Thread: Password Reset Requirements

  1. #1
    Junior Member
    Join Date
    Mar 2007
    Posts
    2

    Password Reset Requirements

    Hello,

    After seeing my 4th application/network password expire in as many days, it made me wonder what the quantitative trade-off/benefit to having password lifetimes is. And if there is such a security benefit, why don't all password protected services require password lifetimes? Also, do people tend to pick "easier" or similar passwords if they know the password will expire in the near future? And if they do tend to pick "easier" or "guessable" passwords, how does this affect application security in relation to the expiration requirement?

    Just curious if anyone has some thoughts on this issue, or even better - studies that document the trade-offs and quantitative benefits of these password requirements. I have a theory as to why only certain services/applications require password expiration mechanisms but I'll leave it out until I hear from some more informed opinions...

    Thank you in advance.

  2. #2
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    It's about two things really, how good your users are and how secure your network needs to be.

    Every time a password is changed any potential cracker has to start from scratch, unless a user has 3 same passwords that are rotated. Hence, having passwords expire reduces the chance of a brute force password crack and if a password is compromised in other ways the window it is compromised for is of course limited to the length of the expiry. So, assuming users generate secure passwords it DOES improve security. However, if your users are more along the lines of "average" users, or in our case 12, forcing password changes will probably just create more hassle in terms of forgotten passwords and even more worryingly passwords being written down.

    Really secure systems involve giving people those timer card things (or arm implants if you believe "A Beautiful Mind" :P ) which generate a new PIN number every 5 minutes which has to be entered along with the password, again thwarting brute force attacks as well as stopping people who only have the password.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  3. #3
    Junior Member
    Join Date
    Mar 2007
    Posts
    2
    Thanks for the reply Aardpsymon,

    In theory, I can see how password expiration could thwart brute force attacks over time, but that assumes the passwords markedly change over time rather than the "recycling" that often occurs of appending numbers to old passwords. Once a password file is cracked offline, it would be evident which passwords are cyclical and which are not.

    Furthermore, if expiring passwords add that much more value to application security, why do some of the most sensitive applications on the internet (online banking, paypal, ebay) not have expiring passwords?

    I've done a bit of googling since first posting, but all I've found on the subject in regards to a quantitative study of the policy is this paper: http://www.smat.us/sanity/expharmful.html. Not exactly an industry or academic source however.
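As an added illustration of the "recycling" point above (this is not code from the thread): a change-password check that rejects a new password when it is the current one with digits or punctuation appended or swapped, when it is a near-miss edit of it, or when it exactly matches a salted hash kept in history. The function names, the small leet table and the 0.8 similarity threshold are assumptions.

```python
import difflib
import hashlib
import hmac
import re

# Assumes the user supplies the current password when changing it, and that
# older passwords are kept only as salted PBKDF2 digests (salt, digest pairs).
_LEET = str.maketrans("@$0134", "asoiea")   # assumed, deliberately small table


def stem(pw: str) -> str:
    """Normalise away the usual recycling tricks: case, trailing digits or
    punctuation ("Summer2007" -> "summer"), and common leet substitutions."""
    s = re.sub(r"[\d!@#$%^&*._-]+$", "", pw.lower())
    return s.translate(_LEET)


def digest(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest used for the stored history."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def is_recycled(new_pw: str, current_pw: str, history) -> bool:
    """True if new_pw is a trivial variant of current_pw or an exact reuse
    of any (salt, digest) entry in history."""
    new_stem = stem(new_pw)
    # Same stem: only the appended digits/symbols changed (or case/leet).
    if new_stem and new_stem == stem(current_pw):
        return True
    # Near-miss edit of the current password (one or two characters changed).
    ratio = difflib.SequenceMatcher(None, new_pw.lower(), current_pw.lower()).ratio()
    if ratio >= 0.8:
        return True
    # Exact reuse of an older password, compared in constant time per entry.
    for salt, old_digest in history:
        if hmac.compare_digest(digest(new_pw, salt), old_digest):
            return True
    return False
```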

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Most apps will only let you enter in the wrong password so many times before it is locked out...they also record the failed attempts...and with banks and such...I am sure they also log the IP address.

    Security should be multi layered ....not just relying on username and password

    There was a member on this site...Catch ..who sparked many a great debate on security on this

    (I just did a search on the member list and he must have been removed in the recent site update...)

    Don't have time now..but will refine my searches later...and maybe come up with some good material for you.

    remember ...........users and their passwords are your weakest link...

    if you make the passwords so complicated that they can't remember them...they will write it down...on stickies....stuck to the monitor..

    true.....

    I think the best security is the layered approach...firewalls, logging, passwords, file security and application permissions etc.... regular patching and monitoring of the logs.....cause logs are no good if no one looks at them

    Would be very dangerous to just be relying on passwords as a security model.

    My .02 cdn
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer
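An added illustration of the lockout-and-logging behaviour the post above describes (not code from the thread): a per-account failed-login tracker that locks the account after too many failures inside a time window and keeps an audit record, including the source IP, for every event. The thresholds and names are assumed values chosen for the example.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5      # assumed: failures within WINDOW before the account locks
WINDOW = 15 * 60      # assumed: seconds over which failures are counted
LOCKOUT = 30 * 60     # assumed: seconds an account stays locked


class LoginGuard:
    """Tracks failed logins per account, locks after too many, keeps an audit log."""

    def __init__(self, now=time.time):
        self.now = now                        # injectable clock, handy for tests
        self.failures = defaultdict(deque)    # user -> timestamps of recent failures
        self.locked_until = {}                # user -> time the lock expires
        self.audit = []                       # append-only records for later review

    def _log(self, user, ip, event, t):
        self.audit.append({"time": t, "user": user, "ip": ip, "event": event})

    def is_locked(self, user):
        return self.locked_until.get(user, 0) > self.now()

    def record_failure(self, user, ip):
        """Record a bad password; return True if this failure triggered a lockout."""
        t = self.now()
        q = self.failures[user]
        while q and t - q[0] > WINDOW:        # forget failures outside the window
            q.popleft()
        q.append(t)
        self._log(user, ip, "auth_failure", t)
        if len(q) >= MAX_FAILURES:
            self.locked_until[user] = t + LOCKOUT
            q.clear()
            self._log(user, ip, "lockout", t)
            return True
        return False

    def record_success(self, user, ip):
        """A good login resets the failure counter but is still logged."""
        self.failures[user].clear()
        self._log(user, ip, "auth_success", self.now())

    def source_ips(self, user):
        """Distinct IPs that failed against this account, for the log reviewer."""
        return sorted({r["ip"] for r in self.audit
                       if r["user"] == user and r["event"] == "auth_failure"})
```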

  5. #5
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    well, banks use the whole "not entering your entire password" to log on. Again that is not too hard to beat, just log em a few different times you should get the whole number no problem. Heck, it's a number which rather limits the possibilities anyway.

    Top of the list over making passwords expire is making people pick decent passwords to start with. Hell, properly trained users should change their password without it expiring.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.
