3. Why password expiry?

Password expiry is a topic that typically evokes strong responses wherever it is discussed. There have been many internal debates at IT Services, it is a common subject raised at the IT Services Help Desk by users, and web searches show that the issue crops up all over the world in many different types of organisation. Despite the general acceptance of other password security measures, password expiry is typically viewed as necessary by those responsible for ensuring security, and inconvenient by users.

There are two processes that result in password expiry at Oxford. The first process uses manual password expiry to force a password change when it is suspected that a password has been exposed to someone other than the account owner. The second is the automated process of periodic password expiry.

While password expiry cannot reduce the occurrence of password compromise, it limits the window in which a compromised password can be abused to a specific time period.
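To make the two processes and the bounded abuse window concrete, here is a small added Python model of an account's password state; it is illustrative code written for this page, not IT Services' own system. The field names, the `max_age_days` parameter and the dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Account:
    """Minimal account record (assumed field names, not Oxford's real schema)."""
    username: str
    password_set_on: date
    # Set by the manual process when exposure to someone else is suspected.
    forced_expiry: bool = False


def mark_exposed(account: Account) -> None:
    """Manual expiry: flag the password so the next login forces a change."""
    account.forced_expiry = True


def periodic_expiry_due(account: Account, today: date, max_age_days: int) -> bool:
    """Automated periodic expiry: the password has reached its maximum age."""
    return today >= account.password_set_on + timedelta(days=max_age_days)


def password_change_required(account: Account, today: date, max_age_days: int) -> bool:
    """Either process on its own is enough to require a change."""
    return account.forced_expiry or periodic_expiry_due(account, today, max_age_days)


def abuse_window_days(account: Account, compromised_on: date, max_age_days: int) -> int:
    """Upper bound on the number of days a password compromised on
    `compromised_on` stays usable if nobody notices: periodic expiry
    alone caps it at the remaining lifetime of the password."""
    expires_on = account.password_set_on + timedelta(days=max_age_days)
    if compromised_on >= expires_on:
        return 0
    return (expires_on - compromised_on).days


if __name__ == "__main__":
    # Constructed sample data: a 90-day maximum age and two accounts.
    MAX_AGE = 90
    alice = Account("alice", date(2024, 1, 1))
    bob = Account("bob", date(2024, 1, 1))

    print(password_change_required(alice, date(2024, 3, 30), MAX_AGE))  # False
    print(password_change_required(alice, date(2024, 3, 31), MAX_AGE))  # True (periodic)

    mark_exposed(bob)  # suspected exposure, long before the periodic deadline
    print(password_change_required(bob, date(2024, 1, 2), MAX_AGE))  # True (manual)

    # A password stolen on 15 Feb is usable for at most 45 more days.
    print(abuse_window_days(alice, date(2024, 2, 15), MAX_AGE))  # 45
```

The point of `abuse_window_days` is the second process's guarantee: even when no one suspects a compromise, the periodic deadline still bounds how long a stolen password is worth anything, whereas the manual process closes the window immediately once exposure is suspected.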

This might seem strange when set against the backdrop of a huge number of everyday web sites/services that authenticate visitors but which do not implement password expiry. We are often asked to justify our policy in the light of what appears to be common practice – some of the most frequently presented arguments appear below.
