A truly great question came up the other day: "... change passwords every 90 days? What is the threat scenario countered by that policy?"
Of course a strong password policy means constantly changing passwords. Right?
I started to think about it. What -- actually -- does a password
change protect you against?
The answer, it appears, is nothing. Changing passwords is largely a waste of time and money. A forced change does cut off further use of a credential that has already been stolen, but the abuse is generally not ongoing through the original password anyway. Once into a system, the attacker's first move is to create an additional privileged account that belongs to no real user; all the password changes in the world have no
This post is spot-on: "Password rules: Change them every 25 years." In short, there is no threat that is actually countered by changing passwords. However, it is on everyone's checklist.
The comments on that post are helpful too. Most commenters agree that password changes have no real impact on security, except that a forced change gives security managers a chance to tighten the composition rules and make everyone pick a password that meets the new rules.
One comment that is interesting:
"You've made two assumptions: 1) all password thieves will give up after a few tries in the case of a brute-force attack, and 2) all thieves will give up after a few tries in the case of a dictionary attack."
This misses the point entirely. Those two assumptions are not overlooked by this post; they are not part of it at all. None of the argument depends on password thieves giving up. Changing the password does not materially affect a thief's ability to obtain one: phishing and key logging work no matter how often the password is changed, because they capture whatever the current password happens to be.
An online dictionary attack against the login prompt is defeated by disabling the account after a few failures (or throttling it, since a hard lockout also hands an attacker an easy way to lock the real user out); the attacker never gets enough guesses to matter. How often the password is changed is of no relevance at all.
Using a rainbow table to recover a password from a stolen hash is defeated by hashing with a long, per-user random salt: the attacker would need a separate precomputed table for every salt. (A salt stops precomputation, not a straight offline guessing run; that is what a slow, iterated hash is for.) Changing passwords every 90 days has nothing to do with this, either.
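Both defences above, lockout against online dictionary attacks and per-user salts against rainbow tables, as an added Python example that is not part of the original post. The `AccountStore` class, `hash_password`, `online_dictionary_attack`, `rainbow_table_lookup`, the PBKDF2 work factor, the lockout thresholds and the wordlist are all assumptions constructed for illustration. Note that nothing in it depends on when the password was last changed.

```python
import hashlib
import hmac
import os
import time

# Illustrative policy values (assumptions for this example, not from the post).
PBKDF2_ITERATIONS = 100_000   # work factor for the slow, salted hash
MAX_FAILURES = 5              # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60     # how long the lock lasts

# Constructed stand-in for an attacker's wordlist; the real password is last.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon",
            "correct horse", "summer2014"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. The same password hashes differently under each salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class AccountStore:
    """Minimal credential store: per-user random salt plus failure-count lockout."""

    def __init__(self):
        self.accounts = {}

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt for every account
        self.accounts[username] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def authenticate(self, username: str, password: str, now=None) -> str:
        """Returns 'ok', 'invalid' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # spend the same time on unknown users
            return "invalid"
        if now < acct["locked_until"]:
            return "locked"  # refused even if the password is right
        if hmac.compare_digest(hash_password(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return "invalid"


def online_dictionary_attack(store, username, wordlist, now=0.0):
    """Guess each word at the login endpoint. Returns (password_found, guesses_made)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        result = store.authenticate(username, word, now=now)
        if result == "ok":
            return word, guesses
        if result == "locked":
            return None, guesses  # lockout ends the run; the rotation schedule never mattered
    return None, guesses


def rainbow_table_lookup(store, username, wordlist):
    """Precomputed table built under one fixed salt (what a rainbow table amounts to).
    Per-user salts mean the victim's stored hash is not in it."""
    attacker_salt = b"\x00" * 16
    table = {hash_password(w, attacker_salt): w for w in wordlist}
    return table.get(store.accounts[username]["hash"])


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "summer2014")
    store.create("bob", "summer2014")  # same password, different salt -> different hash
    print("same hash?", store.accounts["alice"]["hash"] == store.accounts["bob"]["hash"])
    print("dictionary attack:", online_dictionary_attack(store, "alice", WORDLIST))
    print("rainbow lookup:", rainbow_table_lookup(store, "alice", WORDLIST))
    print("alice after lockout expiry:",
          store.authenticate("alice", "summer2014", now=LOCKOUT_SECONDS + 1))
```

The attacker's run stops after `MAX_FAILURES` guesses because the sixth attempt comes back "locked" rather than "invalid", and the table keyed under the attacker's salt never contains the victim's hash. Rotating the password every 90 days would change neither outcome.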