[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?
Saul.Tannenbaum at tufts.edu
Mon May 7 15:42:17 GMT 2007
H. Morrow Long wrote:
> Anyone have a citation for an academic research study on whether
> mandatory password expiration and changes increase security?
> Any stats or numbers quantifying how much and in what ways requiring
> password changing increases security?
While it isn't peer reviewed, the National Institute of Standards
and Technology has a paper on "Electronic Authentication
Guidelines" that includes, in Appendix A, an attempt to
provide some empirical guidelines for password entropy,
and a framework in which to trade off password length,
rules, and the number of password guesses an attacker
can attempt. Password changes do limit the number
of guesses, if one assumes a scenario of a relatively
slow password guessing attack.
This paper can be found at:
It's currently in revision, with a new version to be out
shortly. One of the authors presented at the Internet 2
meeting, and the archived Powerpoint can be found at:
The Federal E-Authentication effort has an entropy spreadsheet
that can be found at:
along with other documentation.
From all this, you could put your credential profile into
the spreadsheet and vary the expiration policy and see
what your exposure is.
Out of curiosity, I scanned the bibliographies of this work,
and couldn't find any academic papers cited.
Saul Tannenbaum, Associate Director,
University Systems,
University Information Technology
Tufts University

"Every year, I get more and more cynical, but somehow I just can't keep up."
- Lily Tomlin
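The post describes a framework in which password entropy, the rate at which an attacker can guess, and the password's lifetime together bound the attacker's exposure, and notes that expiration only helps against a relatively slow (online) guessing attack. The following is an added example, not code from the original post and not the NIST spreadsheet it refers to; it is a deliberately simplified model that treats the attacker's success probability as guesses made divided by keyspace size. All entropy values, guess rates and lifetimes in it are constructed assumptions.

```python
"""Simplified online-guessing exposure model (added example, not NIST's).

Models the tradeoff the post describes: given an estimated password
entropy, an attacker's sustained guess rate and the password lifetime,
bound the attacker's probability of success and show how expiration
changes it. Assumes a uniform keyspace of 2**entropy_bits and one fresh
candidate per guess; it is an upper bound, not a measurement.
"""
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class Scenario:
    entropy_bits: float        # estimated password entropy (assumed value)
    guesses_per_minute: float  # attacker's sustained guess rate (assumed value)
    lifetime_days: float       # days until the password must be changed


def guesses_possible(s: Scenario) -> float:
    """Total guesses the attacker can make before the password expires."""
    return s.guesses_per_minute * MINUTES_PER_DAY * s.lifetime_days


def success_probability(s: Scenario) -> float:
    """Upper bound on the attacker's chance of hitting the password
    within its lifetime: guesses made divided by keyspace size, capped at 1."""
    keyspace = 2.0 ** s.entropy_bits
    return min(1.0, guesses_possible(s) / keyspace)


def lifetime_for_target(entropy_bits: float, guesses_per_minute: float,
                        target_probability: float) -> float:
    """Longest lifetime (in days) that keeps success_probability at or
    below target_probability, for a fixed entropy and guess rate."""
    allowed_guesses = target_probability * 2.0 ** entropy_bits
    return allowed_guesses / (guesses_per_minute * MINUTES_PER_DAY)


def compare_lifetimes(entropy_bits: float, guesses_per_minute: float,
                      lifetimes: list) -> dict:
    """Map each candidate lifetime (days) to the bounded success probability,
    so an expiration policy can be varied while entropy and rate stay fixed."""
    return {
        days: success_probability(Scenario(entropy_bits, guesses_per_minute, days))
        for days in lifetimes
    }


if __name__ == "__main__":
    # Constructed scenario: ~30 bits of entropy, a throttled online attacker
    # managing 10 guesses per minute against one account.
    online = compare_lifetimes(30, 10, [30, 90, 365, 3650])
    for days, p in online.items():
        print(f"online attack, lifetime {days:>5} days: P(success) <= {p:.4%}")
    print("lifetime keeping P(success) <= 2^-10:",
          f"{lifetime_for_target(30, 10, 2 ** -10):.1f} days")

    # The caveat from the post: once an attacker holds the password hash,
    # guessing is no longer slow, and expiration does not bound the guesses.
    # Constructed offline rate: 1e9 guesses per second.
    offline = Scenario(30, 1e9 * 60, lifetime_days=1)
    print(f"offline attack, lifetime 1 day: P(success) <= {success_probability(offline):.0%}")
```

Varying `lifetime_days` while holding the entropy and guess rate fixed is the same exercise the post suggests doing in the spreadsheet; the offline scenario shows why the bound says nothing useful once the attacker's rate is not limited by the authentication service.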