
This question is quite basic, but it bugs me and I'm sure it bugs a lot of other people as well.

What is the real security benefit to forcing users to change their password say every 60 days or every 90 days?

Benefits

  • Compromised credentials are useless after a short period of time.

Drawbacks

  • User resorts to easily remembered password increment schemes—password1, password2, passwordN.
  • User is forced to expose passwords on other mediums to recall them—post-it note, other devices, etc.
  • User has to reference exposed passwords increasing vectors for attack, as compared to a recalled-from-memory password.

It seems there are more drawbacks than benefits, so why is this security practice so prevalent?

Update from FTC article which shares some of my concerns:

The Carleton researchers also point out that an attacker who already knows a user’s password is unlikely to be thwarted by a password change. As the UNC researchers demonstrated, once an attacker knows a password, they are often able to guess the user’s next password fairly easily. In addition, an attacker who has gained access to a user’s account once may be able to install a key logger or other malware that will allow them to continue to access the system, even if the user changes their password.

Similarly, they share the same hypothesis.

While we don’t yet have a controlled study demonstrating the impact of password expiration policies on user behavior, there is quite a bit of evidence to suggest that these policies may be counterproductive.

Link: Time to rethink mandatory password changes

James
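One defender-side check against the increment drawback the question names (password1, password2, passwordN): an added example, not code from the post or either answer, that rejects a new password when it is only a trivial transform of the old one. The edit-distance threshold, the substitution table and the function names are assumptions for illustration.

```python
import re

# Assumed table of common character substitutions, undone before comparison.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Strip leading/trailing digits and punctuation, undo substitutions, lower-case."""
    core = re.sub(r"[\d\W_]+$", "", pw)   # drop trailing counters like '2024!' or '3'
    core = re.sub(r"^[\d\W_]+", "", core)  # and leading ones
    return core.translate(LEET).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small values mean 'password1 -> password2' style changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True if `new` is derived from `old` by an increment, suffix, case/leet or reversal."""
    if new == old or levenshtein(old, new) <= max_edits:
        return True
    old_core, new_core = normalize(old), normalize(new)
    if len(old_core) < 4:              # too little left to compare meaningfully
        return False
    if old_core == new_core or new_core == old_core[::-1]:
        return True
    return old_core in new_core or new_core in old_core   # prefix/suffix padding


if __name__ == "__main__":
    # Constructed sample of an expiry-driven rotation history.
    for old_pw, new_pw in [("password1", "password2"), ("Password1", "P@ssw0rd2"),
                           ("correcthorse", "correcthorsebattery"),
                           ("tr0ub4dor&3", "mountain-river-7")]:
        print(f"{old_pw!r} -> {new_pw!r}: trivial={is_trivial_change(old_pw, new_pw)}")
```

The check needs the old plaintext at change time, so it belongs in the change-password handler (where the user supplies the current password), not in a job run against stored hashes.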

2 Answers

3

Supposing that the hashing function was correctly selected, it should take more than 60 days to crack a password that follows correctly selected password policies.

Therefore, if a malicious actor has permanent read access to your credentials database, since they would only have access to hashes, and since the hashes would change before a password would be cracked, the passwords would still be safe.

niilzon
1

The only benefit is that the window of use for a stolen credential is at most the time period that the credential is valid, so even slow attacks will have little to no window of opportunity to work. This is at most useful for high-security setups / users with elevated permissions (e.g. admins). As you clearly specify, it can actually lower the security for many users due to poor security practices (like post-its with passwords on screens / sequential passwords / etc.).

Most often it is much better from a security standpoint to implement an SSO that yields the program a token with limited value (e.g. time-bound) and have the user log in to the SSO with a longer-valid username/password/2nd factor to prevent abuse.

All of this is assuming you have proper backup strategies and backups simply do not contain password information.

As always there is a benefit to regularly changing your password to prevent all sorts of abuse. Whether the 90 days is good is a local matter.

LvB