Password expiration best practices?
February 27, 2006 11:16 AM

Is there an "industry standard" for password expiration periods?

With the understanding that it depends on the "industry," and ultimately at the company/agency level, can a broad generalization be made that most corporate environments enforce {x}-day password expiration periods -- be it 30 days, 45 days, 60 days, 90 days, etc.? Is there a default starting point for IT security wonks?

There are some commonalities in password policies - longer than 8 characters, mixed characters, don't reuse old passwords, etc., but I've seen a huge range in expiration periods, all the way up to none.

Any security guys here who can point to some acronymed standards body or guideline with a number? Or will it always be, "it depends"?
posted by pzarquon to Computers & Internet (18 answers total)
Go empiric. Keep shortening the period until you find > 10% of calls to your company help desk are for password resets. (Then fire the top ten percent most frequent requestors, and repeat, until you'd have to fire someone higher than you in the pecking order.)
posted by orthogonality at 11:24 AM on February 27, 2006


And let me be the first to say 'Expiring passwords doesn't help.'

Here's the problem. Frequently expiring passwords makes it much harder for your users to remember them. This causes two problems.

1) Weak passwords, as they keep trying to come up with new ones, and almost always evolve an "orbit" of passwords.

2) Support costs, as you deal with frequent failed password changes.

I'm with Bruce Schnier on this. Don't expire. As a matter of fact, let them write them down -- as long as they treat that piece of paper as the important piece of paper it is. The rule I use is "That piece of paper is a $50 bill. Would you leave it lying on your desk?"

If you're really paranoid, make them write it on a $50. A far bigger problem than people writing down passwords is weak passwords -- and expiring them doesn't help that, indeed, it makes that problem worse.

You can, via strong passwords, attempt to force strong passwords. Your support costs will climb as you do so, as your users fight to come up with legal passwords, and then forget them. Or, they'll simply give up and write them down on a post-it note.

I'd rather they spend the time to learn one good password a year, rather than try to learn a dozen or more, or worse, come up with a weak password. Heck, if they stick a piece of paper in their wallet with the strong password, so much the better.

Just as long as they treat that piece of paper like money, it'll be far more secure than most passwords.
posted by eriko at 11:24 AM on February 27, 2006

I think it's past time to recognize that any security system that works in direct opposition to what we know about human attention and memory is fundamentally flawed.

But to answer the question, "it depends."
posted by KirkJobSluder at 11:29 AM on February 27, 2006

Here, a real example of what they said.
posted by kcm at 11:30 AM on February 27, 2006

Best answer: Good points, but perhaps points pzarquon's boss won't be interested in. Doing security at various government agencies I can tell you anecdotally that I have seen password ages range anywhere from 30 to 90 days.

The documentation which most agencies follow as a guideline is the NIST Special Publications, here

I'm trying to find one that speaks to password aging.
posted by poppo at 11:32 AM on February 27, 2006

Both high tech companies I've worked for have 45-day expiry dates on passwords. And my current employer uses the same rules as in kcm's link.

If they add L33t5p34k to the list of don'ts I'm going to have to go to writing new passwords down.
posted by birdherder at 11:42 AM on February 27, 2006

Ok, what NIST and FIPS say is simply that you should set a maximum password age, not what that value should be, so as Kirk says, it depends. Depends on the value of the data you need to protect. Really valuable, maybe 30 days, not so much, maybe 60 or 90.
posted by poppo at 11:43 AM on February 27, 2006

Don't expire, and make sure your character length is long enough to allow for pass phrases instead of passwords, pass phrases being easier to remember and more effective anyway (also a Shnier fan).

"I didn't want to tell her, but she made me 13* madder than I had expected!" is a lot more secure than fgH2S~9r, and much easier to remember.

I cannot stand when a web site requires I log in, then disallows passwords over a certain length (like 8 chars, typically) or disallows special characters. You WANT an insecure site? And you're saving what, 150k in password space on a site like Hotmail?
posted by Imperfect at 11:58 AM on February 27, 2006

What drives me bonkers here at work is that network access and each piece of software have their own requirements (in one, your login is your full name, in another it's your first initial & last name in full, in yet another it's your first initial & last name truncated to six characters). The passwords expire at different times like our payroll software password is good for 90 days, IIRC, while our financials software requires a change every 30, and a client database requires a change every 45.

It would be great if there was some kind of consistency.
posted by raedyn at 12:06 PM on February 27, 2006

Never expire is the best policy. Anything else, from my personal experience as a support grunt for a medium sized college, results in sticky notes on the monitor with this month's password on them.

Think of it like this: Imagine if every month you had to get a new lock installed on your door. How quickly would you just start leaving the door unlocked? Or maybe you'd just stick the new key under the mat? Yep, thought so.

And the old "don't reuse old passwords" just means that the new office standard will be "fuckXX" where XX is the number of times the password has changed (or, depending on where you work, it might be one of the other popular passwords, like "god", or "money").
posted by shepd at 12:17 PM on February 27, 2006

Best answer: "Is there a default starting point for IT security wonks?"

Microsoft has a couple write ups: NT4 days and some MVP

They also have a big white paper on minimum password recommendations when running AD but I'm unable to find it.

eriko writes "Don't expire. As a matter of fact, let them write them down -- as long as they treat that piece of paper as the important piece of paper it is. The rule I use is 'That piece of paper is a $50 bill. Would you leave it lying on your desk?'"

The only problem with this is people share their password. When nameless middle manager replaces his secretary it gives IT a warm feeling to know the window of opportunity for abuse with his password is limited to the expiration period.
posted by Mitheral at 1:00 PM on February 27, 2006

There have been AskMe threads on password strategies, but I'm too lazy to search. I teach users to use a magic word or phrase, like infinitesummer, and add numbers, like infinitesum09mer. The number can be incremented. The number can be changed for different networks. The only thing the user needs to put on the monitor is the sticky that says 9. Longer passwords are a lot more secure, but not that much more of a pain to type.

Expiring passwords gets rid of account access where the department may not let you know a staff member has departed, or is on leave.
posted by theora55 at 1:41 PM on February 27, 2006

In the NSA Security Configuration Guides.

In the guide itself they recommend 42 days for high security, but in the security template it is defined as 90 days.
I think changing passwords more often than 90 days is a hassle.
posted by Sharcho at 1:41 PM on February 27, 2006

I agree with everything said, and let me add that instead of time-frame determined password changes -- move it to employee changes within a department, such as the situation Mitheral describes. Whenever an employee leaves a position within a department (workgroup, whatever the buzz word for small organizational unit is) make everyone in that department change their password, this is fairly easy to set up within group policy. I always like the "full name of the girl you lost your virginity to plus the year it happened", so for me it'd be like "katemoss95" -- I see it as less dictionary-hackable and incredibly personal. It also keeps people from sharing passwords and keeps passwords very unique. You might want to corporatize and gender-neutralize the language though.
posted by geoff. at 2:27 PM on February 27, 2006

The worst 'insecure expiring password' I've ever heard of was from a guy who worked at a company where they were required to change their passwords on the first day of each month. He just changed the password to 'january', 'february', and so on.

So, yeah. 'Never expire' isn't the standard, but if you ask me, it should be.
posted by reklaw at 2:48 PM on February 27, 2006

Response by poster: Thanks so much, everyone. Even without a definitive answer, y'all have helped clarify some thinking. I agree that too-frequent changes encourage weak passwords, but I also think "never expire" is a security strategy I'd be hard pressed to justify.

Poppo's link to the NIST guides led me to SP 800-68 on XP configuration recommendations from October 2005, one of the more current references, that recommends a maximum password age of 90 days, which certainly means no longer, but it could be shorter. Hey, it's a start.

There's a lot of good reading via your links and the sites further referenced. It seems, though, that "it depends" is the official answer. Ah well. If it was all in one big book somewhere, you wouldn't need people at all!
posted by pzarquon at 5:55 PM on February 27, 2006

Argh. For the record, it's "Schneier."

I know this. I've got a name people foul up all the time (though, in my case, it is because they think they know how to spell it.)

It was early, I wasn't fully caffeinated. That's my excuse.
posted by eriko at 7:21 PM on February 27, 2006

Cray Drygu... you're not FORCING the people to take someone else's account and password and keep the same account and password the same. They have the option to change the password (in fact, it should force them to set a new password ONE TIME) and one would HOPE they have their own private username. :-) Think of it like an apartment which gives you the freedom to install your own lock when you move in.

But, if I were back where I was changing my password every 90 days, I love reklaw's idea. To comply with your security, I'd change it in january to january2006. And then march2006, etc, etc. And, with that mentioned, I wonder how many staff where I worked actually did that for real. I bet the number was pretty high.

[Did I mention that during that regime of working password support... I forgot MY OWN password during one of the hundreds of password changes I had to do? Lucky for me I worked password support with more than one person. Yes, more than one person for a single college... on password support... over 30 day password changing policies. *sigh*]
posted by shepd at 9:29 AM on February 28, 2006
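Several posts above (shepd's "fuckXX", theora55's incrementing number, reklaw's month names, shepd's "january2006" then "march2006") describe the same failure: forced expiry produces a predictable successor of the previous password. As an added example that is not code from any poster, here is the check a password-change filter can run at the moment a user submits a new password, when both the old and the new value are available in the clear. The leetspeak table, the 0.8 similarity threshold and the sample inputs are this example's own assumptions.

```python
import re
from difflib import SequenceMatcher

MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]

# Assumed table of substitutions users apply to dodge "don't reuse" rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def letters(password: str) -> str:
    """Lower-case alphabetic characters only (digits and punctuation dropped)."""
    return re.sub(r"[^a-z]", "", password.lower())


def stem(password: str) -> str:
    """Like letters(), but first undo common leetspeak, so 'p@ssw0rd!'
    and 'password' share the stem a user carries between passwords."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def looks_like_month_rotation(password: str) -> bool:
    """'january', 'february2006', 'Mar06': the pattern reklaw and shepd describe."""
    candidates = {letters(password), stem(password)}
    return any(c == m or c == m[:3] for m in MONTHS for c in candidates)


def successor_of(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a predictable successor of `old`: they differ only
    in runs of digits (fuck01 -> fuck02, infinitesum09mer -> infinitesum10mer),
    share the same leet-normalised stem, or are simply very similar overall."""
    blank_digits = lambda s: re.sub(r"\d+", "#", s.lower())
    if blank_digits(old) == blank_digits(new):
        return True
    if stem(new) and stem(old) == stem(new):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def review_change(old: str, new: str) -> list:
    """Reasons a change filter would reject `new`; an empty list means accept."""
    reasons = []
    if new.lower() == old.lower():
        reasons.append("identical to previous password")
    elif successor_of(old, new):
        reasons.append("predictable variation of previous password")
    if looks_like_month_rotation(new):
        reasons.append("month-name rotation")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes drawn from the patterns named in this thread.
    for old, new in [("fuck01", "fuck02"), ("january", "february"),
                     ("january2006", "march2006"),
                     ("infinitesum09mer", "infinitesum10mer"),
                     ("Password", "Passwords"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {review_change(old, new) or 'accepted'}")
```

Running this on the constructed pairs flags every "orbit" pattern named in the thread while accepting a genuinely new passphrase; it is the kind of history check that makes an expiry policy do what its authors intended rather than merely rotate "fuck01" to "fuck02".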
