Password Reset Requirements
Results 1 to 5 of 5

Thread: Password Reset Requirements

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Posts
    2

    Password Reset Requirements

    Hello,

    After seeing my 4th application/network password expire in as many days, it made me wonder what the quantitative trade-off/ benefit to having password lifetimes is. And if there is such a security benefit, why don't all password protected services require password lifetimes? Also, do people tend to pick "easier" or similar passwords if they know the password will expire in the near future? And if they do tend to pick "easier" or "guessable" passwords, how does this affect application security in relation to the expiration requirement?

    Just curious if anyone has some thoughts on this issue, or even better - studies that document the trade-offs and quantitative benefits of these password requirements. I have a theory as to why only certain services/applications require password expiration mechanisms but I'll leave it out until I hear from some more informed opinions...

    Thank you in advance.

  2. #2
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    Its about two things really, how good your users are and how secure your network needs to be.

    Every time a password is changed any potential cracker has to start from scratch, unless a user has 3 same passwords that are rotated. Hence, having passwords expire reduces the chance of a brute force password crack and if a password is compromised in other ways the window it is compromised for is of course limited to the length of the expiry. So, assuming users generate secure passwords it DOES improve security. However, if your users are more along the lines of "average" users, or in our case 12, forcing password changes will probably just create more hassle in terms of forgotten passwords and even more worryingly passwords being written down.

    Really secure systems involve giving people those timer card things (or arm implants if you believe "A Beautiful Mind" :P ) which generate a new PIN number every 5 minutes which has to be entered along with the password, again thwarting brute force attacks as well as stopping people who only have the password.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Posts
    2
    Thanks for the reply Aardpsymon,

    In theory, I can see how password expiration could thwart brute force attacks over time, but that assumes the passwords markedly change over time rather than the "recycling" that often occurs of appending numbers to old passwords. Once a password file is cracked offline, it would be evident which passwords are cyclical and which are not.

    Furthermore, if expiring passwords add that much more value to application security, why do some of the most sensitive applications on the internet (online banking, paypal, ebay) not have expiring passwords?

    I've done a bit of googling since first posting, but all I've found on the subject in regards to a quantitative study of the policy is this paper: http://www.smat.us/sanity/expharmful.html. Not exactly an industry or academic source however.

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Most apps will only let you enter in the wrong password so many times before it is locked out...they also record the failured attempts...and with banks and such...I am sure they also log the IP address.

    Security should be multi layered ....not just relying on username and password

    There was a member on this site...Catch ..who sparked many a great debate on security on this

    (I just did a search on the member list and he must have been removed in the recent site up date...)

    Dont have time now..but will refine my searches later...and maybe come up with some good material for you.

    remember ...........users and thier passwords are your weakest link...

    if you make the passwords so complicated that they cant remember them...they will write it down...on stickies....stuck to the monitor..

    true.....

    I think the best security is the layered approach...firewalls, logging, passowrds, file security and application permissions etc.... regular patching and monitoring of the logs.....cause logs are no good if no one looks at them

    Would be very dangerous to just be relying on passwords for as a security model.

    My .02 cdn
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    well, banks use the whole "not entering your entire password" to log on. Again that is not too hard to beat, just log em a few different times you should get the whole number no problem. Heck, its a number which rather limits the possibilities anyway.

    Top of the list over making passwords expire is making people pick decent passwords to start with. Hell, properly trained users should change their password without it expiring.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Secure Passwords Tutorial
    By NeonWizard in forum The Security Tutorials Forum
    Replies: 5
    Last Post: August 13th, 2004, 07:54 PM
  3. Windows XP Tips
    By Nokia in forum Tips and Tricks
    Replies: 4
    Last Post: June 18th, 2004, 05:24 PM
  4. Good Password: Common Practices
    By jdenny in forum The Security Tutorials Forum
    Replies: 7
    Last Post: August 30th, 2002, 05:34 PM
  5. Securing Your Windows PC
    By E5C4P3 in forum The Security Tutorials Forum
    Replies: 10
    Last Post: June 12th, 2002, 05:54 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •