Skip to content

Instantly share code, notes, and snippets.

@technion
Last active October 15, 2024 09:39
Show Gist options
  • Save technion/65c652194fb1427e6828ea23ff46d280 to your computer and use it in GitHub Desktop.
Save technion/65c652194fb1427e6828ea23ff46d280 to your computer and use it in GitHub Desktop.
A set of references on modern password policies

References on modern password policies

Below links provide source, reference link and relevant quote

Standards

NIST

https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticators.md

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Major organisations

Australian Signals Directorate

https://www.asd.gov.au/publications/protect/Passphrase_Requirements.pdf

ASD encourages the use of longer passphrases without complexity ... ASD also encourages system owners to consider whether passphrases need to expire or not

Australian Government

You shouldn’t change your passwords often, such as every month, as this leads to poor passwords https://www.servicesaustralia.gov.au/individuals/subjects/how-protect-against-scams/personal-information-security

Microsoft Guidelines

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Password expiration policies do more harm than good

https://support.office.com/en-us/article/Password-policy-recommendations-for-Office-365-9fa2539a-2211-41fd-85a0-bc37b9619ca4

Password guidelines for administrators... Don't require mandatory periodic password resets for user accounts

Australian Government

https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords

Stop frequently changing passwords, for example each month, as it leads to poor passwords being created

Australian Cyber Security Center

https://www.acsc.gov.au/publications/protect/passphrase-requirements.htm

ACSC recommends they be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement

Government of Canada

https://www.canada.ca/en/government/system/digital-government/password-guidance.html#toc3

Favour length over complexity. Eliminate password expiry.

UK National Cyber Security Centre

https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry

The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords

UK Information Commissioner's Office

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/

As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a personal data breach.

European Union Agency for Cybersecurity

https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/authentication-methods

Use long passwords. Do not force users to mix and match different types of character sets.

US FTC

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.

SANS Institute

https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die

changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization

https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy

Passwords should be changed only when there is reason to believe a password has been compromised

Gartner

Best Practices for Managing Passwords: Policies Must Balance Risk, Compliance and Usability Needs

Password Aging Is Widely Advocated but Rarely Worthwhile

Password Aging Can Burden an Already-Weak Authentication Method

Password aging is commonly advocated as a necessary standard; however, it is difficult to identify cases in which it has improved the level of security or prevented an incident. In many cases, it can induce user behaviors that may actually create security risks.

Academic Research

Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.

http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

In sum ... the burden appears to shift to those who continue to support password aging policies, to explain why

Yinqian Zhang, Fabian Monrose, and Michael K Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), 2010

Using this framework, we confirm previous conjectures that the effectiveness of expiration inmeeting its intended goal is weak

Security Experts

Bill Burr - original designer of password rotation policies

https://www.engadget.com/2017/08/08/nist-new-password-guidelines/

Much of what I did I now regret

Troy Hunt

https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

forcibly rotating passwords is a modern-day security anti-pattern

@jpayoung
Copy link

jpayoung commented May 2, 2024

@jpayoung
Copy link

jpayoung commented May 2, 2024

@technion would you be okay if I fork / port this to a repo which others can contribute to? (Or if you have one already, I'll contribute there). Cheers!

@technion
Copy link
Author

technion commented May 4, 2024

You're most welcome to fork this. Hopefully you'll have better luck than I've had in convincing people what a modern best practice looks like.

@jpayoung
Copy link

jpayoung commented May 4, 2024

We'll see! Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment