How Forced Password Expiration Affects Password Choice
Talk Abstract: Password expiration is an easy audit check box to tick off since we know user passwords come under constant attack in a variety of ways. Whether we choose 90 days, 6 months, or some other standard we tend to agree that passwords shouldn't last forever. However, users don't always share our commitment to security and may react to forced changes by making their new password a variation of their old one. Some professionals have questioned whether the associated stress and productivity impacts are worth continuing the practice. In this talk we'll compare the actual passwords of corporate users, some subjected to scheduled password expiration and some not. The goal is to provide quantifiable data to help you determine whether password expiration makes sense for your organization.
This page was created as a reference to my PasswordsCon 14 talk, How Forced Password Expiration Affects Password Choice. Here is a link to my presentation slides (PDF). And here's the video of my talk: