6. Why once a year?

The expiry period is a balance between short which (all else being equal) best satisfies the necessity of those providing an assurance of security, and long which is of least inconvenience to users.

Auditors seem to recommend 30-day, 60-day, or 90-day expiry for business systems (most Oxford SSO accounts can be used to access at least one business system such as the student records system, OxCORT, or GSS). We feel that this is towards the short end of common practice and is likely to introduce negative effects such as significant amounts of staff time used up in changing/resetting passwords, weaker passwords (eg. pattern-based, short, or simple), and increased writing down of passwords.

In our view, choosing an expiry period that roughly matches business cycles (in our case annual) quantitatively offers a sensible mid-point where improved assurance of security is realised without overburdening users with password management.

Up: Contents Previous: 5. Benefits of Password Expiry