Skip to main content

Seminar:  Quantifying the Security Advantage of Password Expriation Policies

Date:May 11, 2015 
Talk Title:Quantifying the Security Advantage of Password Expriation Policies
Speaker:Paul C. van Oorschot, Professor at Carleton University
Time & Location:12:00pm - 1:00pm
DEC, CIC Building, Pittsburgh


Many enterprise security policies enforce "password aging", i.e., require that users change their passwords each fixed intervals such as 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified less.  We provide a detailed analysis pursuing the question "What security advantage is delivered by password expiration policies?".  We find that the benefits are far less than expected.   

Speaker Bio

Paul C. Van Oorschot is a Professor of Computer Science at Carleton University in Ottawa, where he is Canada Research Chair in Authentication and Computer Security. He is a Fellow of the Royal Society of Canada (FRSC), Canada's national academy. He is Program co-Char of NSPW 2014 and 2015, was Program Chair of USENIX Security 2008, Program co-Chair of NDSS 2001 and 2002, and co-author of the Handbook of Applied Cryptography (2001). He has served on the editorial boards of IEEE TDSC, IEEE TIFS, and ACM TISSEC, and as Scientific Director of NSERC ISSNet (2008-2013), a pan-Canadian strategic research network exploring computer and Internet security. His current research interests include authentication and identity management, security and usability, smartphone security, software security, and generally computer and Internet security.