Skip to main content

The security of modern password expiration: An algorithmic framework and empirical analysis

Publication ,  Conference
Zhang, Y; Monrose, F; Reiter, MK
Published in: Proceedings of the ACM Conference on Computer and Communications Security
December 16, 2010

This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we assess the extent to which passwords that users choose to replace expired ones pose an obstacle to the attacker's continued access. We develop a framework by which an attacker can search for a user's new password from an old one, and design an efficient algorithm to build an approximately optimal search strategy. We then use this strategy to measure the difficulty of breaking newly chosen passwords from old ones. We believe our study calls into question the merit of continuing the practice of password expiration. Copyright 2010 ACM.

Duke Scholars

Altmetric Attention Stats
Dimensions Citation Stats

Published In

Proceedings of the ACM Conference on Computer and Communications Security

DOI

ISSN

1543-7221

Publication Date

December 16, 2010

Start / End Page

176 / 186
 

Citation

APA
Chicago
ICMJE
MLA
NLM
Zhang, Y., Monrose, F., & Reiter, M. K. (2010). The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the ACM Conference on Computer and Communications Security (pp. 176–186). https://doi.org/10.1145/1866307.1866328
Zhang, Y., F. Monrose, and M. K. Reiter. “The security of modern password expiration: An algorithmic framework and empirical analysis.” In Proceedings of the ACM Conference on Computer and Communications Security, 176–86, 2010. https://doi.org/10.1145/1866307.1866328.
Zhang Y, Monrose F, Reiter MK. The security of modern password expiration: An algorithmic framework and empirical analysis. In: Proceedings of the ACM Conference on Computer and Communications Security. 2010. p. 176–86.
Zhang, Y., et al. “The security of modern password expiration: An algorithmic framework and empirical analysis.” Proceedings of the ACM Conference on Computer and Communications Security, 2010, pp. 176–86. Scopus, doi:10.1145/1866307.1866328.
Zhang Y, Monrose F, Reiter MK. The security of modern password expiration: An algorithmic framework and empirical analysis. Proceedings of the ACM Conference on Computer and Communications Security. 2010. p. 176–186.

Published In

Proceedings of the ACM Conference on Computer and Communications Security

DOI

ISSN

1543-7221

Publication Date

December 16, 2010

Start / End Page

176 / 186