Bruce K. Marshall delivered this great presentation discussing the history, research, and his thoughts on the “best practices” for password expiration at the Passwords 14 conference earlier this month in Las Vegas, NV. From the abstract – “Forcing users to regularly change passwords has become a standard practice for corporate networks and some web sites. But does it actually improve security or lead to more guessable passwords?”
Although Bruce offers no concrete conclusion on whether we should keep or do away with password expiration, it’s worth a watch for a lot of great historical references (e.g., the Green Book of the original DoD Rainbow Series, the 1985 DoD Password Management Guideline) and a nice consolidation of research from both sides of the argument over the past 20 years. The general feel I took away from the presentation is that we need to either do away with password expiration or extend the interval to be much longer (e.g., a year or more) due to human factors: users who are forced to rotate tend to make small, predictable changes to the old password rather than choosing a genuinely new one. And if you have data so sensitive that you think you need to change passwords more often, two-factor authentication should be used instead. But of course I’ll caveat this gut feel with the two most despised words in infosec – “it depends.”
Know of good videos we should feature? Let us know in the comments below. Today’s post pic is from TheInquirer.net. See ya!