Password change time frames

Windows security threats expert Kevin Beaver gives recommendations on how often business should require user password changes.

We have implemented a password management tool which has allowed us to set several password strengthening policies. We also have the lockout parameter set on all accounts so that an account is locked after three failed attempts. We don't allow users to re-use a password within a year's time. We also have a fairly good security awareness program, which among other things regularly educates users on the risk of choosing a weak password.

We have been getting feedback from our Help Desk area that password issues are one of their top call volumes. We have kicked around the idea of moving from a 30-day expiration to a 60 or 90-day expiration to try to reduce the number of Help Desk calls for password issues. What are the down sides to this approach?

I think the "downsides" are going to be that your help desk team and your end users are going to end up being more productive. There is a certain amount of risk involved with not changing passwords periodically in that an account could be brute-forced or dictionary-attacked in between password changes. However, with the time-memory trade-off utilized by RainbowCrack, Ophcrack, Proactive Password Auditor, etc. it's essentially a moot point. Rainbow tables (pre-calculated password hashes) enable the cracking of passwords in very short periods of time. I recommend requiring password changes every 6 months or one year at the most. As long as there's no reason to suspect password compromise, I don't think it's good for business to do it any more often.

View questions and answers from all of our Windows security experts here.

This was first published in May 2006

Dig Deeper on User passwords and network permissions



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: