Date: Thu, 21 Apr 2016 11:04:46 -0400
From: Matt Weir <>
Subject: Re: Mandatory password changes - DIEDIEDIE!

My biggest issue with mandatory password change policies is decision makers
often use the wrong threat model when considering if it is worthwhile.

The theory that mandatory password change policies help protect against an
advanced adversary, (what people typically think of as a hacker), is as far
as I can tell, unfounded. I don't think I need to go into this point in too
much detail considering the current audience here, but if you are looking
for published studies on how hard it is to crack passwords with PW change
policies in place, the following paper from the University of North
Carolina is the gold standard:

As far as the opinion of industry experts/ red team members goes, I'd
recommend checking out any talk from Rick Redman. Here is a good example of

While much more anecdotal, I've personally never talked to anyone
performing penetration tests or in the password cracking community who
said, "I would have broken into that system, but I was stopped by a
password change policy". If anyone here has a story about password change
policies being effective against hackers, I would be *highly* interested in
hearing about it.


So when it comes to pro arguments for password change policies there are
two other ones I can think of, one of which I'll vouch for. First though,
one that I'm not a huge fan of.

1) Mandatory password change policies can help protect sites from users who
employ password reuse across multiple sites.

Users re-use passwords. This shouldn't be a controversial statement. Having
a policy that users must use a unique password is also unenforceable. Yes a
site can add that in their EULA, but there's no way they can guarantee a
user has a unique password without assigning one to the user. This is where
password change policies come in. The thinking goes that by forcing the
user to change their password the site can eventually force a user to
change their password to something else that isn't the same as other
passwords they have used.

My biggest counterargument to this is that attackers have taken this into
account when re-using stolen credentials against other sites. There was a
great article about this that for the life of me I can't find, though if I
do I'll go ahead and post it, that talks about variations of stolen
passwords being used against accounts on a popular gaming server (I'm
pretty sure it was RIFT). Long story short, there is some truth to this
theory for making users change their passwords, but the protection provided
is usually more limited than expected and the user frustration is high. A
counter-argument could even be made that this encourages password re-use
instead since users are less likely to use a unique password if they have
to change it.

2) Password change policies protect against insider threats and unskilled

This is a reason that I do think is valid in certain settings. People share
their password with co-workers. Sometimes their co-workers then abuse the
access they have. Often the co-worker in question is not a skilled hacker.
I can't point to any public data on this, but I have heard of multiple
instances where attackers were detected based on them locking a legitimate
user's account due to trying old passwords after the user changed their
password. There are almost certainly even more instances where the attacker
might not be detected, but due to the password change they can no longer
carry out their attack. Now in this instance most of their "attacks" are
along the lines of reading a colleague's e-mail, but still that's something
that's worth protecting against.

Due to that threat model I still think mandatory password changes have
their place in a corporate environment.  I'm not a huge fan of them for
websites though. So this gets back to my original point that you need to
have an accurate threat model in mind when designing these policies, and I
suspect most policy makers are using the wrong threat model.


On Wed, Apr 20, 2016 at 4:43 PM, Per Thorsheim <> wrote:

> *** BACKGROUND ***
> I have already told quite a few that I am gathering support for a joint
> statement during PasswordsCon @ BSidesLV in Las Vegas on August 2-3.
> The statement will simply be something like "stop changing passwords
> frequently".
> Frequently changing passwords may have worked 20-30 years ago, when most
> people only had one, or perhaps a handful of usernames and passwords.
> Today we have on average 25 (Norwegian survey presented at PasswordsCon
> Oslo, 2012), and we'll have even more in the future.
> We can no longer require users to have long & complex passwords, unique
> to every service & site, and additionally ask them to change them every
> 30-60-90 days. It creates more problems than it solves, it is annoying,
> counterproductive and may result in users deliberately breaking security
> policies in order to get their work done.
> I have said this for years.
> In the fall of 2015 the British CESG, part of Britain's GCHQ, released
> new guidance on password security. Perhaps the biggest surprise was them
> changing their advice on regular password expiry. In this article from
> April 11, 2016, they give the short explanation why:
> On March 2, 2016, Lorrie Faith Cranor at FTC (formerly at CMU), wrote
> this blog post where scientific research also says that mandatory
> password change isn't a good idea any more:
> I know there are tons more opinions, (academic) research, penetration
> test results etc. that show the exact same thing: mandatory password
> changes should die ASAP. It would be for the better for security AND for
> usability for all of us.
> I also know that I already have with me security professionals, hackers,
> researchers, companies and organisations on this, and if you do agree on
> this I'd like to have you onboard as well.
> If you have any kind of original statistics, research, well-written blog
> posts, visualisations or anything else that may contribute to this,
> please let me know. I would like to gather links and organize them into
> a nice FAQ.
> Just as important, I need to collect "all possible reasons" for WHY you
> or anyone else would like to continue enforcing mandatory password
> changes on a frequent basis, say once a year or more often. Please,
> don't reply with "compliance", or "law". We can and will change that,
> even though it may take some time to apply common sense globally.
> A reasonable argument could be a need to clean up a large user database,
> where login time/date info doesn't exist, or cannot be trusted. By
> setting a password expiry time/date, account administrators may identify
> unused accounts after a period of time for closer inspection,
> disablement and finally deletion.
> I will also try to gather as many of these counter arguments into a FAQ
> as well, with reasonable advice on why/not for as much as possible.
> ----
> Any other suggestions highly appreciated, this is work in progress!
> Best regards,
> Per Thorsheim
> Founder,
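The detection Matt describes under point 2 (a legitimate user locked out because someone keeps trying the old password after a change) can be expressed as a small log correlation rule. This is an added example, not code from either message on this thread; the log format, event names, field names and sample records are all constructed.

```python
# Added example, not code from either message on this list. Flags a lockout that
# follows a password change within a window, where the failed attempts came from
# a host other than the one that changed the password (event names constructed).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "timestamp|event|user|source_host" record per line
SAMPLE_LOG = """\
2016-04-20T09:00:00|password_changed|alice|ws-alice
2016-04-20T09:01:00|login_ok|alice|ws-alice
2016-04-20T09:05:00|login_failed|alice|ws-bob
2016-04-20T09:05:10|login_failed|alice|ws-bob
2016-04-20T09:05:20|login_failed|alice|ws-bob
2016-04-20T09:05:30|account_locked|alice|ws-bob
2016-04-20T10:00:00|login_failed|carol|ws-carol
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, event, user, host = line.split("|")
        events.append((datetime.fromisoformat(ts), event, user, host))
    return events


def stale_credential_lockouts(events, window=timedelta(hours=24), threshold=3):
    """Return (user, change_host, other_host, n_failures) tuples for lockouts
    preceded by a password change within `window` and at least `threshold`
    failed logins from hosts other than the one that changed the password."""
    last_change = {}              # user -> (time, host) of most recent change
    failures = defaultdict(list)  # user -> [(time, host)] since that change
    findings = []
    for ts, event, user, host in sorted(events):
        if event == "password_changed":
            last_change[user] = (ts, host)
            failures[user] = []   # only failures after the change are relevant
        elif event == "login_failed":
            failures[user].append((ts, host))
        elif event == "account_locked" and user in last_change:
            change_ts, change_host = last_change[user]
            if ts - change_ts > window:
                continue          # change too old to be the likely cause
            foreign = [h for _, h in failures[user] if h != change_host]
            if len(foreign) >= threshold:
                other = max(set(foreign), key=foreign.count)
                findings.append((user, change_host, other, len(foreign)))
    return findings


def run_sample():
    return stale_credential_lockouts(parse_events(SAMPLE_LOG))
```

Failures from the same host that performed the change are ignored, so a user mistyping their own new password does not trigger the rule.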

