QotW #1: How does changing your password every 90 days increase security?

2011-07-15. 2 comments

Question of the Week #1

How does changing your password every 90 days increase security? As selected by @HendrikBrummermann, this has been one of our more popular posts, with discussion of the reasons for password expiration:

  • To mitigate the problems that would occur if an attacker acquired the password hashes of your system
  • It prevents people who use the same password for everything from getting your system compromised if their password is figured out somewhere else
  • Compliance reduces the risk of penalties for non-compliance (thanks @AviD)
  • By resetting the password every X days we are telling the user: this is important and should not be taken lightly

And against password expiration:

  • Your password, and the attacker’s guess at your password, are independent. The probability that the attacker’s next guess is correct is the same even if you change your password first.
  • Nothing encourages passwords on post-its quite like frequent expiration, especially if there are also high complexity requirements
  • It annoys users
  • They end up having to work out a new password, which research shows is often derived from the previous one in a way that is very easy to crack nearly half the time
  • You can expect additional support costs to cover users who have forgotten their new password

How to balance the pluses and minuses depends on your organisation’s risk profile and other requirements.
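To make the two sides of that trade-off concrete, here is a small toy model (added for this post, not from the original question or its answers; the day counts and password-space size are illustrative assumptions): online guessing succeeds at the same rate with or without rotation, while rotation bounds how long a silently compromised credential, or a cracked stolen hash, stays usable.

```python
"""Toy model of the password-expiration arguments above (illustrative numbers)."""
from fractions import Fraction
from typing import Optional


def online_guess_success(space_size: int, guesses: int) -> Fraction:
    """Probability that `guesses` independent uniform online guesses hit a
    password drawn uniformly from `space_size` candidates. The rotation period
    does not appear here: each guess is an independent 1/space_size chance
    whether or not the user changed the password in between."""
    miss = Fraction(space_size - 1, space_size)
    return 1 - miss ** guesses


def exposure_days(compromise_day: int, rotation_days: Optional[int],
                  horizon_days: int) -> int:
    """Days an unknowingly compromised credential stays valid if it leaks on
    `compromise_day` (0-based). Without rotation it lasts until the horizon;
    with rotation every `rotation_days` it dies at the next boundary."""
    if rotation_days is None:
        return horizon_days - compromise_day
    next_rotation = (compromise_day // rotation_days + 1) * rotation_days
    return min(next_rotation, horizon_days) - compromise_day


def mean_exposure_days(rotation_days: Optional[int], horizon_days: int) -> Fraction:
    """Average exposure over every possible leak day within the horizon."""
    total = sum(exposure_days(d, rotation_days, horizon_days)
                for d in range(horizon_days))
    return Fraction(total, horizon_days)


def cracked_hash_still_valid(crack_days: int, leak_day: int,
                             rotation_days: int) -> bool:
    """A stolen hash that takes `crack_days` of offline work is only useful if
    the password is still in effect when cracking finishes."""
    days_until_rotation = rotation_days - leak_day % rotation_days
    return crack_days < days_until_rotation


if __name__ == "__main__":
    # Same online-guessing odds regardless of policy (assumed 1000-word space).
    print("10 online guesses:", float(online_guess_success(1000, 10)))
    # Rotation shrinks the average window a leaked credential stays usable.
    print("mean exposure, no rotation:", mean_exposure_days(None, 360))
    print("mean exposure, 90-day rotation:", mean_exposure_days(90, 360))
    # A 30-day crack finishes in time; a 100-day crack yields an expired password.
    print(cracked_hash_still_valid(30, 10, 90), cracked_hash_still_valid(100, 10, 90))
```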

An alternative to password expirations is requiring stronger passwords, and we have questions and research on that also.

The associated question – Why do sites implement locking after 3 failed attempts – details another aspect of the defence against brute forcing, and discusses why 3 may or may not be a suitable number.

These questions, answers and commentary are well worth a read if you are trying to set a password expiry policy in your own organisation, or want some background as to the risks.

Filed under Password



  • MikeInOmaha says:

    While they’re all valiant tries, the list of reasons “FOR” is missing it entirely. The sole reason behind the 60/90 day rule is to reduce exposure if a p/w is compromised unknowingly. Once the p/w changes, the intruder will lose their access by way of those credentials at minimum.

  • Havenless says:

    If you’re compromised, important people will want to know why you didn’t follow “industry standard practice”.

    It’s industry standard practice because everyone follows it.

    Everyone follows it because it’s industry standard practice.