[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Clark Gaylord cgaylord at vt.edu
Sun May 6 05:39:32 GMT 2007

I've always wanted to see someone study this too, like any other risk 
quantification. It is dauntingly difficult.

One of the most important pieces of infosec folklore: when in doubt, 
Spaf is probably right.

On difficulty: we know that people will do stupid things with passwords 
if we make them both a) difficult to remember and b) change frequently. 
But how do you expect to really quantify all the possible scenarios and 
risk factors associated with the known poor practices that inevitably ensue?


H. Morrow Long wrote:
> Anyone have a citation for an academic research study on whether 
> mandatory password expiration and changes increase security?
> Any stats or numbers quantifying how much and in what ways requiring 
> password changing increases security?
> I know all of the rationale (and I believe in it) behind it, but we 
> need #s (and a paper from a peer-reviewed journal):
> 1. It automatically disables old unused accounts (which should have 
> been disabled already).
> 2. It limits the amount of time accounts may be compromised
> 3. Combined with increased quality checks it improves password strength.
> 4. If users are using the same password for their University account 
> as on outside web accounts, this can force a split/break since they 
> probably won't go sync their passwords on all of their websites.
> I've looked around and found a number of arguments (pro and con) on 
> requiring password changing.
> Some of the most interesting and entertaining are on "Spaf"'s blog, 
> where he makes a case against it:
>  http://www.cerias.purdue.edu/weblogs/spaf/general/post-30/ 
> I also found an entire site dedicated to articles and studies/surveys 
> on passwords (http://www.passwordresearch.com/) as well as a report on 
> passwords at http://www.csoonline.com/csoresearch/report64.html, but 
> all of the reports and surveys are from industry rather than academia.
> - H. Morrow Long, CISSP, CISM, CEH
>   University Information Security Officer
>   Director -- Information Security Office
>   Yale University, ITS
