by ziddoap 899 days ago
>Is that true though?

NIST, Microsoft, etc. didn't decide to change their minds (to now explicitly discourage arbitrary expiration) out of the blue.

See:

https://web.archive.org/web/20180603140100/https://www.cs.un...

>Using this framework, we confirm previous conjectures that the effectiveness of expiration in meeting its intended goal is weak.

Also see:

https://people.scs.carleton.ca/~paulv/papers/expiration-auth...

>in sum, these security-specific observations and the results in Section 3 suggest the security benefit of password aging policies are at best partial and minor. Combining this with the well-known and widely experienced (negative) usability impact of password aging policies, and results [18] mentioned earlier on high predictability of new passwords from knowledge of old, the burden appears to shift to those who continue to support password aging policies, to explain why, and in which specific circumstances, a substantiating benefit is evident.

And:

https://discovery.ucl.ac.uk/id/eprint/20247/2/CACM%20FINAL.p...

>Although change regimes are employed to reduce the impact of an undetected security breach, our findings suggest that they reduce the overall password security in an organization.

There have been several more, and I'm sure that NIST and others did their own additional analysis prior to changing their recommendations which may not have been made public.

1 comment

Fair enough. Seems like the conclusions drawn are not that it doesn't improve security, rather it does not improve security enough to justify the added burden to users and support staff.

I'd venture that this 23andMe situation is one of the scenarios where password expiration could have significantly improved the outcome, but I concede that it was a poor example for me to use.
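As an added illustration of the "high predictability of new passwords from knowledge of old" finding quoted in the thread (a constructed example, not code from the cited papers or from either commenter): a password-change check that flags the edits users typically make under forced rotation. The leet table, the 0.8 similarity threshold and the sample old/new pairs are my own assumptions.

```python
# Reject a new password that is a predictable edit of the old one.
# Constructed illustration: encodes the usual rotation edits (digit bump,
# suffix swap, case flip, leet substitution, reversal, one-letter tweak).
import re
from difflib import SequenceMatcher

# Assumed substitution table, undone before comparison ("P@ssw0rd" -> "password")
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})
EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")   # digits/symbols glued on at either end


def stem(pw: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, then undo leet."""
    return EDGE.sub("", pw.lower()).translate(LEET)


def derived_from(old: str, new: str, threshold: float = 0.8):
    """Return why `new` is predictable from `old`, or None if it looks independent."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "case change only"
    if n == o[::-1]:
        return "reversal"
    so, sn = stem(old), stem(new)
    if so and so == sn:
        return "same stem, different digits/symbols"
    if so and so == sn[::-1]:
        return "reversed stem"
    if len(so) >= 4 and sn and (so in sn or sn in so):
        return "old stem reused inside new password"
    ratio = SequenceMatcher(None, o, n).ratio()   # 1.0 identical, 0.0 nothing shared
    if ratio >= threshold:
        return f"edit similarity {ratio:.2f} >= {threshold}"
    return None


# Constructed sample of old -> new pairs, as a rotation event might produce
SAMPLE_ROTATIONS = [
    ("Winter2023!", "Winter2024!"), ("P@ssw0rd1", "Password2"),
    ("hunter2", "2retnuh"), ("Dragon2023", "Dragom2023"),
    ("Summer2023", "Autumn2023"), ("Tr0ub4dor&3", "correct horse battery"),
]


def audit(pairs=SAMPLE_ROTATIONS):
    """Map each new password to the reason it is predictable (None = accepted)."""
    return {new: derived_from(old, new) for old, new in pairs}


if __name__ == "__main__":
    for new, reason in audit().items():
        print(f"{new!r}: {'REJECT: ' + reason if reason else 'accept'}")
```

Four of the six sample rotations are rejected; the seasonal swap passes this check, which shows why such filters narrow but do not remove the weakness.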