Wednesday, April 20, 2016

“The Problems With Forcing Regular Password Expiry”

The British government’s main electronic security advisory group, the CESG, published some password guidelines late last year. One guideline that was, perhaps, a little surprising is that they now recommend against requiring users to regularly change their passwords:

“It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn’t, it turns out, stand up to a rigorous, whole-system analysis.”

I could not possibly agree more. Requiring frequent password changes is the software equivalent of taking your shoes off at the airport: useless security theater, giving the appearance of increasing security while actually accomplishing the opposite.