Computer: Security: Password
Dynamic password expiration   (+2)  [vote for, against]
Base password expiration interval on un-obvious strength

I work in IT. I work with computer systems and understand how weak passwords can be easily compromised with dictionary or brute-force attacks. I also work with people and understand the frustrations of having to come up with strong passwords and having to remember them. Some people would rather be allowed to have weak passwords and change them often. Other people (such as myself) would rather come up with a ridiculously strong password and keep it for a longer amount of time.

Existing systems allow administrators to set password strength and expiration requirements, but I don't believe they allow the administrators to set these two criteria to be set simultaneously with dependence on each other. Proposed is a password policy system in which the expiration of a password is automatically and dynamically adjusted for each user's password strength. The expiration duration would be unknown to the users and to the administrators until the expiration drew near (since this would be a clue about the password).

The calculation would be based on the un-obviousness of the password as a prediction about how long a password cracker would take to break it, employing dictionaries and the like. Users with strong passwords would be rewarded with longer intervals. Users with weaker passwords would be punished with shorter intervals. (Bare minimum requirements would still be in effect.)

The strength-to-time ratio need not be linear. Assuming a proper encryption scheme is used, a user with a ridiculously strong password (such as an 8kB string of ASCII nonsense) would be as safe for the first few days of owning such a password as they would for the remainder of the first year of owning such a password, but they should still change it--perhaps every decade at a bare minimum-- because of human factors. It highly depends on the organization and environment. An account with a password as obvious as "password" could be compromised in a matter of seconds, but it could still be appropriate if used for short-term internal testing on a non-critical system. I believe this human element spoils the exactness of such a science.
-- kevinthenerd, Jul 19 2013

On a further note, calculating the strength of a given password might involve its un-obviousness when the PREVIOUS password is known. For example, squirrel!~3 is fairly secure, but when it's replaced with squirrel!~4 (and assuming sufficient decryption time has passed with squirrel!~3 in the open), it's not quite as secure. (HB didn't let me post as long of a password as I wanted, but you get the idea.)
-- kevinthenerd, Jul 19 2013


[+]Good idea. I’m IT too, an application programmer, and having written several authentication and encryption systems (and, less fun, answered a lot of auditors’ questions), can get away professionally with calling myself a “security expert”. While I’ve seen lots of “password strength advisor” features in password change dialogs, haven’t seen or heard of this idea before. It’s arguably user-friendlier than the typical pass/fail or red/yellow/green password strength check, because it incentivizes the user to enter a strong password in exchange for a longer time ‘til next required change.

The main negative I can see is that not all threats to authentication systems are from dictionary/brute force attacks on weak passwords, so can’t all be countered with stronger passwords. An account with an unbeknownst stolen strong, long expiration period password and lots of privileged authorization poses a worse intrusion than one with a shorter expiration period, simply because it’s a longer intrusion (one assumes it’s detected and ended when the stolen password expires or the intruder changes it, and its legit owner can’t log in anymore)..
-- CraigD, Jul 19 2013


What the password protects might be another datum to incorporate into the algorithm. The more valuable the data protected, the more likely you might need to change it more often than, say, the password to a discussion forum --related to how much data about you the forum collects, of course. It seems to me that some forums are rather more snoopy than others.
-- Vernon, Jul 19 2013



random, halfbakery