Password change time frames
We have implemented a password management tool which has allowed us to set several password strengthening policies. We also have the lockout parameter set on all accounts so that an account is locked after three failed attempts. We don't allow users to re-use a password within a year's time. We also have a fairly good security awareness program, which among other things regularly educates users on the risk of choosing a weak password.
We have been getting feedback from our Help Desk area that password issues are one of their top call volumes. We have kicked around the idea of moving from a 30-day expiration to a 60 or 90-day expiration to try to reduce the number of Help Desk calls for password issues. What are the down sides to this approach?
I think the "downsides" are going to be that your help desk team and your end users are going to end up being more productive. There is a certain amount of risk involved with not changing passwords periodically in that an account could be brute-forced or dictionary-attacked in between password changes. However, with the time-memory trade-off utilized by RainbowCrack, Proactive Password Auditor, etc., it's essentially a moot point. Rainbow tables (pre-calculated password hashes) enable the cracking of passwords in very short periods of time. I recommend requiring password changes every 6 months or one year at the most. As long as there's no reason to suspect password compromise, I don't think it's good for business to do it any more often.
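The time-memory trade-off the answer refers to is easier to reason about with a working miniature. The following is an added example, not code from the original column or from RainbowCrack or Proactive Password Auditor: a toy rainbow table in Python over a four-digit password space, with SHA-1 standing in for an unsalted hash such as LM/NTLM (the real hash, alphabet, chain length and chain count are assumptions chosen so the whole table builds in well under a second). It precomputes hash/reduce chains once, stores only their endpoints, and then recovers a password from its hash in a handful of operations. The last function shows the contrast the trade-off depends on: once a per-user salt enters the hash, the precomputed table no longer applies.

```python
import hashlib

# Toy parameters (assumed for illustration): a 4-digit PIN space so the whole
# table builds in well under a second. Real tables cover far larger spaces.
ALPHABET = "0123456789"
LENGTH = 4
SPACE = len(ALPHABET) ** LENGTH        # 10,000 candidate passwords
CHAIN_LEN = 8                          # hash/reduce steps per chain
NUM_CHAINS = 2500                      # CHAIN_LEN * NUM_CHAINS = 20,000 hashes, computed once


def H(pw: str) -> bytes:
    """Unsalted hash. SHA-1 stands in for LM/NTLM: same input gives the same digest on every host."""
    return hashlib.sha1(pw.encode()).digest()


def encode(n: int) -> str:
    """Map an integer in [0, SPACE) to a password string (least significant digit first)."""
    chars = []
    for _ in range(LENGTH):
        n, d = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[d])
    return "".join(chars)


def R(h: bytes, step: int) -> str:
    """Reduction function: fold a digest back into the password space.
    Mixing in the column index gives each column its own reduction, which limits chain merges."""
    return encode((int.from_bytes(h[:8], "big") + step) % SPACE)


def build_table() -> dict:
    """Precomputation (the 'memory' side of the trade-off): store only chain endpoint -> start."""
    table = {}
    for i in range(NUM_CHAINS):
        start = encode((i * 4) % SPACE)      # deterministic, spread-out starting points
        pw = start
        for step in range(CHAIN_LEN):
            pw = R(H(pw), step)
        table.setdefault(pw, start)          # merged chains keep the first start seen
    return table


def lookup(table: dict, target: bytes):
    """Online phase: assume the target digest sits at column j, regenerate the rest of the
    chain, and if that endpoint is stored, walk the chain from its start to find the preimage."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, j)
        for step in range(j + 1, CHAIN_LEN):
            pw = R(H(pw), step)
        if pw in table:
            cand = table[pw]
            for step in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = R(H(cand), step)      # endpoint matched but this column did not: false alarm, keep walking
    return None


def salted_hash(pw: str, salt: bytes) -> bytes:
    """Contrast: a per-user salt changes the digest, so a table built for H() never matches."""
    return hashlib.sha1(salt + pw.encode()).digest()


if __name__ == "__main__":
    table = build_table()
    start = next(iter(table.values()))
    victim = R(H(start), 0)                  # a password known to lie inside a stored chain
    print("table entries:", len(table))
    print("unsalted digest recovered as:", lookup(table, H(victim)))
    print("salted digest lookup:", lookup(table, salted_hash(victim, b"per-user-salt")))
```

The table holds at most 2,500 endpoints yet lets the lookup answer for any password inside a stored chain by recomputing at most a few dozen hashes, which is the trade the answer is describing: a large one-time precomputation bought with storage, then near-instant per-hash recovery. The `salted_hash` call shows the precondition for that trade: the hash must be a pure function of the password. LM and NTLM hashes are unsalted, which is why tables for them are practical; a scheme that mixes in a per-user salt forces a separate table per salt value.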
This was first published in May 2006