
The real problem? People introduce password expiration to improve security, but the means of producing a new unexpired password after being locked out is less secure than the password itself, creating a net loss in security.


How did this idea of expiring passwords arise in the first place? Misguided intuition or did the infosec people back then just get it wrong?


I don't know the origin story, but the (U.S.) National Institute of Standards and Technology (NIST) recommending password expirations from 2003 until 2016 played a part in propagating them. But I think that recommendation was largely based on what was already fairly common; I think Microsoft Windows and Active Directory accounts expired by default well before 2003 (at least Windows NT and its successors).


It's existed in some form since at least the 1990s, likely through institutional or government practice.

A (possible) example from a 1997 Sybase manual: https://books.google.com/books?id=GzGuPO5fKOEC&q="password+e...

I just checked Simpson & Garfinkel's PUIS, which does mention forced changes, but not scheduled expiry. Also 1997.

(Google Book Search is badly polluted by mis-dated publications: http://www.google.com/search?q="password+expiration"&lr=lang... )

Ngram plot: https://books.google.com/ngrams/graph?content=password+expir...


The man's name is Simson Garfinkel — no "p" and no "&". (Your brain is probably confusing him with Simon & Garfunkel.)


Spafford and Garfinkel was what I'd meant to write.

Unreliable tablet input compounding even less reliable short-term working memory.

http://shop.oreilly.com/product/9781565921481.do



