by Rudism
891 days ago
Is that true though? I agree they're annoying and in an ideal world where users don't reuse passwords or leaked hashes can't be broken they'd be pointless--but in this case I think it certainly would have protected at least some of the accounts that were reusing breached passwords. Is there actual evidence/research that proves password rotation has no effect on security in the event of breaches?
NIST, Microsoft, etc. didn't decide to change their minds (to now explicitly discourage arbitrary expiration) out of the blue.
See:
https://web.archive.org/web/20180603140100/https://www.cs.un...
>Using this framework, we confirm previous conjectures that the effectiveness of expiration in meeting its intended goal is weak.
Also see:
https://people.scs.carleton.ca/~paulv/papers/expiration-auth...
>in sum, these security-specific observations and the results in Section 3 suggest the security benefit of password aging policies are at best partial and minor. Combining this with the well-known and widely experienced (negative) usability impact of password aging policies, and results [18] mentioned earlier on high predictability of new passwords from knowledge of old, the burden appears to shift to those who continue to support password aging policies, to explain why, and in which specific circumstances, a substantiating benefit is evident.
And:
https://discovery.ucl.ac.uk/id/eprint/20247/2/CACM%20FINAL.p...
>Although change regimes are employed to reduce the impact of an undetected security breach, our findings suggest that they reduce the overall password security in an organization.
There have been several more, and I'm sure that NIST and others did their own additional analysis prior to changing their recommendations which may not have been made public.