[unisog] Anyone have a citation for an academic research study on whether mandatory password changes increase security?

Saul Tannenbaum Saul.Tannenbaum at tufts.edu
Mon May 7 15:42:17 GMT 2007

H. Morrow Long wrote:
> Anyone have a citation for an academic research study on whether 
> mandatory password expiration and changes increase security?
> Any stats or numbers quantifying how much and in what ways requiring 
> password changing increases security?

While it isn't peer reviewed, the National Institute of Standards
and Technology has a paper on "Electronic Authentication
Guidelines" that includes, in Appendix A, an attempt to
provide some empirical guidelines for password entropy,
and a framework in which to trade off password length,
rules, and the number of password guesses an attacker
can attempt. Password changes do limit the number
of guesses, if one assumes a scenario of a relatively
slow password guessing attack.

This paper can be found at: 


It's currently in revision, with a new version to be out
shortly. One of the authors presented at the Internet 2
meeting, and the archived Powerpoint can be found at:


The Federal Eauthentication effort has an entropy spreadsheet
that can be found at:


along with other documentation.

From all this, you could put your credential profile into
the spreadsheet and vary the expiration policy and see
what your exposure is.

Out of curiosity, I scanned the bibliographies of this work, 
and couldn't find any academic papers cited.

	- Saul

Saul Tannenbaum, Associate Director,  |"Every year, I get more and
    University Systems,               | more cynical, but somehow I
    University Information Technology | just can't keep up."
    Tufts University                  |          - Lily Tomlin
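The trade-off described in the post (entropy versus the number of guesses an attacker can make during a password's lifetime) can be worked through in a few lines. The following is an added example, not part of the original post and not NIST's spreadsheet: it reproduces the SP 800-63 Appendix A entropy heuristic for user-chosen passwords (4 bits for the first character, 2 bits each for characters 2 to 8, 1.5 bits each for characters 9 to 20, 1 bit per character after that, plus a 6-bit bonus for a composition rule and up to 6 bits for a dictionary check) and the Level 1 and Level 2 lifetime guessing-probability targets of 1/1024 and 1/16384. The dictionary bonus is simplified to "6 bits for passwords of 20 characters or fewer, 0 otherwise", which is an assumption; the throttling rates and expiry periods in the sample are constructed inputs.

```python
"""Password-expiry exposure model in the style of NIST SP 800-63 Appendix A (added example)."""

# Maximum probability that an online guesser succeeds over the password's lifetime
# (SP 800-63 v1 targets for assurance Levels 1 and 2).
LEVEL1_MAX_PROB = 1 / 1024
LEVEL2_MAX_PROB = 1 / 16384


def nist_entropy_bits(length, composition_rule=False, dictionary_check=False):
    """Estimate the entropy of a user-chosen password with the Appendix A heuristic."""
    if length < 1:
        return 0.0
    bits = 4.0                                   # first character
    bits += 2.0 * min(length - 1, 7)             # characters 2-8
    bits += 1.5 * max(0, min(length, 20) - 8)    # characters 9-20
    bits += 1.0 * max(0, length - 20)            # characters 21 and beyond
    if composition_rule:                         # upper case plus non-alphabetic required
        bits += 6.0
    if dictionary_check and length <= 20:        # assumption: simplified dictionary bonus
        bits += 6.0
    return bits


def guesses_in_lifetime(guesses_per_day, lifetime_days):
    """Guesses an attacker gets before the password expires, given a throttling limit."""
    return guesses_per_day * lifetime_days


def success_probability(entropy_bits, guesses):
    """Upper bound on online guessing success, treating the entropy as a uniform keyspace."""
    return min(1.0, guesses / 2 ** entropy_bits)


def max_lifetime_days(entropy_bits, guesses_per_day, target_probability):
    """Longest expiry period that keeps lifetime guessing probability under the target."""
    return target_probability * 2 ** entropy_bits / guesses_per_day


def exposure_report(length, composition_rule, dictionary_check, guesses_per_day, lifetime_days):
    """Return (entropy bits, success probability, meets Level 1, meets Level 2)."""
    bits = nist_entropy_bits(length, composition_rule, dictionary_check)
    prob = success_probability(bits, guesses_in_lifetime(guesses_per_day, lifetime_days))
    return bits, prob, prob <= LEVEL1_MAX_PROB, prob <= LEVEL2_MAX_PROB


if __name__ == "__main__":
    # Constructed scenario: 8-character passwords with composition and dictionary rules,
    # an attacker throttled to 1000 failed attempts per account per day.
    for days in (30, 90, 180, 365):
        bits, prob, l1, l2 = exposure_report(8, True, True, 1000, days)
        print(f"expiry {days:>3} days: {bits:.1f} bits, P(success)={prob:.2e}, "
              f"Level1={'ok' if l1 else 'FAIL'}, Level2={'ok' if l2 else 'FAIL'}")
    print(f"max Level 2 lifetime at 1000 guesses/day: "
          f"{max_lifetime_days(30.0, 1000, LEVEL2_MAX_PROB):.1f} days")
```

Running the sample shows the point the post makes: with a fixed throttling rate, shortening the expiry period shrinks the attacker's guess budget and the computed exposure, and the same framework lets you instead lengthen the password or tighten throttling to reach the same target without forcing changes.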
