What password expiration policies deliver aside from user frustration - DLS Talk by Paul Van Oorschot, Carleton University

Location: ICCS X836

Speaker: Dr. Paul C. Van Oorschot, Professor of Computer Science, Carleton University

Host: Bill Aiello, UBC Computer Science

Abstract: Many enterprise security policies enforce "password aging", i.e., they require users to change their passwords at fixed intervals, such as every 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified even less. We provide a detailed analysis pursuing the question "What security advantage is delivered by password expiration policies?". We find that the emperor needs new clothes.

Bio: Paul C. Van Oorschot is a Professor of Computer Science at Carleton University in Ottawa, where he is Canada Research Chair in Authentication and Computer Security. He is a Fellow of the Royal Society of Canada (FRSC), Canada's national academy. He was Program Chair of USENIX Security 2008, Program co-Chair of NDSS 2001 and 2002, and co-author of the Handbook of Applied Cryptography (2001), and he serves on the editorial boards of IEEE TDSC and IEEE TIFS, and previously of ACM TISSEC. He has served as Scientific Director of NSERC ISSNet, a pan-Canadian strategic research network exploring computer and Internet security. His current research interests include authentication and identity management, security and usability, smartphone security, software security, and computer and Internet security in general.

Homepage: http://people.scs.carleton.ca/~paulv/