Does requiring users to regularly change their passwords really improve security ?

Add to my custom PDF

Quantifying the Security Advantage of Password Expiration Policies

A common security policy is to require that users change their passwords at regular intervals. The actual benefit from this practice has never been closely evaluated. Although a regular change in password might improve security in some scenarios, for example by ending access of an adversary who has already breached the account, any added resistance against new attacks is not clear. As a strategy against modern attack methods, on the other hand, a strict password change policy may not significantly improve security.

Chiasson and van Oorschot assess the degree to which password expiration policies can add a security advantage. Their model relates the length of the password expiration period to the time required for an attacker to test all key ciphers, and considers both the best case and real world conditions of password use. A randomly generated password is the best case scenario for security policies. In real-world conditions though, passwords are often of varying length and are usually not randomly generated. Instead, real-world passwords often follow predictable patterns, such as a variation of a previous password or one of a set of commonly selected passwords. Consequently, these are more easily guessed. This points to the importance of usability in security policies. It is reasonable to expect that users will resist changing their password. As such, an effective expiration period must match the users`ability to comply.

When an attacker guesses repeatedly, their chance of success is greater; an adversary is almost certain to succeed by continually cycling their password guesses. Under best case conditions, there is a small security benefit from requiring regular changes in password. The likelihood of successful attack can be reduced from 100%, to a 63% probability of successful attack. In this best case, the security benefit from password expiration policies are minor and may not outweigh the cost to the user.

The capacity of users to manage password changes should be considered in the design of a password expiration policy, in particular the length of time before a password must be changed.

Overly frequent password changes do little to reduce the risk of compromise and could result in users choosing simpler, more guessable passwords.