Ask the Expert

Password change time frames

We have implemented a password management tool which has allowed us to set several password strengthening policies. We also have the lockout parameter set on all accounts so that an account is locked after three failed attempts. We don't allow users to re-use a password within a year's time. We also have a fairly good security awareness program, which among other things regularly educates users on the risk of choosing a weak password.

We have been getting feedback from our Help Desk area that password issues are one of their top call volumes. We have kicked around the idea of moving from a 30-day expiration to a 60 or 90-day expiration to try to reduce the number of Help Desk calls for password issues. What are the down sides to this approach?

I think the "downsides" are going to be that your help desk team and your end users are going to end up being more productive. There is a certain amount of risk involved with not changing passwords periodically in that an account could be brute-forced or dictionary-attacked in between password changes. However, with the time-memory trade-off utilized by RainbowCrack, Ophcrack, Proactive Password Auditor, etc. it's essentially a moot point. Rainbow tables (pre-calculated password hashes) enable the cracking of passwords in very short periods of time. I recommend requiring password changes every 6 months or one year at the most. As long as there's no reason to suspect password compromise, I don't think it's good for business to do it any more often.
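As an added illustration of the time-memory trade-off the answer refers to (example code written for this page, not from the column or from any of the tools it names), the following Python builds a tiny precomputed hash table over a constructed wordlist and shows why a captured unsalted hash is recovered by lookup no matter when the password was last changed, while a per-user salt plus a slow key-derivation function makes the same table useless. The wordlist, hashes and the names `build_table`, `lookup_precomputed`, `unsalted_hash` and `salted_hash` are this example's own assumptions.

```python
import hashlib
import os

# Constructed sample "password space": the kind of guessable choices an
# awareness program warns about. A real table covers billions of
# candidates, but the mechanics are the same.
WORDLIST = ["Summer2006", "Password1", "Welcome123", "Autumn2006", "letmein"]


def unsalted_hash(password: str) -> str:
    """Hash with no per-user salt: every user with this password gets the
    same digest, so one table precomputed in advance serves every capture."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_table(wordlist) -> dict:
    """The expensive step, done once, offline, and reused indefinitely.
    Maps digest -> plaintext for every candidate in the space."""
    return {unsalted_hash(pw): pw for pw in wordlist}


def lookup_precomputed(table: dict, digest: str):
    """The cheap step: a captured digest is resolved by dictionary lookup,
    in constant time, regardless of when the password was set."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The salt
    means a table built in advance does not apply (it would have to be
    rebuilt per user), and the iteration count makes each rebuild costly."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()


def new_salt() -> bytes:
    """A fresh 16-byte random salt for each stored password."""
    return os.urandom(16)


if __name__ == "__main__":
    table = build_table(WORDLIST)
    # Rotating from one weak password to another on a 30-day schedule does
    # not help: both digests are already in the table, so each is recovered
    # the moment its hash is captured.
    for pw in ("Summer2006", "Autumn2006"):
        print(pw, "->", lookup_precomputed(table, unsalted_hash(pw)))
    # With a per-user salt the same table finds nothing.
    salt = new_salt()
    print("salted ->", lookup_precomputed(table, salted_hash("Summer2006", salt)))
```

The point for the policy question is that expiry interval is not the variable that defeats precomputed attacks; the hashing scheme is. Shortening rotation adds help-desk load without changing the lookup cost, whereas salting and a slow KDF push the cost back onto the attacker for every user separately.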

This was first published in May 2006
