Requiring users to change passwords periodically is established IT dogma. For a long time I’ve suspected that the periodic forced changes that have become de rigueur for modern enterprises are actually counterproductive. Until now, however, there has been little serious research into the issue, and I have been unable to intelligently defend my position. I just resort to vague hand-waving arguments about frustrating users and encouraging bad behavior involving yellow sticky notes.
Last year, Yinqian Zhang, Fabian Monrose, and Michael K. Reiter, at the University of North Carolina at Chapel Hill, conducted the first large-scale study of the success of password expiration as a security strategy. They report their findings in The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis. It’s a good read. They propose an algorithm for guessing a user’s new password from a previously cracked password of the same user. They used a data set of 51,141 MD5 password hashes representing from 4 to 15 passwords for some 10,374 users over a five-year period. Overall, among the 7,936 users for which they cracked at least one password, they broke all the passwords belonging to 54% of the users, and broke at least half in 90% of the cases. Their results are impressive: on average, 41% of passwords can be broken from an old password in under 3 seconds.
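The study works because users tend to change an expiring password by a cheap tweak (bump a digit, flip case, swap in a leetspeak character, append a symbol). As an added example, not the paper’s algorithm nor this post’s code, here is the mitigation a password-change handler can apply: compare the old and new passwords (both are in hand at change time, since the user must supply the current one) and reject the change when the new one is a trivial transform of the old. The function names, the leetspeak table and the similarity threshold are my own assumptions.

```python
import re
from difflib import SequenceMatcher

# Assumed leetspeak substitutions to undo before comparing (my own list).
_LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "l",
                       "3": "e", "4": "a", "5": "s", "7": "t"})
# Leading/trailing digits, punctuation and underscores: the "append a number"
# pattern. Stripped before the leet pass so a trailing "1" is treated as a
# counter rather than as the letter "l".
_EDGE_JUNK = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def normalize(password: str) -> str:
    """Collapse common tweaks so 'Tarheels#1' and 'tarheels#2' compare equal."""
    core = _EDGE_JUNK.sub("", password.lower())
    return core.translate(_LEET)


def is_trivial_transform(old: str, new: str, ratio: float = 0.8) -> tuple[bool, str]:
    """Return (rejected, reason) for a proposed old -> new password change."""
    if old == new:
        return True, "identical"
    a, b = normalize(old), normalize(new)
    if not a or not b:            # all-digit/symbol passwords: compare raw forms
        a, b = old.lower(), new.lower()
    if a == b:
        return True, "same core after case/leet/edge-digit changes"
    if len(a) > 1 and b == a[::-1]:
        return True, "reversed"
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):
        return True, "one core contains the other"
    if SequenceMatcher(None, a, b).ratio() >= ratio:
        return True, "cores too similar"
    return False, "ok"


def check_password_change(old: str, new: str) -> bool:
    """Policy hook for a change-password handler: True means allow the change."""
    rejected, _ = is_trivial_transform(old, new)
    return not rejected


if __name__ == "__main__":
    # Constructed sample pairs, not data from the study.
    for old, new in [("Tarheels#1", "tarheels#2"), ("Summer2010", "Summer2011"),
                     ("hello", "H3ll0!"), ("correcthorse", "batterystaple")]:
        print(f"{old} -> {new}: {is_trivial_transform(old, new)}")
```

This catches the single-step tweaks the study relies on; it is a complement to, not a replacement for, dropping forced expiration in favour of length requirements and breach-based resets.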
They conclude: “We believe our study calls into question the continued use of expiration and, in the longer term, provides one more piece of evidence to facilitate a move away from passwords altogether.”