Password Aging Policies and Quantifying Security Advantages

Date

July 9, 2015

Speaker

Paul Van Oorschot

Affiliation

Carleton University

Overview

Many enterprise security policies enforce “password aging”, i.e., require that users change their passwords each fixed intervals such as 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified less. We provide a detailed analysis pursuing the question “What security advantage is delivered by password expiration policies?”. We find that the benefits are far less than expected.

Speakers

Paul Van Oorschot

See “Short biography” at http://people.scs.carleton.ca/~paulv/personal.pvo.html