We are happy to announce that our journal paper, Quantifying the Security Advantage of Password Expiration Policies, will appear in an upcoming issue of Springer’s Designs, Codes and Cryptography. A pre-print authors’ copy is available on our publications page.
The abstract of the paper is as follows:
Many security policies force users to change passwords within fixed intervals, with the apparent justification that this improves overall security. However, the implied security benefit has never been explicitly quantified. In this note, we quantify the security advantage of a password expiration policy, finding that the optimal benefit is relatively minor at best, and at worst questionable in light of overall costs.