2

Wondering if there's any research behind the most common password reset cycle I've seen of 90-days, and if there's any research that gives any insight into how to optimize password resets to reduce password reuse.

blunders
  • Duh. I read your title and wrote my answer...then read the actual sentence you wrote. Sorry, guess I missed your intent. I should RTFP. ;) – 0xSheepdog May 15 '14 at 05:36

2 Answers

5

The research shows that requiring time-based password changes increases re-use (users will use a password from another site, since they've already got it memorized, or will use a near-duplicate of their previous password), decreases password complexity, and increases the odds of the password getting written down somewhere.

The answers and papers in this related question would be a good starting point for further reading, for example, the introduction and conclusion of this one.

In short, if you want to minimize password re-use, don't require time-based password changes. The best way I've seen to encourage unique passwords is to provide the user with a randomly-generated password at account creation, rather than letting them specify a password.

Mark
1

I assume by "frequency of password resets" you mean password aging, that is "user must change password after X amount of time".

By itself, password aging has no impact whatsoever on password reuse. By definition, password aging simply says the user must choose a new password after a certain amount of time. The key parameters that cooperate with password aging to prevent password reuse are "password history" (how many previous passwords the system must keep track of for each account) and "minimum password age" (how long a user must wait after changing a password before they can change it again).

Here's why:
Say your system requires users to change their password every 180 days, has a password history of 6, but has no minimum password age.
This means if a user only changes passwords when the system requires him/her to, they can reuse their first password after 2.5 years (or 3 years, depends on how you count it.)

Without a minimum password age, a user could change his password, and then change it again 6 more times right away, and eventually go back to his first password.

A minimum password age policy makes this much harder. A minimum age of 24 hours means it takes a week to go through all those iterations and get back to the original password. Make the minimum age 7 days and now you are in the 1-2 month range.

0xSheepdog
  • You seem to be arguing that password change requirements theoretically need not affect password reuse. If so, I believe you've missed the point of the question: in practice, do people tend to reuse passwords more if they have to generate passwords more often (because of change requirements)? – Jon of All Trades Feb 09 '16 at 23:46
  • Wow, a blast from the past! I barely remember this question. You may be right, I seem to have considered the question from a purely technical control perspective. If the Q was about typical users' behavior and reaction to technical controls they are presented with, I think the answer would be vague and vary quite as much as user knowledge and experience does. Considering the vastly different types of users I support, I tend to consider things with the 'least common denominator' in mind while allowing for the informed types to breeze through. Probably not helpful at all, for this Q. – 0xSheepdog Feb 11 '16 at 17:06
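The interaction between password history and minimum password age described in the second answer, as an added example that is not part of either answer: a small policy engine that enforces both controls and measures how long it takes before the original password is accepted again. The class and function names are hypothetical, and the example assumes the history includes the current password and holds at least one entry.

```python
import hashlib
import os
from datetime import datetime, timedelta

ITERATIONS = 10_000  # kept low so the demo runs quickly; not a production setting

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class Account:
    """Enforces password history and minimum password age on each change."""

    def __init__(self, password, now, history_size, min_age):
        self.history_size = max(1, history_size)  # assumption: current password counts
        self.min_age = min_age
        self.history = []  # (salt, digest) pairs, newest last
        self._remember(password, now)

    def _remember(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.history = self.history[-self.history_size:]
        self.changed_at = now

    def change(self, new_password, now):
        """Return 'ok', 'too-soon' (minimum age) or 'in-history' (reuse)."""
        if now - self.changed_at < self.min_age:
            return "too-soon"
        if any(_digest(new_password, s) == d for s, d in self.history):
            return "in-history"
        self._remember(new_password, now)
        return "ok"

def days_to_cycle_back(history_size, min_age_days, wait_days=0):
    """Days from the first change until the original password is accepted again.
    The user waits max(min_age_days, wait_days) between changes."""
    step = timedelta(days=max(min_age_days, wait_days))
    start = datetime(2014, 5, 15)  # constructed date
    acct = Account("original", start - timedelta(days=365),
                   history_size, timedelta(days=min_age_days))
    now, n = start, 0
    while acct.change("original", now) != "ok":
        n += 1  # original still remembered: burn a throwaway password
        assert acct.change(f"throwaway-{n}", now) == "ok"
        now += step
    return (now - start).days

if __name__ == "__main__":
    for min_age, wait in [(0, 0), (1, 0), (7, 0), (0, 180)]:
        print(f"history=6 min_age={min_age}d wait={wait}d ->",
              days_to_cycle_back(6, min_age, wait), "days")
```

With a history of 6, the original password is back immediately when there is no minimum age, after 6 days with a 24-hour minimum, after 42 days with a 7-day minimum, and after 1080 days for a user who only changes at each 180-day expiry.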