
Password Longevity

The age of a password is critical to its security: it can also be seen as the time an attacker is given to successfully crack the password. What does "security of the password" mean? A password is considered secure if the probability of it being cracked is minimal. This is determined by a few factors:

  • Strength of the password / Strength Testing.
  • Password longevity.
  • Users per Password.
  • Design and implementation of the function or algorithm.

The appropriate age of a password varies from case to case, based on the:

  • Sensitivity of the system/data.
  • Corporate policy.
  • Perimeter security.
  • Strength of the implementation.

An attacker who brute-forces a password has only until the password's next change to succeed. This means that the password longevity should be set so that it gives the attacker limited opportunity to crack the password, but at the same time changes should not be so frequent that users forget their own passwords. This is exactly why password longevity is as important as password strength [length, character usage, etc.] and is included in the corporate password change policy for enterprise users.

Password longevity can vary between 30 days and 3 months, and differs from one organization to another. It may depend on the nature of the organization, the server that maintains the accounts, the nature of the perimeter security, and various other factors. One might wonder whether their enterprise considered all the factors listed above before writing the password policy [fixing the password longevity], and this is exactly why we wanted a section on password longevity and corporate password policy in general in Password Analytics.

There are many factors that can be used to calculate password longevity as described above. They include [but are not limited to]:

  • Time taken to crack a password.
    • Time taken to perform all possible combinations of a given length.
    • Time taken to break the password of combinational characters.
  • Time taken for a user to remember their password.
  • Time taken for a user to forget their password (if consistently changed).
  • Time taken to break at the structural level.
    • Time taken to break the implementation.
    • Time taken to break the function.
    • Time taken to break the algorithm.
  • And many other possible components.
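As an added worked example (not code from the original page), the following Python ties the first factor above, the time taken to try all combinations of a given length, to the rotation interval: it estimates how much of the keyspace an attacker guessing at an assumed offline rate could cover before the password is changed, and the minimum length a policy needs for a chosen longevity. The guess rate, character-set sizes and the acceptable-fraction threshold are assumed planning figures, not values from the page.

```python
import math

# Assumed offline guessing rate (guesses per second) against a fast, unsalted
# hash. A constructed planning figure; real rates depend on the hash function
# and the attacker's hardware.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_DAY = 86_400


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters
    drawn from a character set of `charset_size` symbols."""
    return charset_size ** length


def days_to_exhaust(charset_size: int, length: int,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Days needed to try every combination of the given length at `rate`."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_DAY


def fraction_searched(charset_size: int, length: int, longevity_days: int,
                      rate: float = GUESSES_PER_SECOND) -> float:
    """Share of the keyspace an attacker can cover before the password is
    rotated. For a uniformly random password this is also the attacker's
    success probability within the password's lifetime (capped at 1.0)."""
    guesses = rate * longevity_days * SECONDS_PER_DAY
    return min(1.0, guesses / keyspace(charset_size, length))


def min_length_for_policy(charset_size: int, longevity_days: int,
                          max_fraction: float = 1e-6,
                          rate: float = GUESSES_PER_SECOND) -> int:
    """Smallest length whose keyspace keeps the searched fraction at or
    below `max_fraction` over the whole longevity window. Integer loop
    rather than a float logarithm to avoid off-by-one at exact powers."""
    guesses = rate * longevity_days * SECONDS_PER_DAY
    needed = guesses / max_fraction
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


if __name__ == "__main__":
    # 95 = printable ASCII, 62 = alphanumeric only (assumed set sizes).
    print(f"8-char printable: exhausted in {days_to_exhaust(95, 8):.1f} days")
    print(f"12-char printable, 90-day policy: "
          f"{fraction_searched(95, 12, 90):.2e} of keyspace covered")
    print(f"Min length for 90-day policy: printable={min_length_for_policy(95, 90)}, "
          f"alphanumeric={min_length_for_policy(62, 90)}")
```

The point the numbers make is that a rotation interval of 30 to 90 days only limits the attacker when the keyspace cannot be exhausted within that window; otherwise longevity and length must be tuned together.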

The age of a password is neither simple guesswork nor a myth. There are articles that discuss entropy and advanced computations of password age, which is a long-term research topic. Corporate policy and enterprise password authentication system implementations should take all these factors into consideration before fixing a password longevity.
