
How does changing your password every 90 days increase security?

Before answering whether it helps or not, it makes sense to look at specific scenarios. (That is often a good idea when evaluating a security measure.)

In what situations does a forced password change mitigate impact?

Consider this scenario: the attacker knows the password of a user but has no backdoor. He does not want to be discovered, so he does not change the password himself.
Let's see whether this scenario is likely:

How might he have learned the password?

  • The victim might have told him (e.g. a new intern who is supposed to start working before his own account is set up, or another person who is supposed to level up an account in an online game)
  • The attacker might have watched the victim type it
  • The attacker might have had access to another site's password database in which the user reused the same password
  • The victim might have logged in once from a computer owned (and prepared) by the attacker

What might have prevented him from setting up a backdoor?

  • The service in question may not offer any way to install a backdoor (for example an email inbox or a typical web application)
  • The user's account may lack the privileges needed to install a backdoor
  • The attacker might lack the required knowledge (in the online game Stendhal, most "hacks" are done by angry siblings who just want to destroy a toy)
  • The attacker might not have turned malicious yet (e.g. an employee who will be fired next month but does not suspect anything at the moment)

Why not use forced password expiry?

It can be very annoying to users, causing them to just append a counter to their old password, which decreases the effective entropy of the passwords. In my experience it generates additional support costs because people forget their new password more often than usual. I guess that is caused by the change-password prompt catching them off guard while they are busy thinking about something else.

To conclude

It is far from a cure-all, and it has a negative impact on usability, but it does make sense to balance that against the likelihood and impact of scenarios similar to the one I described above.
