technion · June 11, 2025 12:07 · Oct 11, 2021 · Sep 4, 2019 · Nov 1, 2018 · Aug 29, 2018
diff --git a/Password References.md b/Password References.md
@@ -13,6 +13,10 @@ https://www.asd.gov.au/publications/protect/Passphrase_Requirements.pdf
 
 ASD encourages the use of longer passphrases without complexity ... ASD also encourages system owners to consider whether passphrases need to expire or not
 
+## Australian Government
+You shouldn’t change your passwords often, such as every month, as this leads to poor passwords
+https://www.servicesaustralia.gov.au/individuals/subjects/how-protect-against-scams/personal-information-security
+
 ## Microsoft Guidelines
 https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
 

diff --git a/Password References.md b/Password References.md
@@ -32,6 +32,11 @@ https://www.acsc.gov.au/publications/protect/passphrase-requirements.htm
 
 ACSC recommends they be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement
 
+## Government of Canada
+https://www.canada.ca/en/government/system/digital-government/password-guidance.html#toc3
+
+Favour length over complexity. Eliminate password expiry.
+
 ## UK National Cyber Security Centre
 https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
 
@@ -42,6 +47,11 @@ https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regula
 
 As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a personal data breach.
 
+## European Union Agency for Cybersecurity
+https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/authentication-methods
+
+Use long passwords. Do not force users to mix and match different types of character sets.
+
 ## US FTC
 https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
 

diff --git a/Password References.md b/Password References.md
@@ -35,7 +35,12 @@ ACSC recommends they be at least 13 alphabetic characters. A number of randomly
 ## UK National Cyber Security Centre
 https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
 
-The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords 
+The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords
+
+## UK Information Commissioner's Office
+https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/
+
+As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a personal data breach.
 
 ## US FTC
 https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

diff --git a/Password References.md b/Password References.md
@@ -27,6 +27,11 @@ https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-
 
 Stop frequently changing passwords, for example each month, as it leads to poor passwords being created
 
+## Australian Cyber Security Center
+https://www.acsc.gov.au/publications/protect/passphrase-requirements.htm
+
+ACSC recommends they be at least 13 alphabetic characters. A number of randomly chosen dictionary words would satisfy this requirement
+
 ## UK National Cyber Security Centre
 https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
 

diff --git a/Password References.md b/Password References.md
@@ -42,6 +42,10 @@ https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-t
 
 changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization
 
+https://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
+
+Passwords should be changed only when there is reason to believe a password has been compromised
+
 ## Gartner
 Best Practices for Managing Passwords: Policies Must Balance Risk, Compliance and Usability Needs
 

diff --git a/Password References.md b/Password References.md
@@ -47,7 +47,9 @@ Best Practices for Managing Passwords: Policies Must Balance Risk, Compliance an
 
 Password Aging Is Widely Advocated but Rarely Worthwhile
 
-Password Aging Can Burden an Already-Weak Authentication Method (title)
+Password Aging Can Burden an Already-Weak Authentication Method
+
+Password aging is commonly advocated as a necessary standard; however, it is difficult to identify cases in which it has improved the level of security or prevented an incident. In many cases, it can induce user behaviors that may actually create security risks.
 
 # Academic Research
 ## Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.

diff --git a/Password References.md b/Password References.md
@@ -47,6 +47,8 @@ Best Practices for Managing Passwords: Policies Must Balance Risk, Compliance an
 
 Password Aging Is Widely Advocated but Rarely Worthwhile
 
+Password Aging Can Burden an Already-Weak Authentication Method (title)
+
 # Academic Research
 ## Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.
 

diff --git a/Password References.md b/Password References.md
@@ -42,6 +42,11 @@ https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-t
 
 changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization
 
+## Gartner
+Best Practices for Managing Passwords: Policies Must Balance Risk, Compliance and Usability Needs
+
+Password Aging Is Widely Advocated but Rarely Worthwhile
+
 # Academic Research
 ## Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.
 

diff --git a/Password References.md b/Password References.md
@@ -18,6 +18,10 @@ https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Pa
 
 Password expiration policies do more harm than good
 
+https://support.office.com/en-us/article/Password-policy-recommendations-for-Office-365-9fa2539a-2211-41fd-85a0-bc37b9619ca4
+
+Password guidelines for administrators... Don't require mandatory periodic password resets for user accounts
+
 ## Australian Government
 https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords
 

diff --git a/Password References.md b/Password References.md
@@ -33,6 +33,11 @@ https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-pas
 
 While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.
 
