[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Gary Dobbins dobbins at nd.edu
Sun May 6 18:52:24 GMT 2007

Consider that most studies and lore tend to focus on the relative
strengths of the passwords themselves (i.e. how long it would take to
crack one).  But, if we consider the threats you're actually trying to
counteract, such as users' tendency to share passwords with others, or
use them on third party sites, then the math becomes less important.


You probably aren't trying to counteract someone getting a copy of
your KDC database, or pounding a brute-force against a login prompt
for weeks on end, because there are easier ways to deal with those and
you've probably already fortified them.


It's probably the case that you're just trying to counteract users'
human nature, which calls for mechanisms which help maintain the
secrecy of their passwords over time.  Periodic changes may be
annoying, but if you also help them with mnemonic ideas, you'll be
helping users keep their passwords a personal secret ongoing - your
true objective I'm supposing.



From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of H. Morrow Long
Sent: Saturday, May 05, 2007 1:32 PM
To: security at educause.edu
Cc: UNIversity Security Operations Group
Subject: [unisog] Anyone have a citation for an academic research
study on whether mandatory password changes increase security?


Anyone have a citation for an academic research study on whether
mandatory password expiration and changes increase security?


Any stats or numbers quantifying how much and in what ways requiring
password changing increases security?


I know all of the rationale (and I believe in it) behind it, but we
need #s (and a paper from a peer-reviewed journal):

          1.         It automatically disables old unused accounts
(which should have been disabled already).

          2.         It limits the amount of time accounts may be

          3.         Combined with increased quality checks it
improves password strength.

          4.         If users are using the same password for their
University account as on outside web accounts, this can force a
split/break since they probably won't go sync their passwords on all
of their websites.


I've looked around and found a number of arguments (pro and con) on
requiring password changing.

Some of the most interesting and entertaining are on Spaf's blog,
where he makes a case against it:




I also found an entire site dedicated to articles and studies/surveys
on passwords (<http://www.passwordresearch.com/>), as well as a report
on passwords at http://www.csoonline.com/csoresearch/report64.html, but
all of the reports and surveys are from industry rather than academia.


- H. Morrow Long, CISSP, CISM, CEH

  University Information Security Officer

  Director -- Information Security Office

  Yale University, ITS


