Designs, Codes and Cryptography

, Volume 77, Issue 2–3, pp 401–408 | Cite as

Quantifying the security advantage of password expiration policies

  • Sonia Chiasson
  • P. C. van OorschotEmail author


Many security policies force users to change passwords within fixed intervals, with the apparent justification that this improves overall security. However, the implied security benefit has never been explicitly quantified. In this note, we quantify the security advantage of a password expiration policy, finding that the optimal benefit is relatively minor at best, and questionable in light of overall costs.


Authentication Password security in digital systems  Password aging Password expiration Guessing attacks 

Mathematics Subject Classification

94A62 68W40 68U35 68N25 94A60 



We thank Joseph Bonneau and anonymous referees for insightful comments which have improved this paper. Both authors acknowledge funding from Canada’s NSERC for Canada Research Chair and Discovery Grant funding.


  1. 1.
    Bonneau J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: IEEE 2012 Symposium on Security and Privacy.Google Scholar
  2. 2.
    Bonneau J., Herley C., van Oorschot P.C., Stajano F.: The past, present, and future of password-based authentication on the web. Commun. ACM (2015, to appear).Google Scholar
  3. 3.
    Burr W., Dodson D.F., Polk W.T., (eds). Electronic authentication guideline. NIST Special Pub 800–63 Version 1.0, June 2004 (Later versions include Burr et al., NIST SP-800-63-2, Aug 2013).Google Scholar
  4. 4.
    Cheswick W.: Rethinking passwords. Commun. ACM 56(2), 40–44 (2013).Google Scholar
  5. 5.
    Curry D.A.: UNIX System Security: A Guide for Users and System Administrators. Addison-Wesley, Boston (1992).Google Scholar
  6. 6.
    Desmedt Y.G.: Unconditionally secure authentication schemes and practical and theoretical consequences. In: Advances in Cryptology—CRYPTO’85 Proceedings, LNCS, vol. 218, pp. 42–55. Springer, Berlin (1986).Google Scholar
  7. 7.
    van Dijk M., Juels A., Oprea A., Rivest R.L.: FlipIt: the game of “stealthy takeover”. J. Cryptol. 26(4), 655–713 (2013).Google Scholar
  8. 8.
    Florencio D., Herley C.: Where do security policies come from? In: ACM SOUPS (2010).Google Scholar
  9. 9.
    Florencio D., Herley C., van Oorschot P.C.: An administrator’s guide to internet password research. In: USENIX LISA (2014).Google Scholar
  10. 10.
    Herley C., van Oorschot P.C.: A research agenda acknowledging the persistence of passwords. IEEE Secur. Priv. 10(1), 28–36 (2012).Google Scholar
  11. 11.
    Gage Kelley P., et al.: Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. In: IEEE 2012 Symposium on Security and Privacy.Google Scholar
  12. 12.
    Mazurek M., et al.: Measuring password guessability for an entire university. In: ACM CCS (2013).Google Scholar
  13. 13.
    Narayanan A., Schmatikov V.: Fast dictionary attacks on passwords using time-space tradeoff. In: ACM CCS (2005).Google Scholar
  14. 14.
    Quisquater J.-J., Desmedt Y.G.: Chinese lotto as an exhaustive code-breaking machine. IEEE Comput. 24(11), 14–22 (1991).Google Scholar
  15. 15.
    Schechter S., Herley C., Mitzenmacher M.: Popularity is everything: a new approach to protecting passwords from statistical-guessing attacks. In: USENIX HotSec (2010).Google Scholar
  16. 16.
    Weir M., Aggarwal S., de Medeiros B., Glodek B.: Password cracking using probabilistic context-free grammars. In: IEEE 2009 Symposium on Security and Privacy.Google Scholar
  17. 17.
    Weir M., Aggarwal S., Collins M., Stern H.: Testing metrics for password creation policies by attacking large sets of revealed passwords. In: ACM CCS (2010).Google Scholar
  18. 18.
    Zhang Y., Monrose F., Reiter M.K.: The security of modern password expiration: an algorithmic framework and empirical analysis. In: ACM CCS (2010).Google Scholar

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  1. 1.School of Computer ScienceCarleton UniversityOttawaCanada

Personalised recommendations