views: 581

answers: 6

I'm looking for studies on the security effect of frequent password changes, looking at the security benefits / problems from having a mandatory password change every one or two months or similar.

Does anyone know of any?

+3  A: 

I don't know of any studies that exist, but to get you thinking about both sides of the issue, here's a paper against forcing password changes:

Managing network security — Part 10: Change your password

And an instructional site for an educational institute that makes at least a somewhat compelling case (written by a Ph.D.) for forcing users to change their passwords frequently. These are the main arguments the site gives FOR forcing password changes, after the link to the page:

"Why Do I Have to Change My !@$%#* Password?"

  • If you're required to change your password at least every six months, someone who's hacked your password and has been accessing your account without your knowledge will immediately be shut out once your password is changed. Some may think this is an uncommon scenario, but people commonly sell an old computer and forget to erase passwords they may have saved for dialing in or for accessing their email.
  • If you change your password at least every six months, hackers who may be trying to crack your password using brute force (as described above) basically need to start over because your password may now have been changed to some pattern they've already tried and rejected.
  • Forcing a password change also discourages users from using the same password on multiple accounts. (Using the same password on multiple accounts is bad because then your password is only as secure as the least secure of the systems sharing that common password, and if your account does get compromised, the bad guy suddenly has access not just to one account, but to multiple accounts, magnifying the scope of the problem).

As far as "research" goes, these might not cut it, but seem to be at least a good introduction to both sides of the argument.

Brett Bender
+4  A: 

Here is a research article on password policy. It mentions the frequency at which people should change their passwords and some other really interesting stuff. Below is an extract.

Some experts say that periodic password changes will reduce the damage if an attacker intercepts a password: once the password is changed, the attacker is locked out. This assumes that the recovered password will not give the attacker any hints about the victim's current password. In fact, periodic password changes tend to encourage people to design sequences of passwords, like secret01a, secret01b, secret01c, and so on.

This allows users to easily choose and remember a new password when the old one expires. Such sequences are usually pretty obvious to an attacker, so any one of the victim's old passwords will probably provide the attacker with a reasonably small number of passwords to guess at.

Sam152
Thank you, just what I was looking for :)
henriksen
+2  A: 

In my opinion, forcing people to change their password too often reduces security, because the only way people can remember so many passwords is to start using stupid passwords like Computer123 or January1 followed by February1, etc.

A better idea is to reduce the frequency and then train people how to create strong passwords.

Gineer
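The two answers above (the secret01a/secret01b sequence quoted from the password-policy article, and Gineer's January1/February1 example) both say that an expired password hands an attacker a short list of likely successors. The following is an added example, not code from the thread or from the cited article: it turns one old password into that list by bumping a trailing letter, bumping a trailing number (keeping zero padding), and advancing a month name. The sample passwords in the comments are constructed; the pattern rules are this example's own assumptions about what users commonly do.

```python
"""Added example (not from the thread): derive the likely next passwords from one
expired password that follows a sequence pattern."""
import calendar
import re
from typing import Optional

# Trailing pattern: an optional digit run, optionally followed by a single letter.
# A lone trailing letter with no digits before it is treated as part of the base,
# so "password" yields no letter guesses (assumption of this example).
_SUFFIX = re.compile(
    r"^(?P<base>.*?)(?:(?P<num>\d+)(?P<letter>[A-Za-z])?)?\Z", re.DOTALL
)
_MONTHS = [calendar.month_name[i] for i in range(1, 13)]  # January .. December


def _bump_number(num: str, by: int) -> str:
    """Increment a digit string while keeping its zero padding (01 -> 02)."""
    return str(int(num) + by).zfill(len(num))


def _bump_letter(letter: str, by: int) -> Optional[str]:
    """Advance one letter within its case (a -> b); None once past z or Z."""
    new = chr(ord(letter) + by)
    if new.isalpha() and new.islower() == letter.islower():
        return new
    return None


def _next_months(base: str, steps: int) -> list:
    """If the base ends with a month name, return bases with the following months."""
    for i, month in enumerate(_MONTHS):
        if base.lower().endswith(month.lower()):
            stem = base[: len(base) - len(month)]
            return [stem + _MONTHS[(i + k) % 12] for k in range(1, steps + 1)]
    return []


def successor_guesses(old_password: str, steps: int = 2) -> list:
    """Candidate next passwords an attacker would try, given one expired password."""
    m = _SUFFIX.match(old_password)
    base = m.group("base")
    num = m.group("num") or ""
    letter = m.group("letter") or ""
    guesses = []

    # 1. The expired password itself: rotation may not actually have been enforced.
    guesses.append(old_password)

    # 2. Advance the trailing letter: secret01a -> secret01b, secret01c
    if letter:
        for k in range(1, steps + 1):
            nxt = _bump_letter(letter, k)
            if nxt:
                guesses.append(base + num + nxt)

    # 3. Advance the trailing number, keeping the letter and also resetting it to 'a':
    #    secret01b -> secret02b, secret02a ; Computer123 -> Computer124
    if num:
        for k in range(1, steps + 1):
            n = _bump_number(num, k)
            guesses.append(base + n + letter)
            if letter and letter.lower() != "a":
                guesses.append(base + n + ("A" if letter.isupper() else "a"))

    # 4. Month-name sequences, wrapping at year end: January1 -> February1
    for next_base in _next_months(base, steps):
        guesses.append(next_base + num + letter)

    # De-duplicate while preserving the order in which an attacker would try them.
    return list(dict.fromkeys(guesses))


if __name__ == "__main__":
    for old in ("secret01a", "January1", "Computer123", "password"):  # constructed
        print(old, "->", successor_guesses(old))
```

With `steps=2` a single expired password expands to at most a handful of guesses, which is the point of the quoted passage: an old password leaks most of the entropy of the new one. A lockout policy that tolerates five or ten failures per window does nothing against a list this short.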
+3  A: 

It's not a study, but Gene Spafford posted a short article that discusses the reasons why a policy of frequent password changes doesn't make much sense:

Michael Burr
+4  A: 

The TechReport Do Strong Web Passwords Accomplish Anything? states “changing the password frequently helps only if the attacker is extremely slow to exploit the harvested credentials.”

Gumbo
Good point. That suggests that a high quality of passwords has a better effect than a high frequency of updates.
Guffa
That's a good point as well
henriksen
+3  A: 

While not exactly the study you're looking for, it is closely related and might push you in the right direction. I have seen a few studies on the specific topic you're looking for, but can't find the references just yet.

Microsoft Security Guru advice: "Write down your password"

There are a number of bad things that can happen with passwords, and we want to mitigate as many as possible without creating new problems. The "change your password" policy is there to mitigate the damage over time that could be caused if your password gets out, by limiting the window of opportunity for an attacker. While not the end-all of security measures, it can sometimes make a huge difference. As a security consultant, I have personally made (this year alone) many tens of thousands of dollars cleaning up messes that could have been avoided entirely if the company had changed important passwords at least yearly.

The danger of changing your password frequently is that you'll pick poor passwords. This makes the situation even worse, because it now allows attacks that would have otherwise not been possible.

The new wisdom, as mentioned in the linked article, is to pick (or be assigned) a random password, possibly changed on a regular basis, and write it down somewhere that you keep safe. Obviously you don't leave it with your computer any more than you would leave your keys with your car. The justification is that people are already trained to know how to secure "things" but are naturally poor at securing information. So if you turn the password into a thing you can hold, then you can just secure it the same way you secure your keys. In practice, this works very well; however, it tends to make IT departments nervous.

tylerl
Interesting link! Thanks! Changing passwords yearly, that's one thing, but with "frequent" I was thinking about monthly and bi-monthly mandatory changes.
henriksen