I see mandatory password changes on a fixed interval as a sop to security without any actual value, and with the potential of negative value.
Changing passwords on a fixed interval was created as a policy when it was calculated that brute-forcing a login would take 60 days with then-current hardware, no matter how complex the password, within then-current complexity rules.
It functionally became obsolete the moment security also included "three tries and then lockout" type rules.
If you don't have lockout rules, then yes, changing the password with some frequency has some slight value. Maybe.
Since its whole purpose is to block brute-forcing attempts, imagine this scenario:
The brute-force system starts with "" and works its way through the ASCII sequence, incrementing by one each time, ignoring characters like line-feed, just letters, numbers and punctuation, adding a new character at the end of the string each time it completes a cycle. Thus, a 6-digit password would be approximately 600-billion combinations (92 possible characters), and 8 would be just over 5 quadrillion combinations.
Now, assume a botnet with 10,000 computers in it, most with 2 core Intel CPUs (these days), with an average computing power available to the botnet of (arbitrarily chosen) 1-million computations per second. 5-quadrillion combinations divided by 20-billion/second = 250 seconds. Better have more than 8 characters in your password! 10 makes it 2-million seconds to brute force, which is just about 588 hours, or 24 1/2 days. 12 digit password makes it about 207-thousand days, which is centuries, so they'll need a much bigger botnet for that. (11 digit is 2,254 days approx.)
So, 10 digits isn't enough to block a reasonably sized botnet attack in under 30 days (the shortest usual password expiration interval). 10,000 computers is a pretty usual size for a botnet these days. Some include hundreds of thousands. None that I've read about have hit the million-PC mark, yet.
Now, imagine this scenario: fifteen years from now, a 10-million-PC botnet with (usual doubling rules) 1024 times as much processing power as modern PCs attacks your password that you never change. The brute-force attack would succeed in days rather than months, even on a 12-digit password, except for the minor detail that the account locks out after 3 attempts. So, a microscopic fraction of a second passes, and the account gets locked out. Make it a 100-million-PC botnet, and it's just a smaller fraction of a second before lockout.
Even with just a six character password and a six character username, the odds of hitting a valid combination of the two within three tries approaches zero. Doesn't matter how much computing power you throw at it, if it only allows three tries.
So, frequent password expiration is obsolete and is merely the attempt to feel more secure without the actuality.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
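The brute-force arithmetic and the three-strikes lockout scenario from the post above, worked through as an added example (editor's code, not Gus's). It takes the post's own parameters as inputs: a 92-character alphabet, a botnet rate of 20 billion guesses per second, a 30-day expiry interval and lockout after 3 failed attempts. The concrete alphabet used to generate guesses in the post's order ("" first, then every 1-character string, then every 2-character string, and so on) is assumed to be Python's `string.ascii_letters + string.digits + string.punctuation` (94 characters; the post rounds this to 92), and `LockedOutAccount`, `candidates` and `online_bruteforce` are names chosen here, not anything from the thread. The sample passwords are constructed for the demonstration.

```python
import itertools
import string

# Assumed concrete form of the post's "letters, numbers and punctuation" alphabet:
# 52 letters + 10 digits + 32 punctuation marks = 94 characters (no whitespace/control).
# The post rounds the alphabet to 92, so the arithmetic functions default to 92.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
POST_ALPHABET_SIZE = 92
SECONDS_PER_DAY = 86_400


def keyspace(length, alphabet_size=POST_ALPHABET_SIZE):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet_size=POST_ALPHABET_SIZE):
    """Worst-case time for an attacker who can test `guesses_per_second` candidates
    (offline, or online against a login with no lockout) to try every password of
    this length; the expected time to a hit on a random password is half of this."""
    return keyspace(length, alphabet_size) / guesses_per_second


def outlives_expiry(length, guesses_per_second, expiry_days, alphabet_size=POST_ALPHABET_SIZE):
    """The post's criterion for expiry being useful: does exhausting the keyspace take
    longer than the rotation interval, so the password changes before the search ends?"""
    return seconds_to_exhaust(length, guesses_per_second, alphabet_size) > expiry_days * SECONDS_PER_DAY


def lockout_success_probability(length, max_failures=3, alphabet_size=POST_ALPHABET_SIZE):
    """Chance of hitting a uniformly random password of this length when the login
    allows only `max_failures` guesses before locking: k distinct guesses out of N."""
    return min(1.0, max_failures / keyspace(length, alphabet_size))


class LockedOutAccount:
    """Minimal login endpoint with an N-strikes lockout, the rule the post relies on."""

    def __init__(self, password, max_failures=3):
        self._password = password
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, guess):
        if self.locked:
            raise PermissionError("account locked")
        if guess == self._password:  # a real service would use hmac.compare_digest
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def candidates(alphabet=ALPHABET, max_length=8):
    """Guess order the post describes: "" first, then every 1-character string, then
    every 2-character string, and so on (lexicographic in `alphabet` within a length)."""
    for length in range(max_length + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def online_bruteforce(account, max_length=8):
    """Drive the post's brute-force sequence against a lockout-protected login.
    Returns (password_found_or_None, number_of_guesses_the_login_actually_accepted)."""
    attempts = 0
    for guess in candidates(max_length=max_length):
        try:
            ok = account.login(guess)
        except PermissionError:  # lockout tripped: no amount of botnet power helps now
            break
        attempts += 1
        if ok:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    RATE = 20e9  # the post's botnet figure: 20 billion guesses per second
    print(f"{'len':>3} {'keyspace':>22} {'exhaust @20G/s':>16} {'outlives 30d?':>14} {'P(hit in 3)':>12}")
    for n in range(6, 13):
        print(f"{n:>3} {keyspace(n):>22,} {seconds_to_exhaust(n, RATE) / SECONDS_PER_DAY:>14.3f} d "
              f"{str(outlives_expiry(n, RATE, 30)):>14} {lockout_success_probability(n):>12.2e}")
    # Same search, online, against an account that locks after 3 failures (constructed password):
    print(online_bruteforce(LockedOutAccount("correct horse", max_failures=3)))  # (None, 3)
    # ...and with the lockout effectively disabled, a 2-character password falls on guess 97:
    print(online_bruteforce(LockedOutAccount("ab", max_failures=10**9), max_length=2))  # ('ab', 97)
```

Running it prints, for each length from 6 to 12, the keyspace, the days needed to exhaust it at the post's rate, whether that exceeds a 30-day rotation, and the probability of a hit within the three guesses a lockout allows; the two `online_bruteforce` calls show the same guess sequence stopping after 3 accepted attempts once lockout is on, and succeeding only when it is off.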