Created
May 3, 2019 09:46
m33x created this gist on May 3, 2019
# Some Standards Bodies (as of May 2019)

### Pro Password Expiration

- PCI DSS (Visa, Mastercard), BSI (DE)

### Contra Password Expiration

- Academia, NIST (USA), NCSC (UK)

# Some recent research and comments on the negative consequences of enforcing password expiration

- 2010 - Where Do Security Policies Come From? https://cups.cs.cmu.edu/soups/2010/proceedings/a10_florencio.pdf
- 2010 - The True Cost of Unusable Password Policies: Password Use in the Wild https://www.cl.cam.ac.uk/~rja14/shb10/angela2.pdf
- 2010 - The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis http://cs.unc.edu/~fabian/papers/PasswordExpire.pdf
- 2014 - United States Federal Employees’ Password Management Behaviors – A Department of Commerce Case Study https://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7991.pdf
- 2015 - Quantifying the Security Advantage of Password Expiration Policies http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
- 2015 - Why we hate IT: Two surveys on pre‐generated and expiring passwords in an academic setting https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.1184
- 2016 - The Problems with Forcing Regular Password Expiry https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry
- 2016 - Time to rethink mandatory password changes https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
- 2016 - Revisiting Password Rules: Facilitating Human Management of Passwords http://people.scs.carleton.ca/~paulv/papers/eCrime2016pwdrules.pdf
- 2018 - User Behaviors and Attitudes Under Password Expiration Policies https://www.usenix.org/system/files/conference/soups2018/soups2018-habib-password.pdf

# Some related sources showing that users will change their passwords in very predictable ways

- 2014 - The Tangled Web of Password Reuse http://www.jbonneau.com/doc/DBCBW14-NDSS-tangled_web.pdf
- 2016 - Targeted Online Password Guessing: An Underestimated Threat http://wangdingg.weebly.com/uploads/2/0/3/6/20366987/ccs16_final_v12.pdf
- 2016 - Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-wash.pdf
- 2018 - “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications https://www.mobsec.ruhr-uni-bochum.de/media/mobsec/veroeffentlichungen/2018/09/10/ccsf266-finalv1.pdf
- 2018 - Abusing Password Reuse at Scale: Bcrypt and Beyond https://www.youtube.com/watch?v=5su3_Py8iMQ
- 2018 - Shadow Attacks Based on Password Reuses: A Quantitative Empirical Analysis http://faculty.cs.tamu.edu/guofei/paper/PasswordReuse-TDSC.pdf
- 2019 - Beyond Credential Stuffing: Password Similarity Models using Neural Networks https://www.cs.cornell.edu/~rahul/papers/ppsm.pdf