Password expiration policies: quantifying assumed security benefits
Paul van Oorschot, Carleton University
July 7, 2016 10:30am, in M3 3127
Many enterprise security policies enforce "password aging", i.e., they require users to change their passwords at fixed intervals such as every 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified even less. We provide a detailed analysis pursuing the question "What security advantage is delivered by password expiration policies?" We find that the benefits are far less than expected.
Paul C. Van Oorschot is a Professor of Computer Science at Carleton University in Ottawa, where he is Canada Research Chair in Authentication and Computer Security. He is a Fellow of the Royal Society of Canada (FRSC), Canada's national academy. He is Program co-Chair of NSPW 2014 and 2015, was Program Chair of USENIX Security 2008, Program co-Chair of NDSS 2001 and 2002, and co-author of the Handbook of Applied Cryptography (2001). He has served on the editorial boards of IEEE TDSC, IEEE TIFS, and ACM TISSEC, and as Scientific Director of NSERC ISSNet (2008-2013), a pan-Canadian strategic research network exploring computer and Internet security. His current research interests include authentication and identity management, security and usability, smartphone security, software security, and computer and Internet security in general.