CSC 379 SUM2008:Week 3, Group 3
Costs and Benefits of Password Regulations
“Best practices” sometimes seem to take on a life of their own, independent of any recent assessment of their costs and benefits. An example is password policies: maximum length, restrictions on the characters that can be used, and password-change frequency. Evaluate these popular password regulations. Do they provide adequate benefits for the costs incurred? What ethical considerations do poorly evaluated “best practices” raise? Do policy-makers have an ethical responsibility to evaluate “best practices” before they are adopted? A responsibility to re-evaluate existing practices?
Cite specific evidence in your cost/benefit analysis from quality sources (professional/academic journals preferred).
- http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1013839
- http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1588836
- http://portal.acm.org/citation.cfm?id=322796.322806
- http://portal.acm.org/citation.cfm?id=581370
- http://portal.acm.org/citation.cfm?id=986664
"Best Practices" Research
Policies
Password Length
Character Restriction
Password Change Frequency
Policies for major corporations usually require that employees change their password after a certain period of time. Typically, this time frame is between 90 days and 6 months. Requiring a password change at fixed intervals limits the amount of time an attacker has to break the current password. In addition, if an attacker has already obtained the password, they have only a limited window in which to use it before it is changed. The latter reason can be considered quite weak, since it takes an attacker only minutes or, at most, hours to retrieve the information they are looking for.
A major downside of requiring a password change after a certain amount of time is that most users will simply change it back to the old password anyway, nullifying any benefit that could be gained from changing a password frequently. There are few studies on whether changing a password at fixed intervals has actually increased security. Also, employees do not want to waste time changing their password frequently and must be reminded to do so. This devotes unnecessary resources to a practice that the user probably will not follow anyway.
There was no easily available evidence that any benefit has been gained from adopting this policy.
Password History Restriction
Some companies have begun to adopt what are called password history restrictions. Under this policy, when users are required to change their password after a certain amount of time, they are prevented from reusing a certain number of their previous passwords. Typically, this ranges from just one previous password up to five. The goal of the policy is to stop users from cycling back to the same password over and over, one that attackers may have been trying to brute-force all along. If users are required to change their password at set intervals, the change yields no security improvement when they simply enter the same password again.
A major drawback of this policy is that the more previous passwords users are barred from reusing, the more inclined they are to simply write the password down. Trying to remember which one to five previous passwords were used for even a single account is overly tedious for the user, and it wastes company resources for the user to keep track of creating and remembering an updated password.
There is no easily available research to prove that adopting this policy yields any real security benefit. In addition, there is no research showing how many users write down their passwords, or what history-restriction limit would drive them to do so.
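As an added illustration, not part of the group's write-up, here is how the two policies above (change frequency and history restriction) are typically enforced together for one account. It assumes a 90-day interval and a history depth of 5 as defaults (taken from the ranges quoted above), stores each remembered password as a salted PBKDF2 digest so old passwords are never kept in the clear, and counts time in whole days for simplicity.

```python
import hashlib
import hmac
import os

# Assumed defaults, taken from the ranges quoted above (90 days, up to 5 previous passwords).
DEFAULT_MAX_AGE_DAYS = 90
DEFAULT_HISTORY_DEPTH = 5


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256. Each remembered password gets its own salt, so the
    stored digests can only be compared against a candidate password, not each other."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    """State for one account under a change-frequency plus history-restriction policy.
    Time is tracked as a day number (days since an arbitrary epoch) to keep it simple."""

    def __init__(self, max_age_days=DEFAULT_MAX_AGE_DAYS, history_depth=DEFAULT_HISTORY_DEPTH):
        self.max_age_days = max_age_days
        self.history_depth = history_depth  # previous passwords that may not be reused
        self.history = []                   # (salt, digest) pairs, newest last
        self.changed_on = None              # day number of the last change

    def is_reused(self, candidate: str) -> bool:
        # One PBKDF2 derivation per remembered password: the cost of this check
        # grows linearly with the history depth.
        return any(hmac.compare_digest(_derive(candidate, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, candidate: str, today: int) -> bool:
        """Accept the new password unless it matches the current one or any of the
        last `history_depth` previous ones; returns whether it was accepted."""
        if self.is_reused(candidate):
            return False
        salt = os.urandom(16)
        self.history.append((salt, _derive(candidate, salt)))
        # Remember the current password plus `history_depth` previous ones.
        self.history = self.history[-(self.history_depth + 1):]
        self.changed_on = today
        return True

    def is_expired(self, today: int) -> bool:
        """True once the rotation interval has elapsed (or no password was ever set)."""
        return self.changed_on is None or today - self.changed_on >= self.max_age_days
```

With a history depth of N, a user who rotates through N+1 passwords lands back on the first one, which is the cycling behaviour the paragraphs above describe.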