[cryptography] Password non-similarity?

Kevin W. Wall kevin.w.wall at gmail.com
Tue Jan 3 21:41:26 EST 2012

On Tue, Jan 3, 2012 at 8:07 PM,  <dan at geer.org> wrote:
>  > So I would conjecture, at least in cases like this where users only
>  > login infrequently, that the password change policy every N days
>  > be done away with, or at the very least, we make N something
>  > reasonably long, like 365 or more days.
> Kevin, are you suggesting a "50 uses and change it" rule?

Well, in the cases where users login infrequently, such as their telco
or wireless carrier where users only login once a month to pay their bill,
I think that makes more sense than requiring them to change it
every 90 days or so. Very few people are going to be able to memorize
their password when they only use it once a month and you make them
change it every 3 months (3 tries). In such cases, you could get almost
the same effect by making the change period very long. For instance,
instead of requiring a password change every 90 days, make them
change it once every 2 years. And if you do that by uses instead of
by days, it makes it a LOT easier / more relevant to warn them that
they have a password change coming up so it won't take them by
surprise. IMO, that's another reason why people have such a problem
logging in. We have a policy something like warn the user 10 days in
advance that their password is going to change, but they only log in
every 30 days, so at the end of those (say) 90 days, they are surprised
by "Your password has expired. Please change it." message. Not only
do they not get a chance to think of a decent password that they can
remember, but they may not be prepared to safely record it. (For example,
maybe they use something like PasswordSafe to store it, but it's on
a USB flash drive that they don't happen to have at the moment b/c you've
taken them by surprise.) If instead, they could be greeted by a message
something like "You have 2 more uses of your current password allowed.
Would you like to change it now?" then they are not going to be hit
out of the blue that their password has expired. Unlike warnings that
are based on time (D days before password is scheduled to expire)
that the user might never see, at least they would always see these
warnings. Hopefully less surprise means better, stronger passwords.

I don't think this is suitable for everything though. For example, if you
use Active Directory passwords inside your corporation for also logging
into lots of different servers, I think time-based expiration would work
better than usage-based expiration there. Otherwise, you'd have some
people that would have to be changing their password every 10 days
and others that would only be changing it every 250 days. There,
employee turnover also probably makes time-based expiration more

Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
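As an added illustration (not part of Kevin's mail or any product he mentions), a small Python simulation of the two expiry models for the once-a-month user described above, using the 90-day expiry, 10-day warning window and "3 tries" figures from the post. The dates, login schedule and status labels are constructed for the example.

```python
from datetime import date, timedelta


def time_based_status(set_on: date, today: date,
                      max_age_days: int = 90, warn_days: int = 10) -> str:
    """Time-based expiry: the warning exists only inside the last
    warn_days of the password's life, whether or not the user logs in then."""
    age = (today - set_on).days
    if age >= max_age_days:
        return "expired"
    if age >= max_age_days - warn_days:
        return "warn"
    return "ok"


def usage_based_status(uses_so_far: int, max_uses: int = 3, warn_uses: int = 2) -> str:
    """Usage-based expiry: uses_so_far counts logins with this password,
    including the current one. Because the check runs at login, every
    warning is shown to the user on a screen they are actually looking at."""
    remaining = max_uses - uses_so_far
    if remaining <= 0:
        return "change_now"
    if remaining <= warn_uses:
        return f"warn:{remaining}"  # e.g. "You have 2 more uses allowed"
    return "ok"


def simulate(set_on: date, login_day_offsets: list[int]) -> list[tuple[str, str]]:
    """Return what the user sees at each login under both policies.
    login_day_offsets are days after the password was set (constructed data)."""
    seen = []
    for use_number, offset in enumerate(login_day_offsets, start=1):
        today = set_on + timedelta(days=offset)
        seen.append((time_based_status(set_on, today), usage_based_status(use_number)))
    return seen


if __name__ == "__main__":
    # Constructed scenario: password set on 3 Jan 2012, bill paid every 30 days.
    for time_status, usage_status in simulate(date(2012, 1, 3), [30, 60, 90]):
        print(f"time-based: {time_status:8}  usage-based: {usage_status}")
```

The monthly user never lands inside the 10-day window, so the only time-based message they ever see is "expired", while the usage-based policy warns them twice before the forced change.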
