CSC 379 SUM2008:Week 3, Group 3
Costs and Benefits of Password Regulations
“Best practices” sometimes seem to take on a life of their own, independent of any recent assessment of their costs and benefits. An example is password policies: maximum length, restrictions on the characters that can be used, and password-change frequency. Evaluate these popular password regulations. Do they provide adequate benefits for the costs incurred? What ethical considerations do poorly evaluated “best practices” raise? Do policy-makers have an ethical responsibility to evaluate “best practices” before they are adopted? A responsibility to re-evaluate existing practices?
Cite specific evidence in your cost/benefit analysis from quality sources (professional/academic journals preferred).
- http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1013839
- http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1588836
- http://portal.acm.org/citation.cfm?id=322796.322806
- http://portal.acm.org/citation.cfm?id=581370
- http://portal.acm.org/citation.cfm?id=986664
"Best Practices" Research
Policies
Password Length
Character Restriction
Password Change Frequency
Policies for major corporations usually require that employees change their password after a certain period of time. Typically, this time frame is from 90 days to 6 months. Requiring a password change at set intervals limits the amount of time an attacker has to break the current password. In addition, if an attacker has already obtained the password, they only have a limited window in which to use it before it is changed. The latter reason can be considered quite useless, as it takes an attacker only minutes or, at most, hours to retrieve the information they are looking for.
A major downside to the policy of requiring a password change after a certain amount of time is that most users will simply change it back to the old password anyway, nullifying any benefit that could be gained from changing your password frequently. There are few studies on whether changing your password after a certain amount of time has actually increased security. Also, employees do not want to waste time changing their password frequently and must be reminded. This devotes unnecessary resources to a practice that the user probably won't follow anyhow.
There was no easily available evidence that any benefit has been gained from adopting this policy.
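The two mechanisms discussed above (a rotation period, and users defeating it by reverting to an old password) are easy to see in code. The following is an added example written for this page, not code from the course or from any of the cited papers: it keeps a short, salted PBKDF2 history for one account so that a "new" password that repeats a remembered one is rejected, and it reports whether the current password has passed the rotation period. The policy parameters (a 90-day period, five remembered passwords, the iteration count) and the account scenario are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Hypothetical policy parameters, chosen for this example only.
ROTATION_PERIOD = timedelta(days=90)   # the 90-day end of the range quoted above
HISTORY_DEPTH = 5                      # how many previous passwords are remembered
PBKDF2_ITERATIONS = 50_000             # kept low so the demo runs quickly; raise in production


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked history file does not reveal old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordRecord:
    """State for one account: when the password was last set, plus hashes of recent ones."""

    def __init__(self, password: str, set_at: datetime):
        self.history = []          # list of (salt, digest) tuples, newest last
        self.set_at = set_at
        self._store(password, set_at)

    def _store(self, password: str, when: datetime) -> None:
        salt = os.urandom(16)      # fresh salt per entry, so equal passwords hash differently
        self.history.append((salt, _hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # forget anything older than the window
        self.set_at = when

    def is_expired(self, now: datetime) -> bool:
        """True once the rotation period has elapsed since the password was set."""
        return now - self.set_at >= ROTATION_PERIOD

    def was_used_recently(self, candidate: str) -> bool:
        """Check the candidate against every remembered hash (constant-time compare)."""
        return any(
            hmac.compare_digest(_hash_password(candidate, salt), digest)
            for salt, digest in self.history
        )

    def change(self, new_password: str, now: datetime) -> bool:
        """Accept the change unless it repeats a remembered password."""
        if self.was_used_recently(new_password):
            return False
        self._store(new_password, now)
        return True


def run_scenario() -> tuple:
    """Constructed account timeline; returns the policy decisions in order."""
    rec = PasswordRecord("correct horse", datetime(2008, 6, 1))
    before_deadline = rec.is_expired(datetime(2008, 8, 1))              # 61 days: not yet
    after_deadline = rec.is_expired(datetime(2008, 9, 1))               # 92 days: expired
    revert_rejected = rec.change("correct horse", datetime(2008, 9, 1))  # same password again
    new_accepted = rec.change("battery staple", datetime(2008, 9, 1))    # genuinely new
    old_still_blocked = rec.change("correct horse", datetime(2008, 12, 1))  # still in history
    fresh_after_change = rec.is_expired(datetime(2008, 10, 1))          # 30 days: not yet
    return (before_deadline, after_deadline, revert_rejected,
            new_accepted, old_still_blocked, fresh_after_change)


if __name__ == "__main__":
    print(run_scenario())   # (False, True, False, True, False, False)
```

Note what the history check does and does not buy: it stops the exact reuse the text describes, but a user who appends a digit to the old password passes it, which is one reason the evidence for rotation as a net benefit is thin.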