October 27, 2015: Distinguished Speaker Seminar: Password Expiration Policies: Analyzing the Security Benefits

Prof. Paul Van Oorschot
 

Tuesday, October 27, 2015, 4:00 p.m.
Room EV002.260

Abstract

Many enterprise security policies enforce "password aging", i.e., require that users change their passwords each fixed intervals such as 90 days. The apparent justification is that this improves security. However, the implied security benefit has been little explored, and quantified less. We provide a detailed analysis pursuing the question "What security advantage is delivered by password expiration policies?"  We find that the benefits are far less than expected.

Biography

Paul C. Van Oorschot is a Professor of Computer Science at Carleton University in Ottawa, where he is Canada Research Chair in Authentication and Computer Security. He is a Fellow of the Royal Society of Canada (FRSC), Canada's national academy. He is Program co-Char of NSPW 2014 and 2015, was Program Chair of USENIX Security 2008, Program co-Chair of NDSS 2001 and 2002, and co-author of the Handbook of Applied Cryptography (2001). He has served on the editorial boards of IEEE TDSC, IEEE TIFS, and ACM TISSEC, and as Scientific Director of NSERC ISSNet (2008-2013), a pan-Canadian strategic research network exploring computer and Internet security. His current research interests include authentication and identity management, security and usability, smartphone security, software security, and generally computer and Internet security.