Research and recommendations on modern password policies
This is a collection of academic research papers and recommendations from information security professionals on the topic of password policies and use of passwords in computer systems.
Standards bodies
NIST
https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticators.md
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
NIST 800-63b draft revision 4
In the current draft of the new revision for this standard, composition rules is upgraded from SHOULD NOT to SHALL NOT: Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
The entirety of section 3. Authenticator and Verifier Requirements has been improved with a breakdown of rules and classifications for regular passwords, one-time passcodes (OTP), session secrets, etc.
Major organisations
Australian Signals Directorate
https://www.asd.gov.au/publications/protect/Passphrase_Requirements.pdf
ASD encourages the use of longer passphrases without complexity … ASD also encourages system owners to consider whether passphrases need to expire or not
Microsoft Guidelines
Password expiration policies do more harm than good
Password guidelines for administrators… Don’t require mandatory periodic password resets for user accounts
Australian Government
https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords
Stop frequently changing passwords, for example each month, as it leads to poor passwords being created
Australian Cyber Security Center
https://www.acsc.gov.au/publications/protect/passphrase-requirements.htm
ACSC recommends they be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement
Government of Canada
https://www.canada.ca/en/government/system/digital-government/password-guidance.html#toc3
Favour length over complexity. Eliminate password expiry.
UK National Cyber Security Centre
https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords
UK Information Commissioner’s Office
As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a personal data breach.
European Union Agency for Cybersecurity
https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/authentication-methods
Use long passwords. Do not force users to mix and match different types of character sets.
US FTC
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.
SANS Institute
https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die
changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization
https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
Passwords should be changed only when there is reason to believe a password has been compromised
FBI
Instead of using a short, complex password that is hard to remember, consider using a longer passphrase.
Academic Research
Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.
http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
In sum … the burden appears to shift to those who continue to support password aging policies, to explain why
Yinqian Zhang, Fabian Monrose, and Michael K Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), 2010
Using this framework, we confirm previous conjectures that the effectiveness of expiration in meeting its intended goal is weak
Koppel R, Smith S, Blythe J, Kothari V. Workarounds to computer access in healthcare organizations: you want my password or a dead patient? Stud Health Technol Inform. 2015;208:215-20. PMID: 25676976.
https://www.cs.dartmouth.edu/~sws/pubs/ksbk15-draft.pdf
Standard accepted practices for strong password hygiene can be non-existent in healthcare—the US Inspection General notes that NIST will certify EHR systems as secure even if passwords are only one-character long [13]. However, it’s not clear that stronger password requirements yield better security. A medical informatics officer lamented that “routine password expiry…forces everyone to write down their password.”
Expiry can also directly impact patient care: one physician colleague lamented that a practice may require a physician to do rounds at a hospital monthly—but that unfortunate expiration intervals can force the physician to spend as long at the help desk resetting an expired password as he or she then spends treating patients.
Security Experts
Bill Burr - original designer of password rotation policies
https://www.engadget.com/2017/08/08/nist-new-password-guidelines/
Much of what I did I now regret
Troy Hunt
https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
Forcibly rotating passwords is a modern-day security anti-pattern