[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

H. Morrow Long morrow.long at yale.edu
Sat May 5 17:31:49 GMT 2007

Anyone have a citation for an academic research study on whether  
mandatory password expiration and changes increase security?

Any stats or numbers quantifying how much and in what ways requiring  
password changing increases security?

I know all of the rationale (and I believe in it ) behind it but we  
need #s (and a paper from a peer-reviewed journal):
	1.	It automatically disables old unused accounts (which should have  
been disabled already).
	2.	It limits the amount of time accounts may be compromised
	3.	Combined with increased quality checks it improves password  
	4.	If users are using the same password for their University account  
as on outside web accounts this can
		force a split/break since they probably won't go sync their  
passwords on all of their websites.

I've looked around and found a number of arguments (pro and con) on  
requiring password changing.
some of the most interesting at entertaining are on "Spaf"s" blog  
where he makes a case against  it :


I also found an entire site dedicated to articles and studies/surveys  
on passwords (www.passwordresearch.com/)
as well as a report on passwords at http://www.csoonline.com/ 
csoresearch/report64.html but
all of the reports and surveys are from industry rather than academia.

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sans.org/pipermail/unisog/attachments/20070505/3ac8671d/attachment.htm 

More information about the unisog mailing list