On Password Expiration - Or why the BSI needs to act now!
# Some Standards Bodies (as of May 2019)
### Pro Password Expiration
- PCI DSS (Visa, Mastercard), BSI (DE)
### Contra Password Expiration
- Academia, NIST (USA), NCSC (UK)
# Some recent research and comments on the negative consequences of enforcing password expiration
- 2010 - Where Do Security Policies Come From?
- 2010 - The True Cost of Unusable Password Policies: Password Use in the Wild
- 2010 - The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis
- 2014 - United States Federal Employees’ Password Management Behaviors – A Department of Commerce Case Study
- 2015 - Quantifying the Security Advantage of Password Expiration Policies
- 2015 - Why we hate IT: Two surveys on pre-generated and expiring passwords in an academic setting
- 2016 - The Problems with Forcing Regular Password Expiry
- 2016 - Time to rethink mandatory password changes
- 2016 - Revisiting Password Rules: Facilitating Human Management of Passwords
- 2018 - User Behaviors and Attitudes Under Password Expiration Policies
# Some related sources showing that users will change their passwords in very predictable ways
- 2014 - The Tangled Web of Password Reuse
- 2016 - Targeted Online Password Guessing: An Underestimated Threat
- 2016 - Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites
- 2018 - “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications
- 2018 - Abusing Password Reuse at Scale: Bcrypt and Beyond
- 2018 - Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis
- 2019 - Beyond Credential Stuffing: Password Similarity Models using Neural Networks