Shostack + Friends Blog Archive


Paper: The Security of Password Expiration

The security of modern password expiration: an algorithmic framework and empirical analysis, by Yinqian Zhang, Fabian Monrose and Michael Reiter. (ACM DOI link)

This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account’s password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker’s continued access. We develop a framework by which an attacker can search for a user’s new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration.

This is the sort of work that we at the New School love. Take a best practice recommended by just about everyone for what seems like excellent reasons, and take notice of the fact that human beings are going to game your practice. Then get some actual data, and see how effective the practice is.

Unfortunately, we lack data on rates of compromise for organizations with different password change policies. So it’s hard to tell if password policies actually do any good, or which ones do good. However, we can guess that not making your default password “stratfor” is a good idea.

ACM gets a link because they allow you to post copies of your own papers, rather than inhibiting the progress of science by locking it all up.

2 comments on "Paper: The Security of Password Expiration"

  • We keep harping on passwords and how bad they are, how these credentials don’t work, but we don’t seem to offer much in the way of practical solutions either. The research mentioned in this post is interesting, and I hope your call for actual data is heard.

    Businesses might be able to afford two-factor authentication, but likely only businesses above a size threshold. Smaller businesses and individuals – globally – can’t or won’t afford two-factor authentication (or even single-factor, non-password-based authentication). The problem is that we’ve only ever known that which we know in the I&A domain.

    Passwords suck when they’re not properly cared for. We know this. Any other known form of authentication we have is difficult because of the infrastructure required to pull it off. That sucks too. Does this leave us at a stalemate where we need to get people to care about their passwords?

    If so, there are a finite number of motivational tools we can use to affect how small businesses and individuals view passwords and the importance of their selection and lifecycle.

  • omeron says:

I’ll take the risk of sounding like a moron, but I’ve never understood the importance of passwords. If you can get a hold of the password file, encrypted or not, you probably own the system, so why bother cracking the passwords? If you don’t, you can brute force, but any 5-attempt lockout policy will block you (all the available data suggests users go for easy passwords, but even those are not just 5 passwords, but thousands of “easy” passwords). And if I’m hacking your system, I’ll use an exploit which will help me get some elevated privileges.
    It’s not that passwords are not required, but I think that the emphasis given to them is partly due to the random fact that they are the most visible part of information security. Take this list of common passwords: the 5 most common ones are 2.5% of the list and these passwords change between lists. So all in all, I think that we should ask the users for fair passwords, not strong ones, and compensate for that with some other bad practices.

Comments are closed.