+## SANS Institute
+https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die
+
+changing passwords every 90 days gives you the ILLUSION of stronger security while inflicting needless pain and cost to your organization
+
 # Academic Research
 ## Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.
 

diff --git a/Password References.md b/Password References.md
@@ -8,6 +8,11 @@ https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticat
 Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
 
 # Major organisations
+## Australian Signals Directorate
+https://www.asd.gov.au/publications/protect/Passphrase_Requirements.pdf
+
+ASD encourages the use of longer passphrases without complexity ... ASD also encourages system owners to consider whether passphrases need to expire or not
+
 ## Microsoft Guidelines
 https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
 

diff --git a/Password References.md b/Password References.md
@@ -7,7 +7,7 @@ https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticat
 
 Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
 
-# Major companies
+# Major organisations
 ## Microsoft Guidelines
 https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
 

diff --git a/Password References.md b/Password References.md
@@ -13,7 +13,7 @@ https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Pa
 
 Password expiration policies do more harm than good
 
-## Influential Organisations
+## Australian Government
 https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords
 
 Stop frequently changing passwords, for example each month, as it leads to poor passwords being created

diff --git a/Password References.md b/Password References.md
@@ -1,17 +1,19 @@
 # References on modern password policies
-Below links reference organisation, reference link and relevant quote
+Below links provide source, reference link and relevant quote
 
+# Standards
 ## NIST
 https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticators.md
 
 Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
 
+# Major companies
 ## Microsoft Guidelines
 https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
 
 Password expiration policies do more harm than good
 
-## Australian Government
+## Influential Organisations
 https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords
 
 Stop frequently changing passwords, for example each month, as it leads to poor passwords being created
@@ -26,4 +28,27 @@ https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-pas
 
 While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.
 
+# Academic Research
+## Sonia Chiasson and P. C. Oorschot. 2015. Quantifying the security advantage of password expiration policies. Des. Codes Cryptography 77, 2-3 (December 2015), 401-408.
+
+http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
+
+In sum ... the burden appears to shift to those who continue to support password aging policies, to explain why
+
+## Yinqian Zhang, Fabian Monrose, and Michael K Reiter. The security of modern password expiration: An algorithmic framework and empirical analysis. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), 2010
+
+Using this framework, we confirm previous conjectures that the effectiveness of expiration inmeeting its intended goal is weak
+
+# Security Experts
+## Bill Burr - original designer of password rotation policies
+
+https://www.engadget.com/2017/08/08/nist-new-password-guidelines/
+
+Much of what I did I now regret
+
+## Troy Hunt
+
+https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
+
+forcibly rotating passwords is a modern-day security anti-pattern
 
diff --git a/Password References.md b/Password References.md
@@ -0,0 +1,29 @@
+# References on modern password policies
+Below links reference organisation, reference link and relevant quote
+
+## NIST
+https://github.com/usnistgov/800-63-3/blob/nist-pages/sp800-63b/sec5_authenticators.md
+
+Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
+
+## Microsoft Guidelines
+https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
+
+Password expiration policies do more harm than good
+
+## Australian Government
+https://www.staysmartonline.gov.au/alert-service/new-guidelines-creating-strong-passwords
+
+Stop frequently changing passwords, for example each month, as it leads to poor passwords being created
+
+## UK National Cyber Security Centre
+https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
+
+The NCSC now recommend organisations do not force regular password expiry. We believe this reduces the vulnerabilities associated with regularly expiring passwords 
+
+## US FTC
+https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
+
+While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive.
+
+