[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Saul Tannenbaum Saul.Tannenbaum at tufts.edu
Mon May 7 15:42:17 GMT 2007


H. Morrow Long wrote:
> Anyone have a citation for an academic research study on whether 
> mandatory password expiration and changes increase security?
> 
> Any stats or numbers quantifying how much and in what ways requiring 
> password changing increases security?


While it isn't peer reviewed, the National Institute of Standards
and Technology has a paper on "Electronic Authentication
Guidelines" that includes, in Appendix A, an attempt to
provide some empirical guidelines for password entropy,
and a framework in which to trade off password length,
rules, and the number of password guesses an attacker
can attempt. Password changes do limit the number
of guesses, if one assumes a scenario of a relatively
slow password guessing attack.

This paper can be found at: 

http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf

It's currently in revision, with a new version to be out
shortly. One of the authors presented at the Internet 2
meeting, and the archived Powerpoint can be found at:

http://events.internet2.edu/2007/spring-mm/sessionDetails.cfm?session=3181&event=267

The Federal Eauthentication effort has an entropy spreadsheet
that can be found at:

http://www.cio.gov/eauthentication/CredSuite.htm

along with other documentation.

From all this, you could put your credential profile into
the spreadsheet and vary the expiration policy and see
what your exposure is.

Out of curiosity, I scanned the bibliographies of this work, 
and couldn't find any academic papers cited.

	- Saul


-- 
Saul Tannenbaum, Associate Director,  |"Every year, I get more and
    University Systems,               | more cynical, but somehow I
    University Information Technology | just can't keep up."
    Tufts University                  |          - Lily Tomlin
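The trade-off Saul describes (entropy estimate versus the number of guesses an attacker can make before the password expires) can be worked through directly. The following is an added example, not code from the list, from NIST, or from the E-Authentication spreadsheet. It uses the per-character entropy credits, composition and dictionary bonuses, and the Level 1 / Level 2 online-guessing targets (1 in 1024 and 1 in 16384 over the password's lifetime) from Appendix A of SP 800-63 v1.0.2; the shape of the dictionary-bonus taper and the attacker's guess rate are assumptions and are marked as such in the code.

```python
"""Password expiration versus online-guessing exposure, after NIST SP 800-63
(v1.0.2) Appendix A. Added example; not NIST's or the list's code. The
attacker guess rate in main() is a constructed scenario."""

# Appendix A targets: maximum probability that an online guessing attack
# succeeds over the lifetime of the password, by assurance level.
LEVEL_TARGETS = {1: 2 ** -10, 2: 2 ** -14}


def nist_entropy_bits(length: int, composition_rule: bool = False,
                      dictionary_check: bool = False) -> float:
    """Estimate the entropy of a user-chosen password per Appendix A.

    Credits: 4 bits for the first character, 2 bits each for characters
    2-8, 1.5 bits each for characters 9-20, 1 bit each beyond 20; plus a
    6-bit bonus for a composition rule (upper case and non-alphabetic
    characters required) and up to 6 bits for an extensive dictionary
    check, a bonus that declines to zero at 20 characters.
    ASSUMPTION: the decline is modelled as linear between 8 and 20
    characters; check exact values against the Appendix A table.
    """
    if length <= 0:
        return 0.0
    bits = 4.0                                  # first character
    bits += 2.0 * min(length - 1, 7)            # characters 2..8
    if length > 8:
        bits += 1.5 * min(length - 8, 12)       # characters 9..20
    if length > 20:
        bits += 1.0 * (length - 20)             # characters 21+
    if composition_rule:
        bits += 6.0
    if dictionary_check:
        if length <= 8:
            bits += 6.0
        elif length < 20:
            bits += 6.0 * (20 - length) / 12    # assumed linear taper
    return bits


def guess_success_probability(entropy_bits: float, guesses_per_day: float,
                              lifetime_days: float) -> float:
    """Chance the attacker finds the password before it expires.

    Treats the entropy estimate as a uniform space of 2**entropy_bits
    candidates, as Appendix A does; a throttled/locked-out online attack
    makes guesses_per_day guesses for lifetime_days days.
    """
    total_guesses = guesses_per_day * lifetime_days
    return min(1.0, total_guesses / 2 ** entropy_bits)


def meets_level(entropy_bits: float, guesses_per_day: float,
                lifetime_days: float, level: int) -> bool:
    """True if the expiration policy keeps exposure under the level's target."""
    return guess_success_probability(entropy_bits, guesses_per_day,
                                     lifetime_days) <= LEVEL_TARGETS[level]


def max_lifetime_days(entropy_bits: float, guesses_per_day: float,
                      level: int) -> float:
    """Longest password lifetime that still meets the level's target."""
    return LEVEL_TARGETS[level] * 2 ** entropy_bits / guesses_per_day


if __name__ == "__main__":
    # Constructed scenario: lockout limits the attacker to 100 online
    # guesses per account per day (a slow attack; offline cracking of a
    # stolen hash is not bounded by this model at all).
    rate = 100.0
    policies = [
        ("8 chars, no rules", nist_entropy_bits(8)),
        ("8 chars, composition + dictionary", nist_entropy_bits(8, True, True)),
    ]
    for label, bits in policies:
        for days in (30, 90, 365):
            p = guess_success_probability(bits, rate, days)
            ok = "ok" if meets_level(bits, rate, days, 1) else "FAIL"
            print(f"{label:34s} {bits:4.1f} bits  expire {days:3d}d  "
                  f"p={p:.2e}  Level 1 {ok}")
        print(f"  longest lifetime meeting Level 1: "
              f"{max_lifetime_days(bits, rate, 1):.1f} days")
```

Run as-is, the script shows the point the message makes: expiration only buys anything within the slow-online-guessing model, and there it is the entropy term that dominates. With the constructed 100 guesses/day, an 18-bit password (8 characters, no rules) would have to expire every 2.56 days to meet Level 1, while the 30-bit policy meets Level 2 even at a one-year lifetime. Vary `rate` and the lifetimes to reproduce the "vary the expiration policy and see what your exposure is" exercise.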


