
Password change time frames

Windows security threats expert Kevin Beaver gives recommendations on how often businesses should require users to change their passwords.

We have implemented a password management tool which has allowed us to set several password-strengthening policies. We also have the lockout parameter set on all accounts so that an account is locked after three failed attempts. We don't allow users to re-use a password within a year's time. We also have a fairly good security awareness program, which among other things regularly educates users on the risk of choosing a weak password.

We have been getting feedback from our Help Desk area that password issues are one of their top call volumes. We have kicked around the idea of moving from a 30-day expiration to a 60- or 90-day expiration to try to reduce the number of Help Desk calls for password issues. What are the downsides to this approach?

I think the "downsides" are going to be that your help desk team and your end users are going to end up being more productive. There is a certain amount of risk involved with not changing passwords periodically, in that an account could be brute-forced or dictionary-attacked in between password changes. However, with the time-memory trade-off utilized by RainbowCrack, Ophcrack, Proactive Password Auditor, etc., it's essentially a moot point. Rainbow tables (pre-calculated password hashes) enable the cracking of passwords in very short periods of time. I recommend requiring password changes every 6 months or one year at the most. As long as there's no reason to suspect password compromise, I don't think it's good for business to do it any more often.
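As an added example that is not part of the original question or answer: the policy the question describes (30-day expiry, lockout after three failures, no reuse within a year) next to the six-month expiry the answer recommends, expressed with the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later, which postdates this 2006 page; the question does not name its password management tool). The domain name corp.example.com, the 12-character minimum length, the 1-day minimum age, the 30-minute lockout duration and window, and the user name jdoe are assumptions; the page itself gives only the expiry, the lockout threshold and the reuse ban.

```powershell
# Added example, not code from the original Q&A. Requires the ActiveDirectory module
# (RSAT or a domain controller) and rights to edit the default domain policy.
Import-Module ActiveDirectory

$domain = 'corp.example.com'   # assumption: substitute your domain's DNS name

# The policy as the question describes it. Windows remembers passwords by COUNT,
# not by elapsed time, so "no reuse within a year" has to be derived:
#   12 remembered passwords x 30-day maximum age = one year under normal rotation.
# MinPasswordAge is the hard floor: without it a user can change 12 times in a
# minute and land back on the old password. Length and lockout timings are assumed.
$current = @{
    MaxPasswordAge           = New-TimeSpan -Days 30
    MinPasswordAge           = New-TimeSpan -Days 1
    PasswordHistoryCount     = 12
    LockoutThreshold         = 3                      # three failed attempts, as in the question
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30   # must not exceed LockoutDuration
    ComplexityEnabled        = $true
    MinPasswordLength        = 12
}

# The answer's recommendation: expire every six months instead of every 30 days.
# Everything else stays; the history count is deliberately NOT reduced, because
# 12 x 180 days now blocks a password from recurring for six years under normal
# rotation, and 12 x 1 day still blocks rapid cycling back to an old password.
$proposed = $current.Clone()
$proposed.MaxPasswordAge = New-TimeSpan -Days 180

Set-ADDefaultDomainPasswordPolicy -Identity $domain @proposed

# Verify what actually took effect rather than trusting the call.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow

# The answer's exception: a suspected compromise is handled by forcing a reset on
# the affected account, not by shortening the expiry for everyone.
Set-ADUser -Identity 'jdoe' -ChangePasswordAtLogon $true   # 'jdoe' is a placeholder
```

When lengthening MaxPasswordAge, re-derive the reuse interval from PasswordHistoryCount and MinPasswordAge rather than assuming the "one year" guarantee carries over, and run the Get step afterwards: if a fine-grained password policy applies to a group, it overrides the default domain policy for those users and this change will not reach them.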


This was last published in May 2006

