@m33x
Created May 3, 2019 09:46
On Password Expiration - Or why the BSI needs to act now!
# Some Standards Bodies (as of May 2019)
### Pro Password Expiration
- PCI DSS (Visa, Mastercard), BSI (DE)
### Contra Password Expiration
- Academia, NIST (USA), NCSC (UK)
# Some recent research and comments on the negative consequences of enforcing password expiration
2010 - Where Do Security Policies Come From?
https://cups.cs.cmu.edu/soups/2010/proceedings/a10_florencio.pdf
2010 - The True Cost of Unusable Password Policies: Password Use in the Wild
https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf
2010 - The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis
http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf
2014 - United States Federal Employees’ Password Management Behaviors – A Department of Commerce Case Study
https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7991.pdf
2015 - Quantifying the Security Advantage of Password Expiration Policies
http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
2015 - Why we hate IT: Two surveys on pre-generated and expiring passwords in an academic setting
https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1184
2016 - The Problems with Forcing Regular Password Expiry
https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry
2016 - Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
2016 - Revisiting Password Rules: Facilitating Human Management of Passwords
http://people.scs.carleton.ca/~paulv/papers/eCrime2016pwdrules.pdf
2018 - User Behaviors and Attitudes Under Password Expiration Policies
https://www.usenix.org/system/files/conference/soups2018/soups2018-habib-password.pdf
# Some related sources showing that users will change their passwords in very predictable ways
2014 - The Tangled Web of Password Reuse
http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf
2016 - Targeted Online Password Guessing: An Underestimated Threat
http://wangdingg.weebly.com/uploads/2/0/3/6/20366987/ccs16_final_v12.pdf
2016 - Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites
https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-wash.pdf
2018 - “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications
https://www.mobsec.ruhr-uni-bochum.de/media/mobsec/veroeffentlichungen/2018/09/10/ccsf266-finalv1.pdf
2018 - Abusing Password Reuse at Scale: Bcrypt and Beyond
https://www.youtube.com/watch?v=5su3_Py8iMQ
2018 - Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis
http://faculty.cs.tamu.edu/guofei/paper/PasswordReuse-TDSC.pdf
2019 - Beyond Credential Stuffing: Password Similarity Models using Neural Networks
https://www.cs.cornell.edu/~rahul/papers/ppsm.pdf