Are there any studies for or against frequent password changes?

I'm looking for studies on the security effect of frequent password changes, looking at the security benefits / problems from having a mandatory password change every one or two months or similar.

Does anyone know of any?

henriksen asked Apr 20 '09 07:04



1 Answer

Here is a research article on password policy. It mentions the frequency at which people should change their passwords and some other really interesting stuff. Below is an extract.

Some experts say that periodic password changes will reduce the damage if an attacker intercepts a password: once the password is changed, the attacker is locked out. This assumes that the recovered password will not give the attacker any hints about the victim's current password. In fact, periodic password changes tend to encourage people to design sequences of passwords, like secret01a, secret01b, secret01c, and so on.

This allows users to easily choose and remember a new password when the old one expires. Such sequences are usually pretty obvious to an attacker, so any one of the victim's old passwords will probably provide the attacker with a reasonably small number of passwords to guess at.

Sam152 answered Oct 16 '22 02:10
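The quoted extract argues that forced rotation pushes users into sequences like secret01a, secret01b, secret01c, so that one leaked old password narrows the current one to a handful of guesses. The script below is an added example, not code from the original question, answer or the article it quotes: it models the attacker side (enumerating likely successors of a known old password) and the defender side (a change-time check that rejects a new password which is a trivial successor of the old one). The list of transformations, the sample passwords, the function names and the stem comparison are all assumptions; the stem check goes a little beyond the text by catching any new password that only differs from the old one in its trailing counter, not just the next step in the sequence.

```python
"""Added example: predictable successor passwords under forced rotation.

Illustrative only. The transformation list, sample passwords and function
names are assumptions made for this example, not a published policy.
"""
import re

# Constructed sample: the user's previous password and the one they chose
# next, in the sequence style the quoted article describes.
SAMPLE_OLD = "secret01a"
SAMPLE_NEW = "secret01b"

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")
_TRAILING_LETTER = re.compile(r"^(.*?)([A-Za-z])$")
_DIGITS_THEN_LETTER = re.compile(r"^(.*?)(\d+)([A-Za-z])$")
_COUNTER_SUFFIX = re.compile(r"[0-9]+[A-Za-z]?[!@#$%]*$")


def _bump(digits: str, step: int = 1) -> str:
    """Increment a decimal counter, keeping its zero padding (01 -> 02)."""
    return str(int(digits) + step).zfill(len(digits))


def _next_letter(ch: str):
    """a -> b (case preserved); None at the end of the alphabet."""
    if ch in ("z", "Z"):
        return None
    return chr(ord(ch) + 1)


def _stem(pw: str) -> str:
    """Strip a trailing counter such as 01a, 2023 or 7! from a password."""
    return _COUNTER_SUFFIX.sub("", pw)


def successor_candidates(old: str) -> list:
    """Likely next passwords derived from ``old``, most likely first.

    Models the habits rotation encourages: advance a trailing letter,
    bump a trailing number (counter, year), or append a counter to a
    password that had none. Returns unique guesses in priority order.
    """
    guesses = []

    m = _DIGITS_THEN_LETTER.match(old)
    if m:
        stem, digits, letter = m.groups()
        nxt = _next_letter(letter)
        if nxt:
            guesses.append(f"{stem}{digits}{nxt}")      # secret01a -> secret01b
        guesses.append(f"{stem}{_bump(digits)}a")       # secret01z -> secret02a

    m = _TRAILING_DIGITS.match(old)
    if m:
        stem, digits = m.groups()
        guesses.append(f"{stem}{_bump(digits)}")        # Winter2023 -> Winter2024
        guesses.append(f"{stem}{_bump(digits, 2)}")

    m = _TRAILING_LETTER.match(old)
    if m:
        stem, letter = m.groups()
        nxt = _next_letter(letter)
        if nxt:
            guesses.append(f"{stem}{nxt}")

    for suffix in ("1", "01", "2", "!"):                 # password -> password1
        guesses.append(old + suffix)

    seen, ordered = set(), []
    for g in guesses:
        if g != old and g not in seen:
            seen.add(g)
            ordered.append(g)
    return ordered


def guesses_needed(old: str, actual_new: str) -> int:
    """Number of successor guesses an attacker holding ``old`` must try
    before hitting ``actual_new``; 0 if it is not in the candidate list."""
    cands = successor_candidates(old)
    return cands.index(actual_new) + 1 if actual_new in cands else 0


def is_trivial_rotation(old: str, new: str) -> bool:
    """Change-time check for a password-change endpoint.

    Rejects a new password that equals the old one modulo case, is one of
    its predictable successors, or shares its stem and differs only in a
    trailing counter. Both values are available in cleartext only at the
    moment of the change (the user presents the old password to prove
    ownership); this cannot be done retroactively from stored hashes.
    """
    if new.lower() == old.lower():
        return True
    if new in successor_candidates(old):
        return True
    stem = _stem(old)
    return len(stem) >= 4 and stem == _stem(new)


if __name__ == "__main__":
    print(successor_candidates(SAMPLE_OLD))
    print("guesses needed:", guesses_needed(SAMPLE_OLD, SAMPLE_NEW))
    print("rejected by policy:", is_trivial_rotation(SAMPLE_OLD, SAMPLE_NEW))
```

Running it shows that secret01b is the attacker's first guess given secret01a, which is the point of the quoted extract; the `is_trivial_rotation` check is the control a password-change endpoint would need to make a rotation policy do what it claims to do, and it only works because the old password is presented in cleartext at change time.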