Eva Gerlitz, Fraunhofer FKIE; Maximilian Häring, University of Bonn; Matthew Smith, University of Bonn and Fraunhofer FKIE; Christian Tiefenau, University of Bonn
In 2020, the German Federal Office for Information Security (BSI) updated its password composition policy (PCP) guidelines for companies. One change was the removal of password expiry, a measure that researchers have been debating for at least 13 years. To analyze how the use of password expiry in companies evolved, we conducted a study that surveyed German companies three times: eight months (n = 52), two years (n = 63), and three years (n = 80) after the recommendations changed. We compared our results to data gathered shortly before the change in 2019. We recruited participants via the BSI newsletter and found that 45% of the participants said their companies still used password expiry in 2023. The two main arguments given were a) to increase security and b) that some stakeholders still required these regular changes. We discuss the stated reasons and offer suggestions for research and for guiding institutions.
@inproceedings{CITATION-KEY-PLACEHOLDER,
  author = {Eva Gerlitz and Maximilian H{\"a}ring and Matthew Smith and Christian Tiefenau},
  title = {Evolution of Password Expiry in Companies: Measuring the Adoption of Recommendations by the German Federal Office for Information Security},
  booktitle = {Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023)},
  year = {2023},
  isbn = {978-1-939133-36-6},
  address = {Anaheim, CA},
  pages = {191--210},
  url = {https://www.usenix.org/conference/soups2023/presentation/gerlitz-evolution},
  publisher = {USENIX Association},
  month = aug
}