m33x · May 3, 2019 09:46
diff --git a/password_expiration.txt b/password_expiration.txt
 # Some Standards Bodies (as of May 2019)
 ### Pro Password Expiration
 - PCI DSS (Visa, Mastercard), BSI (DE)

 ### Contra Password Expiration
 - Academia, NIST (USA), NCSC (UK)

 # Some recent research and comments on the negative consequences of enforcing password expiration
 2010 - Where Do Security Policies Come From?
 https://cups.cs.cmu.edu/soups/2010/proceedings/a10_florencio.pdf

 2010 - The True Cost of Unusable Password Policies: Password Use in the Wild
 https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf

 2010 - The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis
 http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf

 2014 - United States Federal Employees’ Password Management Behaviors – A Department of Commerce Case Study
 https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7991.pdf

 2015 - Quantifying the Security Advantage of Password Expiration Policies
 http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

 2015 - Why we hate IT: Two surveys on pre‐generated and expiring passwords in an academic setting
 https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1184

 2016 - The Problems with Forcing Regular Password Expiry
 https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

 2016 - Time to rethink mandatory password changes
 https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

 2016 - Revisiting Password Rules: Facilitating Human Management of Passwords
 http://people.scs.carleton.ca/~paulv/papers/eCrime2016pwdrules.pdf

 2018 - User Behaviors and Attitudes Under Password Expiration Policies
 https://www.usenix.org/system/files/conference/soups2018/soups2018-habib-password.pdf


 # Some related sources showing that users will change their passwords in very predictable ways

 2014 - The Tangled Web of Password Reuse
 http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf

 2016 - Targeted Online Password Guessing: An Underestimated Threat
 http://wangdingg.weebly.com/uploads/2/0/3/6/20366987/ccs16_final_v12.pdf

 2016 - Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites
 https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-wash.pdf

 2018 - “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications
 https://www.mobsec.ruhr-uni-bochum.de/media/mobsec/veroeffentlichungen/2018/09/10/ccsf266-finalv1.pdf

 2018 - Abusing Password Reuse at Scale: Bcrypt and Beyond
 https://www.youtube.com/watch?v=5su3_Py8iMQ

 2018 - Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis
 http://faculty.cs.tamu.edu/guofei/paper/PasswordReuse-TDSC.pdf

 2019 - Beyond Credential Stuffing: Password Similarity Models using Neural Networks
 https://www.cs.cornell.edu/~rahul/papers/ppsm.pdf
	# Some Standards Bodies (as of May 2019)
	### Pro Password Expiration
	- PCI DSS (Visa, Mastercard), BSI (DE)

	### Contra Password Expiration
	- Academia, NIST (USA), NCSC (UK)

	# Some recent research and comments on the negative consequences of enforcing password expiration
	2010 - Where Do Security Policies Come From?
	https://cups.cs.cmu.edu/soups/2010/proceedings/a10_florencio.pdf

	2010 - The True Cost of Unusable Password Policies: Password Use in the Wild
	https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf

	2010 - The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis
	http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf

	2014 - United States Federal Employees’ Password Management Behaviors – A Department of Commerce Case Study
	https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7991.pdf

	2015 - Quantifying the Security Advantage of Password Expiration Policies
	http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

	2015 - Why we hate IT: Two surveys on pre‐generated and expiring passwords in an academic setting
	https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1184

	2016 - The Problems with Forcing Regular Password Expiry
	https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

	2016 - Time to rethink mandatory password changes
	https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

	2016 - Revisiting Password Rules: Facilitating Human Management of Passwords
	http://people.scs.carleton.ca/~paulv/papers/eCrime2016pwdrules.pdf

	2018 - User Behaviors and Attitudes Under Password Expiration Policies
	https://www.usenix.org/system/files/conference/soups2018/soups2018-habib-password.pdf


	# Some related sources showing that users will change their passwords in very predictable ways

	2014 - The Tangled Web of Password Reuse
	http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf

	2016 - Targeted Online Password Guessing: An Underestimated Threat
	http://wangdingg.weebly.com/uploads/2/0/3/6/20366987/ccs16_final_v12.pdf

	2016 - Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites
	https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-wash.pdf

	2018 - “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications
	https://www.mobsec.ruhr-uni-bochum.de/media/mobsec/veroeffentlichungen/2018/09/10/ccsf266-finalv1.pdf

	2018 - Abusing Password Reuse at Scale: Bcrypt and Beyond
	https://www.youtube.com/watch?v=5su3_Py8iMQ

	2018 - Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis
	http://faculty.cs.tamu.edu/guofei/paper/PasswordReuse-TDSC.pdf

	2019 - Beyond Credential Stuffing: Password Similarity Models using Neural Networks
	https://www.cs.cornell.edu/~rahul/papers/ppsm.pdf