In application security, should users be required to change passwords on a schedule?
I do not require passwords to be changed on a schedule in my application for a simple reason: it makes remembering passwords harder and is thus more likely to lead people to write them down somewhere or otherwise use an unsafe memory aid.
What arguments are there to the contrary? Why would forcing someone to change a password that no one else knows make it more secure?
Note: since this is open to opinion and debate, I'm marking it as a community wiki. It is, however, centrally a technology concern so I think it reasonable to post here.
How do you know no one else knows it? The risk is not so much when you realise someone else knows your password; it's when you assume no one else knows it, but they do.
The principle is that it limits the exposure period if a password is compromised.
If that compromised password can float around for ever, then the system is compromised for ever.
By forcing password changes every 30/90 days, to a password that hasn't been used before, you are ensuring that if a password is compromised, it will be secure again no later than that period.
That being said - I hate it when I have to change my password after 30 days, and even when it was increased to 90 days still hated it.
If it takes my password-guessing program 90 days to figure out one of your passwords, you probably want to make sure that your users change them at least once every 90 days.
To tighten the security of your system there should be a couple of other settings. For example, how strong a password should be (alphanumeric, both cases, special symbols), or that the new password should not be identical to any of the previous 2 (3, 4, n) passwords.
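As an added example (not code from any of the answers above), here is how the rotation period described in the earlier answer and the history and complexity rules from this one can be enforced together in Python. The policy values (90 days, the last 5 passwords, 12 characters, PBKDF2-HMAC-SHA256 at 100,000 iterations), the in-memory account store and the helper names are all assumptions for illustration. The point the prose does not show is that a history rule forces you to keep the old hashes, so every stored record needs its own salt and the comparison must go through the same slow hash as a login check.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values for this example; tune them to your own risk assessment).
MAX_AGE = timedelta(days=90)    # a compromised password stays usable for at most this long
HISTORY_DEPTH = 5               # reject any of the last n passwords, the current one included
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 100_000     # deliberately slow hash; raise this in production

CHARACTER_CLASSES = [
    (r"[a-z]", "a lowercase letter"),
    (r"[A-Z]", "an uppercase letter"),
    (r"[0-9]", "a digit"),
    (r"[^A-Za-z0-9]", "a special symbol"),
]


@dataclass
class PasswordRecord:
    salt: bytes        # unique per record, so two equal passwords never share a digest
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    # Hypothetical in-memory store; newest first, so history[0] is the current password.
    history: list = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def password_matches(record: PasswordRecord, candidate: str) -> bool:
    # Re-derive with the record's own salt; constant-time compare avoids a timing side channel.
    return hmac.compare_digest(record.digest, hash_password(candidate, record.salt))


def is_expired(account: Account, now: datetime) -> bool:
    """True once the current password is older than MAX_AGE, i.e. a rotation must be forced."""
    return now - account.history[0].set_at > MAX_AGE


def complexity_problems(candidate: str) -> list:
    """Return the list of policy violations; empty means the candidate is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    for pattern, description in CHARACTER_CLASSES:
        if not re.search(pattern, candidate):
            problems.append(f"must contain {description}")
    return problems


def reused_recently(account: Account, candidate: str) -> bool:
    # Each comparison costs one slow hash, so the history depth bounds the cost of a change.
    return any(password_matches(r, candidate) for r in account.history[:HISTORY_DEPTH])


def change_password(account: Account, candidate: str, now: datetime) -> list:
    """Apply the policy; on success store the new record and return [], else return the problems."""
    problems = complexity_problems(candidate)
    if reused_recently(account, candidate):
        problems.append(f"must differ from the last {HISTORY_DEPTH} passwords")
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.insert(0, PasswordRecord(salt, hash_password(candidate, salt), now))
    del account.history[HISTORY_DEPTH:]    # keep only what the history rule needs
    return []


def new_account(initial_password: str, now: datetime) -> Account:
    account = Account()
    problems = change_password(account, initial_password, now)
    if problems:
        raise ValueError("; ".join(problems))
    return account


if __name__ == "__main__":
    # Constructed sample run: a first password, an attempted reuse, and the expiry check.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = new_account("Initial-Pass-2024!", t0)
    print(change_password(acct, "Initial-Pass-2024!", t0 + timedelta(days=30)))
    print(is_expired(acct, t0 + timedelta(days=91)))
```

Note that `is_expired` is a check to run at login time; the expiry clock restarts from `set_at` of the newest record, and a password that has fallen out of the last `HISTORY_DEPTH` records becomes reusable again, which is the weakness the "previous n passwords" rule leaves open.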
If you had the money, you could go for a two-factor solution such as RSA SecurID; then your weakness of long password life is mostly mitigated. If SecurID is too costly a solution, there is also YubiKey, which has several client libraries in various languages to assist in integrating it into your applications.
Though to answer your question directly, from a business point of view, the best reason to force users to periodically change passwords is to comply with any appropriate legislation, regulations, contractual obligations, etc., e.g. the PCI Data Security Standard for those involved with credit cards. The financial implications of not following their requirements can devastate a company.
The answer to your question depends on the sensitivity of the information your application contains. The more sensitive, the higher the security level you should provide.
Obviously, more security usually leads to a decrease in usability. You and your client need to balance the factors and then look for a technical solution.