[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Michael Holstein michael.holstein at csuohio.edu
Mon May 7 12:50:28 GMT 2007


Drat .. fat-fingered it.

What I meant was ..

c0mplexpa$$w0rd1
c0mplexpa$$w0rd2
c0mplexpa$$w0rd3

(and this says nothing of the many times we've all been into somebody's 
office and seen the password on a post-it attached to the monitor).

2-factor auth you say? .. The same thing will happen with smartcards .. 
we'll see them in the desk drawer, post-it attached.

That said, forcing changes does at least reduce the window that a 
potential attacker has to brute-force the hashed password .. but then 
again, I'm sure most of you have tried L0phtcrack against a domain and 
watched as like >80% are found in under a day.

My $0.02

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

Michael Holstein wrote:
>> Anyone have a citation for an academic research study on whether 
>> mandatory password expiration and changes increase security?
> 
> The main problem with this is (as always) the human element.
> 
> People will choose a sufficiently complex password to satisfy your 
> filter, and then just get annoyed at changing it. eg:
> 
> c0mplexpa$$w0rd
> 
> (and then)
> 
> c0mplexpa$$w0rd
> c0mplexpa$$w0rd
> c0mplexpa$$w0rd
> 

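A defender-side check for the rotation pattern described above (keep the word, bump the trailing digit), written as an added example and not part of the original post. It assumes the password-change handler sees both the old and the proposed password in clear, as a PAM-style change hook does, and that the prior plaintexts are available at change time (hypothetical `history` list).

```python
import re
from difflib import SequenceMatcher

# Reverse common "leet" substitutions so c0mplexpa$$w0rd and complexpassword
# collapse to the same base word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a"})

def normalize(pw: str) -> str:
    """Canonical form: lowercase, drop a trailing counter or punctuation
    (…1, …2, …3, …!), then undo leet-speak."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)

def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is `old` with a counter bumped, a suffix added, or
    only a few characters changed (similarity ratio >= threshold)."""
    if normalize(old) == normalize(new):
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold

def check_change(history: list, new: str) -> tuple:
    """Accept or reject a proposed password against every prior password."""
    for i, old in enumerate(history):
        if is_trivial_variant(old, new):
            return False, "too similar to password #%d in history" % (i + 1)
    return True, "ok"

if __name__ == "__main__":
    # Constructed history mirroring the rotation sequence from the post.
    history = ["c0mplexpa$$w0rd", "c0mplexpa$$w0rd1", "c0mplexpa$$w0rd2"]
    for candidate in ["c0mplexpa$$w0rd3", "C0MPLEXPA$$W0RD!", "Tr4ctor-beam-sky-9"]:
        print(candidate, check_change(history, candidate))
```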