Skip to content

Instantly share code, notes, and snippets.

@m33x
Created May 3, 2019 09:46
Show Gist options
  • Save m33x/3427dda93584f7c758499e807d7555c4 to your computer and use it in GitHub Desktop.
Save m33x/3427dda93584f7c758499e807d7555c4 to your computer and use it in GitHub Desktop.
On Password Expiration - Or why the BSI needs to act now!
# Some Standards Bodies (as of May 2019)
### Pro Password Expiration
- PCI DSS (Visa, Mastercard), BSI (DE)
### Contra Password Expiration
- Academia, NIST (USA), NCSC (UK)
# Some recent research and comments on the negative consequences of enforcing password expiration
2010 - Where Do Security Policies Come From?
https://cups.cs.cmu.edu/soups/2010/proceedings/a10_florencio.pdf
2010 - The True Cost of Unusable Password Policies: Password Use in the Wild
https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf
2010 - The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis
http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf
2014 - United States Federal Employees’ Password Management Behaviors – A Department of Commerce Case Study
https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7991.pdf
2015 - Quantifying the Security Advantage of Password Expiration Policies
http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
2015 - Why we hate IT: Two surveys on pre‐generated and expiring passwords in an academic setting
https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1184
2016 - The Problems with Forcing Regular Password Expiry
https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry
2016 - Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
2016 - Revisiting Password Rules: Facilitating Human Management of Passwords
http://people.scs.carleton.ca/~paulv/papers/eCrime2016pwdrules.pdf
2018 - User Behaviors and Attitudes Under Password Expiration Policies
https://www.usenix.org/system/files/conference/soups2018/soups2018-habib-password.pdf
# Some related sources showing that users will change their passwords in very predictable ways
2014 - The Tangled Web of Password Reuse
http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf
2016 - Targeted Online Password Guessing: An Underestimated Threat
http://wangdingg.weebly.com/uploads/2/0/3/6/20366987/ccs16_final_v12.pdf
2016 - Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites
https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-wash.pdf
2018 - “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications
https://www.mobsec.ruhr-uni-bochum.de/media/mobsec/veroeffentlichungen/2018/09/10/ccsf266-finalv1.pdf
2018 - Abusing Password Reuse at Scale: Bcrypt and Beyond
https://www.youtube.com/watch?v=5su3_Py8iMQ
2018 - Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis
http://faculty.cs.tamu.edu/guofei/paper/PasswordReuse-TDSC.pdf
2019 - Beyond Credential Stuffing: Password Similarity Models using Neural Networks
https://www.cs.cornell.edu/~rahul/papers/ppsm.pdf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment