Ask HN: Do password reset policies really prevent security issues?

3 points by beams_of_light ↗ HN
Per the title, I'm curious if the security-minded folks amongst us feel that forced password resets (particularly on Windows hosts) make a real difference. I understand it's not a philosophy that will change, as it's the stuff of baseline security, but am curious as to whether or not its value is perceived as high.

2 comments

[ 2.5 ms ] story [ 16.6 ms ] thread
There was a widely-circulated study a few years ago that showed that those policies result in lower security.

The advantage of a forced reset is this: if your password has been stolen but not yet used, then you're locking the thief out.

The disadvantage is this: the greater password strength that is required and the more times someone has to come up with a new password, the more often they'll take shortcuts. Those shortcuts result in easier brute-force or heuristic attacks.

So if you look at the advantage, it's very small and potentially non-existent. It's rare to steal a password from a high-value target and then sit on it, especially for as long as a few months.

Looking at the disadvantage, it's actually very high, and it makes it easier to steal passwords in the first place.

I figured that might be the case. Would it help to have password reset policies in the time frames of years, I wonder? A stolen password might be used inconspicuously for some time. I'd prefer two-factor became more ubiquitous.