

Ask HN: Do password reset policies really prevent security issues? - beams_of_light

Per the title, I'm curious if the security-minded folks amongst us feel that forced password resets (particularly on Windows hosts) make a real difference.  I understand it's not a philosophy that will change, as it's the stuff of baseline security, but am curious as to whether or not its value is perceived as high.
======
smt88
There was a widely-circulated study a few years ago that showed that those
policies result in _lower_ security.

The advantage of a forced reset is this: if your password has been stolen _but
not yet used_, then you're locking the thief out.

The disadvantage is this: the greater password strength that is required and
the more times someone has to come up with a new password, the more often
they'll take shortcuts. Those shortcuts result in easier brute-force or
heuristic attacks.

So if you look at the advantage, it's very small and potentially non-existent.
It's rare to steal a password from a high-value target and then sit on it,
especially for as long as a few months.

Looking at the disadvantage, it's actually very high, and it makes it easier
to steal passwords in the first place.

~~~
beams_of_light
I figured that might be the case. Would it help to have password reset
policies in the time frames of years, I wonder? A stolen password might be
used inconspicuously for some time. I'd prefer two-factor became more
ubiquitous.

