from Wikipedia
"Password aging" is a feature of some operating systems which forces users to change passwords frequently (e.g., quarterly, monthly or even more often).
Such policies usually provoke user protest and foot-dragging at best and hostility at worst.
There is often an increase in the number of people who write the password down and leave it where it can easily be found, as well as in helpdesk calls to reset a forgotten password.
Users may use simpler passwords or develop variation patterns on a consistent theme to keep their passwords memorable.
Because of these issues, there is some debate as to whether password aging is effective.
The intended benefit is mainly that a stolen password will be made ineffective if it is reset; however, in many cases, particularly with administrative or "root" accounts, once an attacker has gained access, he can make alterations to the operating system that will allow him future access even after the initial password he used expires (see rootkit).
The other, less frequently cited and possibly more valid, reason is that, in the event of a long brute-force attack, the password will be invalid by the time it has been cracked.
Specifically, in an environment where it is considered important to know the probability of a fraudulent login in order to accept the risk, one can ensure that the total number of possible passwords multiplied by the time taken to try each one (assuming the greatest conceivable computing resources) is much greater than the password lifetime.
However, there is no documented evidence that the policy of requiring periodic changes in passwords increases system security.
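The comparison between keyspace, guess rate and password lifetime described above can be worked through as follows. This is an added example, not part of the original article; the function names, the 26-letter alphabet, the 1000 guesses per second and the accepted risk are constructed assumptions. It assumes passwords are chosen uniformly at random, so for the simpler or patterned passwords the text mentions, the real risk is higher than the figure it reports.

```python
SECONDS_PER_DAY = 86_400


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Total number of possible passwords across all permitted lengths."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def exhaustion_days(space: int, guesses_per_second: float) -> float:
    """Days needed to try every password at the assumed guess rate."""
    return space / guesses_per_second / SECONDS_PER_DAY


def crack_probability(space: int, guesses_per_second: float,
                      lifetime_days: float) -> float:
    """Fraction of the keyspace an attacker covers before the password expires.

    For a uniformly random password this is the chance of a fraudulent login
    from a brute-force search that runs for the whole password lifetime.
    """
    tried = guesses_per_second * lifetime_days * SECONDS_PER_DAY
    return min(1.0, tried / space)


def min_length_for_risk(alphabet_size: int, guesses_per_second: float,
                        lifetime_days: float, accepted_risk: float) -> int:
    """Smallest fixed length that keeps crack_probability <= accepted_risk."""
    needed = guesses_per_second * lifetime_days * SECONDS_PER_DAY / accepted_risk
    length = 1
    while alphabet_size ** length < needed:
        length += 1
    return length


if __name__ == "__main__":
    # Constructed policy: 8 lowercase letters, 1000 guesses/s, 90-day lifetime.
    space = keyspace(26, 8, 8)
    print(f"keyspace:          {space:,}")
    print(f"full search takes: {exhaustion_days(space, 1000):.0f} days")
    print(f"risk in 90 days:   {crack_probability(space, 1000, 90):.2%}")
    # Effect of the lifetime on the length needed for a 1-in-a-million risk.
    for days in (90, 30):
        n = min_length_for_risk(26, 1000, days, 1e-6)
        print(f"lifetime {days:>2} days -> minimum length {n}")
```

Under these assumptions, shortening the lifetime from 90 to 30 days lowers the required length by only one character, which puts a number on how little the expiry interval contributes compared with password length.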
