I do not require passwords to be changed on a schedule in my application for a simple reason: it makes remembering passwords harder and is thus more likely to lead people to write them down somewhere or otherwise use an unsafe memory aid.

What arguments are there to the contrary? Why would forcing someone to change a password that no one else knows make it more secure?

Note: since this is open to opinion and debate, I'm marking it as a community wiki. It is, however, centrally a technology concern so I think it reasonable to post here.

+3  A: 

How do you know no one else knows it? The risk is not so much when you realise someone else knows your password, it's when you assume no one else knows it, but they do.

The principle is that it limits the exposure period if a password is compromised.

If that compromised password can float around forever, then the system is compromised forever.

By forcing password changes every 30/90 days, to a password that hasn't been used before, you are ensuring that if a password is compromised, it will be secure again no later than that period.

That being said - I hate it when I have to change my password after 30 days, and even when it was increased to 90 days still hated it.

Michael Shimmins
@shimms - that final comment is half my impulse. You are probably right with respect to many, many passwords. However, I do use complex passwords, maintain complete secrecy and take no risks with respect to security. But I guess the point is that I cannot expect everyone to act as I do and so I should implement a password expiry to eventually "resecure" the information in people's accounts.
Mark Brittingham
+2  A: 

If it takes my password-guessing program 90 days to figure out one of your passwords, you probably want to make sure that your users change them at least once every 90 days.

Gabe
How do you know that the password to which they change won't be next up in your program? Now, if you could always change it on day 89...
Mark Brittingham
If someone gained access to your system through someone's password, it guarantees that they will eventually lose that access via the next password change.
Glorphindale
+1  A: 

To tighten the security of your system there should be a couple of other settings. For example, how strong a password should be (alphanumerical, both cases, special symbols) or that the new password should not be identical to any of the 2 (3, 4, n) previous passwords.

Glorphindale
@Glorphindale - thanks. We do implement those controls. It was just password forcing that I question.
Mark Brittingham
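The three controls discussed in this thread (complexity rules, rejecting reuse of the last n passwords, and a maximum password age) as one policy check. This is an added illustration, not code from any of the posters; the limits (12 characters, 3 remembered passwords, 90 days, PBKDF2 round count) are assumed values.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy parameters: assumed values, the thread only mentions "30/90 days"
# and "2(3,4,n) previous passwords" without fixing them
MIN_LENGTH = 12
HISTORY_DEPTH = 3                 # new password must differ from the last n
MAX_AGE = timedelta(days=90)      # force a change once the password is older
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) using salted PBKDF2-HMAC-SHA256; only these are stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_errors(password):
    """List every complexity rule the candidate fails (empty list means it passes)."""
    checks = [
        ("length", len(password) >= MIN_LENGTH),
        ("lowercase", re.search(r"[a-z]", password) is not None),
        ("uppercase", re.search(r"[A-Z]", password) is not None),
        ("digit", re.search(r"[0-9]", password) is not None),
        ("symbol", re.search(r"[^A-Za-z0-9]", password) is not None),
    ]
    return [name for name, ok in checks if not ok]


def is_reused(password, history):
    """True if the candidate matches any of the last HISTORY_DEPTH (salt, digest) entries."""
    recent = history[-HISTORY_DEPTH:]
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in recent)


def is_expired(changed_at, now):
    """True once the current password is older than MAX_AGE and must be changed."""
    return now - changed_at > MAX_AGE


def validate_change(new_password, history):
    """Reasons to reject a proposed new password; an empty list means accept it."""
    reasons = complexity_errors(new_password)
    if is_reused(new_password, history):
        reasons.append("reused")
    return reasons
```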
+1  A: 

If you had the money, you could go for a two-factor solution such as SecurID, then your weakness of long password life is mostly mitigated. If SecurID is too costly a solution, there is also YubiKey, which has several client libraries in various languages to assist in integrating it into your applications.

Though to answer your question directly, from a business point of view, the best reason to force users to periodically change passwords is to comply with any applicable legislation, regulations, contractual obligations, etc., e.g. the PCI Data Security Standard for those involved with credit cards. The financial implications of not following their requirements can devastate a company.

Mike
+1  A: 

The answer to your question depends on the sensitivity of the information your application contains. The more sensitive, the higher the security level you should provide.

Obviously, more security usually leads to a decrease in usability. You and your client need to balance the factors and then look for a technical solution.

Hans Westerbeek