Date: Wed, 20 Apr 2016 22:43:39 +0200
From: Per Thorsheim <>
Subject: Mandatory password changes - DIEDIEDIE!


I have already told quite a few that I am gathering support for a joint
statement during PasswordsCon @ BSidesLV in Las Vegas on August 2-3.

The statement will simply be something like "stop changing passwords

Frequently changing passwords may have worked 20-30 years ago, when most
people only had one, or perhaps a handful of usernames and passwords.
Today we have on average 25 (Norwegian survey presented at PasswordsCon
Oslo, 2012), and we'll have even more in the future.

We can no longer require users to have long & complex passwords, unique
to every service & site, and additionally ask them to change them every
30-60-90 days. It creates more problems than it solves; it is annoying,
counterproductive and may result in users deliberately breaking security
policies in order to get their work done.

I have said this for years.


In the fall of 2015 the British CESG, part of Britain's GCHQ, released
new guidance on password security. Perhaps the biggest surprise was them
changing their advice on regular password expiry. In this article from
April 11, 2016, they give the short explanation why:

On March 2, 2016, Lorrie Faith Cranor at FTC (formerly at CMU), wrote
this blog post where scientific research also says that mandatory
password change isn't a good idea any more:

I know there are tons more opinions, (academic) research, penetration
test results etc. that show the exact same thing: mandatory password
changes should die ASAP. It would be for the better for security AND for
usability for all of us.

I also know that I already have with me security professionals, hackers,
researchers, companies and organisations on this, and if you do agree on
this I'd like to have you on board as well.


If you have any kind of original statistics, research, well-written blog
posts, visualisations or anything else that may contribute to this,
please let me know. I would like to gather links and organize them into
a nice FAQ.

Just as important, I need to collect "all possible reasons" for WHY you
or anyone else would like to continue enforcing mandatory password
changes on a frequent basis, say once a year or more often. Please,
don't reply with "compliance", or "law". We can and will change that,
even though it may take some time to apply common sense globally.

A reasonable argument could be a need to clean up a large user database,
where login time/date info doesn't exist, or cannot be trusted. By
setting a password expiry time/date, account administrators may identify
unused accounts after a period of time for closer inspection,
disablement and finally deletion.

I will also try to gather as many of these counterarguments into a FAQ
as well, with reasonable advice on why/why not for as many as possible.


Any other suggestions highly appreciated, this is work in progress!

Best regards,
Per Thorsheim
