[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?
H. Morrow Long
morrow.long at yale.edu
Sat May 5 17:31:49 GMT 2007
Anyone have a citation for an academic research study on whether
mandatory password expiration and changes increase security?
Any stats or numbers quantifying how much and in what ways requiring
password changing increases security?
I know all of the rationale (and I believe in it) behind it, but we
need #s (and a paper from a peer-reviewed journal):
1. It automatically disables old unused accounts (which should have been disabled already).
2. It limits the amount of time accounts may be compromised.
3. Combined with increased quality checks it improves password
4. If users are using the same password for their University account as on outside web accounts, this can force a split/break since they probably won't go sync their passwords on all of their websites.
I've looked around and found a number of arguments (pro and con) on
requiring password changing.
Some of the most interesting and entertaining are on Spaf's blog,
where he makes a case against it:
I also found an entire site dedicated to articles and studies/surveys
on passwords (www.passwordresearch.com/)
as well as a report on passwords at http://www.csoonline.com/
All of the reports and surveys are from industry rather than academia.
- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS