This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor
!!! Overview
[{$pagename}] or Forced [Password Change] is a long-standing security practice intended to periodically lock out unauthorized users who have learned users' [passwords]: whatever was stolen stops working once the legitimate user is forced to pick something new.
While some experts began [questioning this practice|http://cups.cs.cmu.edu/passwords.html|target='_blank'] at least a decade ago, only in recent years has published research provided evidence that this practice is less beneficial than previously thought, and sometimes counterproductive. A few papers and articles that address this issue:
* [Microsoft- removing password-expiration policies|https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/|target='_blank']
** "When [humans] are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords."
* [The Security of Modern Password Expiration An Algorithmic Framework and Empirical Analysis|https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf|target='_blank']
* [Quantitative measure of the impact of password expiration policies|http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf|target='_blank']
* [Time to rethink mandatory password changes|https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes|target='_blank']
[NIST.SP.800-63B] ([2016|Year 2016]), Microsoft and [Bruce Schneier] recommend that passwords [SHOULD NOT] be arbitrarily expired after some interval. Note the caveat in SP 800-63B: verifiers SHOULD NOT require memorized secrets to be changed periodically, but they SHALL force a change when there is evidence that the authenticator has been compromised. The recommendation is against __scheduled__ expiration, not against rotation in response to a known breach.
The [National Institute of Standards and Technology] ([NIST]) explained in a [2009|Year 2009] publication on enterprise password management (Draft SP 800-118, Guide to Enterprise Password Management) that while password expiration mechanisms are "beneficial for reducing the impact of some password compromises", they are "__ineffective__ for others" and "[often a source of __frustration__ to users.|user Experience]" It went on to encourage [organizations|Organizational Entity] to balance [security] and [usability] needs, outlining some factors to consider. [NIST] emphasized that other aspects of password policies may have greater benefits than mandatory expiration, including requirements for password length and complexity, as well as use of slow [hash Functions] with a well-chosen per-user "[salt]" (a random value mixed into the hash so that two users with the same password do not produce the same stored hash, and a precomputed table cannot be reused across accounts).
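The two practical points above (Microsoft's "small and predictable alteration" observation, and NIST's preference for slow, salted hashing over scheduled expiration) can be shown in code. The following is an added example written for this page, not code from NIST, Microsoft or any of the cited papers. It stores passwords with PBKDF2-HMAC-SHA256 and a fresh 16-byte salt, verifies them in constant time, and rejects a new password that is a low-effort transformation of the old one. The storage string format, the transformation heuristics in `_core` and `is_predictable_variant` (loosely modelled on the transform classes Zhang, Monrose and Reiter studied: case changes, leet substitutions, leading/trailing digits or symbols, substring extension, reversal) and the sample passwords are all this example's own choices.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# OWASP (2023) work factor for PBKDF2-HMAC-SHA256; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash with a slow KDF and a per-user random salt.

    Returns a self-describing string 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'
    (the format is this example's own) so the work factor can be raised later
    without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh salt: equal passwords produce different hashes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Undo common "leet" substitutions: p@ssw0rd -> password (mapping is an assumption).
_LEET = str.maketrans("@$0134", "asolea")


def _core(password: str) -> str:
    """Reduce a password to the part users tend to keep across forced changes:
    lowercase it, drop leading/trailing digits and symbols (the
    'Summer2023!' -> 'Summer2024!' pattern), then undo leet substitutions."""
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return (stripped or lowered).translate(_LEET)


def is_predictable_variant(old: str, new: str) -> bool:
    """True if `new` is one of the cheap transformations of `old` that
    expiration policies provoke. Heuristics are this example's own."""
    if new == old:
        return True
    old_core, new_core = _core(old), _core(new)
    if old_core == new_core:                     # only case, leet or affix changed
        return True
    if new_core == old_core[::-1]:               # reversal
        return True
    shorter, longer = sorted((old_core, new_core), key=len)
    if len(shorter) >= 4 and shorter in longer:  # old core extended or trimmed
        return True
    return False


def change_password(stored: str, old: str, new: str) -> str:
    """Handle a user-initiated change (e.g. after evidence of compromise):
    prove knowledge of the old password, reject a predictable variant,
    store the new one with a fresh salt."""
    if not verify_password(old, stored):
        raise ValueError("current password incorrect")
    if is_predictable_variant(old, new):
        raise ValueError("new password is a trivial variant of the old one")
    return hash_password(new)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    record = hash_password("Summer2023!")
    print("verify ok:", verify_password("Summer2023!", record))
    print("Summer2024! predictable:", is_predictable_variant("Summer2023!", "Summer2024!"))
    print("P@ssw0rd -> Password1 predictable:", is_predictable_variant("P@ssw0rd", "Password1"))
    print(change_password(record, "Summer2023!", "correct horse battery staple")[:40], "...")
```

The variant check runs only at change time, when both the old and the new plaintext are in hand; it cannot be run later against stored hashes, which is one reason a salted slow hash and a change-on-compromise policy do more than a calendar-driven expiry.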
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [questioning this practice|http://cups.cs.cmu.edu/passwords.html|target='_blank'] - based on information obtained 2019-07-13
* [#2] - [Microsoft- removing password-expiration policies|https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/|target='_blank'] - based on information obtained 2019-07-13
* [#3] - [Quantitative measure of the impact of password expiration policies|http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf|target='_blank'] - based on information obtained 2019-07-13
* [#4] - [Time to rethink mandatory password changes|https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes|target='_blank'] - based on information obtained 2019-07-13