funsec mailing list archives

research on password expiration practice


From: Gadi Evron <ge () linuxbox org>
Date: Sun, 24 Oct 2010 18:05:49 +0200

http://www.cs.unc.edu/~yinqian/papers/PasswordExpire.pdf

In this project, we conducted the first large-scale study of
the success of password expiration in meeting its intended purpose,
namely revoking access to an account by an attacker who has captured
the account's password. Using a dataset of over 7700 accounts, we
assess the extent to which passwords that users choose to replace
expired ones pose an obstacle to the attacker's continued access. We
develop a framework by which an attacker can search for a user's new
password from an old one, and design an efficient algorithm to build
an approximately optimal search strategy. We then use this strategy
to measure the difficulty of breaking newly chosen passwords from
old ones. We believe our study calls into question the merit of
continuing the practice of password expiration.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.