This document discusses password lifespans and alternatives to regular password expiration policies. It describes how UCL previously required passwords to change every 150 days, which resulted in complex, difficult-to-remember passwords and many help desk calls. The document proposes making password lifespans a learning opportunity, allowing longer passwords to have longer lifespans. It details how UCL implemented this by showing users the lifespan of a password at the moment they set it. The outcome was very positive, with no increase in password reset calls despite the addition of new user accounts.
5. CESG advice in 2015
https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
• “Regular password expiry is a common requirement... we explicitly advised against it”
• “We want administrators to think about alternative, more effective system defences they might implement”
6. What about the small print?
https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach
“...stolen passwords are generally exploited immediately. Long-term illicit use of compromised passwords is better combated by:
• monitoring logins to detect unusual use
• notifying users with details of attempted logins, successful or unsuccessful; they should report any for which they were not responsible”
SciHub?
7. Password risks
• Your computer is hacked and all of your passwords stolen
• Your account for a site is hacked by guessing your password
• The organisation you’re signing in to gets hacked, exposing everyone’s passwords
8. UCL in 2012
• An old in-house “single sign-on” system
• Many central directories
• Many departments using them
• Complex, hard to manage, hard to secure
9. The user experience
• Password must be 8 characters long
• Must contain upper case, lower case, numbers, some symbols...
• Must change it every 150 days
• If forgotten, must call or visit IT
11. An opportunity!
• Find a commercial package to meet our needs
  • Didn’t meet our requirements for interoperability
• Rewrite our system from the ground up:
  • Improve security
  • Longer passwords allowed
  • Reset via text message
  • What about lifespan?
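The slides state the principle (longer passwords earn longer lifespans, and the lifespan is shown to the user when the password is set) but not the actual tiers UCL chose. The following is an added example, not UCL's code: the old fixed-150-day policy from slide 9 and an assumed length-tiered replacement are expressed as data and evaluated by the same function, so the feedback shown at password-set time can be compared. The tier values, and the relaxation of the character-class rule in the new policy, are assumptions made for illustration.

```python
"""Length-dependent password lifespan (added example; tiers are assumed, not UCL's)."""
from datetime import date, timedelta

# Old policy as described on slide 9: 8 characters, all character classes,
# and the same 150-day expiry for every password.
OLD_POLICY = {"min_length": 8, "tiers": [(8, 150)], "require_classes": True}

# Assumed new policy: lifespan grows with length. Each tier is
# (minimum length, lifespan in days); the highest matching tier wins.
# The numbers here are illustrative assumptions, not UCL's actual settings.
NEW_POLICY = {
    "min_length": 8,
    "tiers": [(8, 150), (12, 365), (16, 730)],
    "require_classes": False,
}


def has_all_classes(pw):
    """True if pw contains upper case, lower case, a digit and a symbol."""
    return (
        any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def lifespan_days(pw, policy):
    """Return the lifespan in days under `policy`, or None if pw is rejected."""
    if len(pw) < policy["min_length"]:
        return None
    if policy["require_classes"] and not has_all_classes(pw):
        return None
    days = None
    for min_len, tier_days in policy["tiers"]:
        if len(pw) >= min_len:
            days = tier_days  # tiers are ascending, so the last match is the best
    return days


def set_password_message(pw, policy, set_on):
    """The feedback shown at the moment the password is set."""
    days = lifespan_days(pw, policy)
    if days is None:
        return "Password rejected: it does not meet the minimum requirements."
    expires = set_on + timedelta(days=days)
    return (
        f"Your password is {len(pw)} characters long and will expire on "
        f"{expires.isoformat()} ({days} days from today)."
    )


if __name__ == "__main__":
    today = date(2015, 3, 2)  # constructed date for the demonstration
    for candidate in ("Tr0ub4d&r", "correcthorsebatterystaple"):
        print("old:", set_password_message(candidate, OLD_POLICY, today))
        print("new:", set_password_message(candidate, NEW_POLICY, today))
```

Making the policy a data structure rather than hard-coded logic is deliberate: the lifespan tiers can be tuned (or the old policy reinstated for comparison) without touching the validation code, and the message a user sees is generated from the same numbers the expiry job will enforce.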
12. Alternatives to lifespan
• Block repeat logins
  • Susceptible to misuse
• Alert on unusual behaviour
  • Define “unusual”...
• Notify user of all logins, require them to raise the alarm
  • How realistic?
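The NCSC small print quoted on slide 6 and the alternatives listed on slide 12 both come down to two mechanisms: detect unusual logins, and tell users about every attempt so they can report the ones that were not theirs. The block below is an added example (not UCL's system) of both mechanisms run over a constructed set of login records. It assumes a record is a dict with `user`, `ts` (ISO 8601), `ip` and `success`, and it answers the slide's “define unusual...” question with two concrete, deliberately narrow definitions: a successful login from a /24 the user has never succeeded from before, or a success that follows three or more failures within ten minutes.

```python
"""Login monitoring and per-attempt user notification (added example)."""
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample events, not real log data. Two users; alice's last
# four records show a burst of failures from an unfamiliar address
# followed by a success, which is the pattern the detector should flag.
EVENTS = [
    {"user": "alice", "ts": "2015-03-02T09:00:00", "ip": "128.40.1.10", "success": True},
    {"user": "alice", "ts": "2015-03-02T17:30:00", "ip": "128.40.1.11", "success": True},
    {"user": "alice", "ts": "2015-03-03T02:10:00", "ip": "203.0.113.5", "success": False},
    {"user": "alice", "ts": "2015-03-03T02:11:00", "ip": "203.0.113.5", "success": False},
    {"user": "alice", "ts": "2015-03-03T02:12:00", "ip": "203.0.113.5", "success": False},
    {"user": "alice", "ts": "2015-03-03T02:13:00", "ip": "203.0.113.5", "success": True},
    {"user": "bob", "ts": "2015-03-02T10:00:00", "ip": "128.40.2.7", "success": True},
    {"user": "bob", "ts": "2015-03-03T10:05:00", "ip": "128.40.2.9", "success": True},
]

FAILURE_WINDOW = timedelta(minutes=10)  # assumed tuning values
FAILURE_THRESHOLD = 3


def network_of(ip):
    """Collapse an address to its /24 so a DHCP lease change alone is not 'unusual'."""
    return str(ip_network(f"{ip}/24", strict=False))


def detect_unusual(events):
    """Return (user, ts, reason) for each successful login that looks unusual."""
    alerts = []
    known = {}     # user -> set of /24s with a prior successful login
    failures = {}  # user -> timestamps of recent failed attempts
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        net = network_of(e["ip"])
        recent = [t for t in failures.get(user, []) if ts - t <= FAILURE_WINDOW]
        if not e["success"]:
            failures[user] = recent + [ts]
            continue
        seen = known.setdefault(user, set())
        # The very first success for a user establishes the baseline; after
        # that, a success from a never-seen network is reported.
        if seen and net not in seen:
            alerts.append((user, e["ts"], f"success from new network {net}"))
        if len(recent) >= FAILURE_THRESHOLD:
            alerts.append((user, e["ts"], f"success after {len(recent)} recent failures"))
        seen.add(net)
        failures[user] = []
    return alerts


def notifications(events):
    """One line per attempt, successful or not, for the user to review and report."""
    out = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        status = "successful" if e["success"] else "FAILED"
        out.setdefault(e["user"], []).append(
            f"{e['ts']} {status} login attempt from {e['ip']}"
        )
    return out


if __name__ == "__main__":
    for alert in detect_unusual(EVENTS):
        print("ALERT", *alert)
    for user, lines in notifications(EVENTS).items():
        print(f"--- digest for {user}")
        print("\n".join(lines))
```

The two definitions of “unusual” are intentionally simple; what matters for the slide's argument is that each alert is tied to a specific login the user can confirm or deny, which is exactly what a blanket 150-day expiry cannot offer.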
22. The reception so far
• Very positive!
• Some confusion over maximum length allowed
• Despite adding new user accounts from IoE (approx 15,000), no increase in service desk calls for password resets observed.