (for a momentary purpose, but they keep it around) to accomplish a task while someone is travelling... or some other reason like that. Without password change schedules in effect, you have no way of re-baselining the risk associated with these spurious and random events.

Tek Tengu