Yet another crosspost. Been a little while for the security blog, but there's always neat stuff coming out of ACM CCS. I expect I'll hear more about it when I head in to work this week.
I've heard a lot of arguments as to why expiring passwords likely won't help. Here's a few:
- It's easy to install malware on a machine, so the new password will be sniffed just like the old.
- It costs more: frequent password changes result in more forgotten passwords and support desk calls.
- It irritates users, who will then feel less motivated to implement other security measures.
- Constantly forcing people to think of new, memorable passwords leads to cognitive shortcuts like password-Sep, password-Oct, password-Nov...
And yet, many organizations continue to force regular password changes in order to improve security. But what if that's not what's really happening? Three researchers from the University of North Carolina at Chapel Hill have unveiled what they claim to be the first large-scale study on password expiration, and they found it wanting.
(Read the rest here.)