Date: Wed, 20 Apr 2016 22:43:39 +0200
From: Per Thorsheim <per@...rsheim.net>
To: passwords@...ts.openwall.com
Subject: Mandatory password changes - DIEDIEDIE!

*** BACKGROUND ***

I have already told quite a few that I am gathering support for a joint statement during PasswordsCon @ BSidesLV in Las Vegas on August 2-3. The statement will simply be something like "stop changing passwords frequently".

Frequently changing passwords may have worked 20-30 years ago, when most people only had one, or perhaps a handful of usernames and passwords. Today we have on average 25 (Norwegian survey presented at PasswordsCon Oslo, 2012), and we'll have even more in the future. We can no longer require users to have long & complex passwords, unique to every service & site, and additionally ask them to change them every 30-60-90 days. It creates more problems than it solves; it is annoying, counterproductive and may result in users deliberately breaking security policies in order to get their work done. I have said this for years.

*** ARTICLES / RECOMMENDATIONS / RESEARCH ***

In the fall of 2015 the British CESG, part of Britain's GCHQ, released new guidance on password security. Perhaps the biggest surprise was them changing their advice on regular password expiry. In this article from April 11, 2016, they give the short explanation why:
https://www.cesg.gov.uk/articles/problems-forcing-regular-password-expiry

On March 2, 2016, Lorrie Faith Cranor at FTC (formerly at CMU) wrote this blog post, where scientific research also says that mandatory password change isn't a good idea any more:
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

I know there are tons more opinions, (academic) research, penetration test results etc. that show the exact same thing: mandatory password changes should die ASAP. It would be for the better for security AND for usability for all of us.
I also know that I already have with me security professionals, hackers, researchers, companies and organisations on this, and if you do agree on this I'd like to have you onboard as well.

*** HOW TO CONTRIBUTE ***

1. PRO ARGUMENTS

If you have any kind of original statistics, research, well-written blog posts, visualisations or anything else that may contribute to this, please let me know. I would like to gather links and organize them into a nice FAQ.

2. COUNTER ARGUMENTS

Just as important, I need to collect "all possible reasons" for WHY you or anyone else would like to continue enforcing mandatory password changes on a frequent basis, say once a year or more often. Please, don't reply with "compliance", or "law". We can and will change that, even though it may take some time to apply common sense globally.

A reasonable argument could be a need to clean up a large user database, where login time/date info doesn't exist, or cannot be trusted. By setting a password expiry time/date, account administrators may identify unused accounts after a period of time for closer inspection, disablement and finally deletion.

I will also try to gather as many of these counter arguments into a FAQ as well, with reasonable advice on why/not for as much as possible.

----

Any other suggestions highly appreciated, this is work in progress!

Best regards,
Per Thorsheim
Founder, passwordscon.org
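The one counter argument the post concedes (using password expiry to surface unused accounts when last-login data is missing or untrustworthy) is easy to state but worth seeing as a concrete check. The script below is an added example and is not code from the post or from passwordscon.org; the account records, the review date and the 365-day thresholds are constructed assumptions. It shows the preferred check (last-login age), the fallback the post describes (an account whose password is older than the enforced expiry cannot have logged in since it expired), and a combined review that only falls back to password age where no login record exists. The "erin" record illustrates the limitation the fallback carries: if expiry is not actually enforced at login, an active user with an old password becomes a false positive.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Account:
    """Minimal directory record (constructed for this example)."""
    name: str
    password_changed: date
    last_login: Optional[date]  # None when the directory keeps no trustworthy login record


# Constructed sample data, not taken from any real directory.
SAMPLE_ACCOUNTS = [
    Account("alice", date(2016, 1, 5), date(2016, 4, 18)),   # active, recent password
    Account("bob", date(2015, 1, 20), date(2015, 2, 1)),     # idle for over a year
    Account("carol", date(2014, 6, 1), None),                # no login record, old password
    Account("dave", date(2016, 3, 1), None),                 # no login record, fresh password
    Account("erin", date(2015, 3, 1), date(2016, 3, 15)),    # active, but password never rotated
]

# Assumed review date for the worked example.
REVIEW_DATE = date(2016, 4, 20)


def stale_by_login(accounts: List[Account], today: date,
                   idle_days: int = 365) -> Tuple[List[str], List[str]]:
    """Preferred check: flag accounts whose last login is older than idle_days.

    Accounts with no login record cannot be judged this way; they are returned
    separately so the caller can apply a fallback to them only.
    """
    stale, unknown = [], []
    for a in accounts:
        if a.last_login is None:
            unknown.append(a.name)
        elif (today - a.last_login).days > idle_days:
            stale.append(a.name)
    return stale, unknown


def stale_by_expiry(accounts: List[Account], today: date,
                    expiry_days: int = 365) -> List[str]:
    """Fallback from the post: with expiry enforced at login, a password older
    than expiry_days means nobody has logged in since it expired.

    This is only a valid signal when expiry really is enforced; otherwise an
    active user who simply never rotated the password is a false positive.
    """
    return [a.name for a in accounts
            if (today - a.password_changed).days > expiry_days]


def review_candidates(accounts: List[Account], today: date,
                      idle_days: int = 365, expiry_days: int = 365) -> List[str]:
    """Use login data where it exists; fall back to password age only where it does not.

    Returns a sorted list of account names to queue for closer inspection.
    """
    stale, unknown = stale_by_login(accounts, today, idle_days)
    without_login = [a for a in accounts if a.name in unknown]
    return sorted(set(stale) | set(stale_by_expiry(without_login, today, expiry_days)))


if __name__ == "__main__":
    print("by login  :", stale_by_login(SAMPLE_ACCOUNTS, REVIEW_DATE))
    print("by expiry :", stale_by_expiry(SAMPLE_ACCOUNTS, REVIEW_DATE))
    print("to review :", review_candidates(SAMPLE_ACCOUNTS, REVIEW_DATE))
```

Run as written, the login-based check flags only bob and reports carol and dave as unjudgeable; the expiry-only check flags bob, carol and erin (erin being the false positive); the combined review queues bob and carol. The point for the FAQ is that once a directory records trustworthy last-login timestamps, the expiry-based fallback adds nothing and only costs the false positives.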