Educause Security Discussion mailing list archives

Re: About password expiration and change policies...


From: Von Welch <von () VONWELCH COM>
Date: Wed, 2 Apr 2014 22:59:16 -0400

Spaf,

 I agree with the conclusions of your analysis, but unfortunately I think this whole debate is unlikely to progress due 
to a lack of hard data; we’re all just butting opinions and anecdotes (and that's before we consider the usability 
trade-offs.)

 And data seems really difficult to get - any longitudinal study I’ve thought of has so many variables in play I’m not 
sure how useful the results would be. Cormac’s done the best I’ve seen, but I still don’t think it’s conclusive enough. 
(BTW, IU recently changed from a no-change to a regular-change password policy if someone has a good idea on how to 
measure that impact.)

Von

On Apr 2, 2014, at 10:08 PM, Gene Spafford <spaf () CERIAS PURDUE EDU> wrote:


Here's something I wrote almost exactly 8 years ago about password expiration policies.  A few of you may remember 
it.  I used to include this in my lectures at CSI and SANS courses in the 90s.

https://www.cerias.purdue.edu/site/blog/post/password-change-myths/

