decrypt[.]fail

infosec

Over the last couple of years there have been numerous debates on whether it is a good idea to get rid of password expiration. The arguments against password expiration are usually variations of the following:

1. Forcing users to change their passwords on a regular basis leads to widespread use of weak passwords.

2. Frequent password changes across many systems lead to password re-use (the user ends up using the same password everywhere).

3. Putting the burden of security on the user is wrong; technology should do the heavy lifting.

What is interesting about most of the conversations I read is that they seem to ignore all the other password improvements that the advocates for getting rid of password expiration usually cite. When you get rid of password expiration, you are supposed to also do the following:

A. Improve password length significantly (switch from passwords to pass phrases)

B. Get rid of some password complexity requirements (Special characters are really hard to remember!)

C. Introduce a Password Blacklist (e.g. block the word 'password' or its variations like 'p4ssw0rd')

D. Monitor your user accounts for leaked credentials and force password changes once you detect a leaked credential!

Now, A, B and C are really easy to deliver: you can just install and configure some tech that does the job for you. It is pretty much a set-and-forget kind of thing to implement. D, however, is a completely different beast; see the paragraphs below.
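The four measures above, as added example code that is not from the decrypt.fail post: a Python policy check that enforces a pass-phrase length floor (A), deliberately imposes no character-class rule (B), blocks a blacklist after undoing leetspeak substitutions (C), and checks a candidate against breached hashes using the k-anonymity prefix split (D). It also shows the second half of D, matching a leaked credential dump against your own user store so that only the affected accounts are forced to change. The blacklist, breach table, user store and dump are constructed sample data; `range_lookup` stands in for a real range-query API and makes no network call; the 15-character minimum and the function names are assumptions.

```python
"""Password policy checks for the 'drop expiration, do A-D instead' approach.

Added illustration, not code from decrypt.fail. All data below is constructed.
"""
import hashlib
import hmac
import os
import string
import unicodedata

MIN_LENGTH = 15  # A: pass-phrase length floor (assumed value, pick your own)
# B: no special-character rule, on purpose: nothing here counts character classes.

# C: constructed blacklist; a real one holds many thousands of breach-derived entries.
BLACKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})
_EDGE = string.digits + string.punctuation + " "


def is_blacklisted(pw: str) -> bool:
    """True if pw is a blacklisted word or a 'Password123!' / 'p4ssw0rd' style variation."""
    folded = unicodedata.normalize("NFKC", pw).casefold()
    # Two normalizations: strip edge digits/punctuation then undo leetspeak ('password1!'),
    # and undo leetspeak then strip ('@dmin'); either hitting the list counts.
    candidates = {folded.strip(_EDGE).translate(LEET),
                  folded.translate(LEET).strip(_EDGE)}
    return any(c in BLACKLIST for c in candidates)


# D (at password-set time): breached-hash check with the k-anonymity range scheme.
def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a range database: 5-char prefix -> suffixes seen in breaches.
_BREACHED = ["password", "p4ssw0rd", "Summer2019!", "correct horse battery staple"]
_RANGE_DB = {}
for _p in _BREACHED:
    _h = _sha1_hex(_p)
    _RANGE_DB.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix: str) -> set:
    """Stand-in for a GET /range/{prefix} call; only the 5-char prefix would leave the host."""
    return _RANGE_DB.get(prefix, set())


def is_breached(pw: str) -> bool:
    h = _sha1_hex(pw)
    return h[5:] in range_lookup(h[:5])


def evaluate(pw: str) -> list:
    """Reasons a candidate password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if is_blacklisted(pw):
        reasons.append("blacklisted")
    if is_breached(pw):
        reasons.append("breached")
    return reasons


# D (ongoing monitoring): when a credential dump surfaces, find which of *your* users are in it.
def make_verifier(pw: str, salt: bytes = None) -> tuple:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


USERS = {  # constructed user store: username -> (salt, PBKDF2 verifier)
    "alice": make_verifier("correct horse battery staple"),
    "bob": make_verifier("mangrove tuesday rivet glow"),
}

# Constructed dump: (username, plaintext) pairs as they would appear in a leak.
LEAK = [("alice", "correct horse battery staple"), ("bob", "wrongguess"), ("carol", "x")]


def accounts_to_reset(users: dict, leak: list) -> list:
    """Usernames whose stored verifier matches a leaked plaintext: force a change for these only."""
    hits = set()
    for name, leaked_pw in leak:
        if name not in users:
            continue
        salt, verifier = users[name]
        probe = hashlib.pbkdf2_hmac("sha256", leaked_pw.encode("utf-8"), salt, 100_000)
        if hmac.compare_digest(probe, verifier):
            hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    for candidate in ["p4ssw0rd", "Password123!", "correct horse battery staple",
                      "mangrove tuesday rivet glow"]:
        print(f"{candidate!r}: {evaluate(candidate) or 'accepted'}")
    print("force reset for:", accounts_to_reset(USERS, LEAK))
```

Note what the long passphrase case shows: "correct horse battery staple" passes A, B and C and still fails D, which is why the breach check cannot be skipped once expiration is gone. The monitoring half is the part that is not set-and-forget: it needs a feed of dumps, a way to verify each leaked plaintext against the matching account, and a reset that hits only the accounts that actually matched.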

Read more...