Many security policies force users to change passwords within fixed intervals, with the apparent justification that this improves overall security. However, the implied security benefit has never been explicitly quantified. In this note, we quantify the security advantage of a password expiration policy, finding that the optimal benefit is relatively minor at best, and questionable in light of overall costs.
These probabilities are unknown and change across datasets; estimates are used, based on large datasets accumulated from prior compromises, or from heuristic tools.
More precisely, this is for \(\beta \) guesses per account. The optimal attack tries the most probable password on each account, then the next most probable, etc.
If this is counter-intuitive, note that an attack which guesses key candidates in a fixed sequence actually benefits from a key change if the original target key is more distant in the guessing sequence than the newly updated key. In our analogous problem herein, the implication is that a successful guessing attack cannot be prevented even if a user changes their password continuously, as quickly as system interfaces allow.
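The footnote's point can be made concrete with a small exact calculation. This is an added example, not the paper's model or code: it assumes a toy Zipf-like password distribution, an attacker making \(\beta\) guesses in order of decreasing probability, and a password change (an independent fresh draw) after \(c\) of those guesses, under two assumptions about how the attacker reacts to the change.

```python
from typing import List, Sequence

def zipf_distribution(n: int, s: float = 1.0) -> List[float]:
    """Constructed toy distribution over n candidate passwords, sorted most
    probable first (which is also the optimal attacker's guessing order)."""
    weights = [1.0 / (rank ** s) for rank in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]

def mass_of_top(p: Sequence[float], k: int) -> float:
    """Probability that a freshly chosen password is among the k most probable."""
    return sum(p[:k])

def p_static(p: Sequence[float], beta: int) -> float:
    """No expiration: all beta guesses target the same password."""
    return mass_of_top(p, beta)

def p_expire_fixed_sequence(p: Sequence[float], beta: int, c: int) -> float:
    """Password replaced after c guesses; the attacker keeps walking the fixed
    sequence, so guesses c..beta-1 hit only if the new password's rank lies in
    that window (the footnote's fixed-sequence attacker)."""
    hit_before = mass_of_top(p, c)
    hit_after = sum(p[c:beta])
    return hit_before + (1 - hit_before) * hit_after

def p_expire_restart(p: Sequence[float], beta: int, c: int) -> float:
    """Attacker who notices the rotation restarts at the most probable candidate
    and spends the remaining beta - c guesses on the new password."""
    hit_before = mass_of_top(p, c)
    return hit_before + (1 - hit_before) * mass_of_top(p, beta - c)

def expiration_advantage(p: Sequence[float], beta: int, c: int) -> dict:
    """Reduction in compromise probability attributable to the password change.
    A negative value means the change helped the attacker."""
    static = p_static(p, beta)
    return {
        "static": static,
        "fixed_sequence": static - p_expire_fixed_sequence(p, beta, c),
        "restart": static - p_expire_restart(p, beta, c),
    }

if __name__ == "__main__":
    # Constructed parameters: 1000 candidates, 10 guesses, change after 5.
    p = zipf_distribution(1000)
    for name, value in expiration_advantage(p, beta=10, c=5).items():
        print(f"{name:>15}: {value:.4f}")
```

Against the fixed-sequence attacker the advantage works out to the product of the two partial masses, which is small; against the restarting attacker the fresh draw gives a second chance at the most probable candidates and the advantage is negative.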
We thank Joseph Bonneau and anonymous referees for insightful comments which have improved this paper. Both authors acknowledge funding from Canada’s NSERC for Canada Research Chair and Discovery Grant funding.
This is one of several papers published in Designs, Codes and Cryptography comprising the “Special Issue on Cryptography, Codes, Designs and Finite Fields: In Memory of Scott A. Vanstone”.
Chiasson, S., van Oorschot, P.C. Quantifying the security advantage of password expiration policies. Des. Codes Cryptogr. 77, 401–408 (2015). https://doi.org/10.1007/s10623-015-0071-9
- Password security in digital systems
- Password aging
- Password expiration
- Guessing attacks