Welcome to our Secure Development Tips blog

Every other week, we provide expert tech tips on how to build and deploy secure applications.  These best practices, derived from Security Innovation’s assessments of the worlds’ most dominant software applications,  are taken directly from our TeamMentor product, which includes more than 3,500 guidance assets and articles on secure software design, coding and testing.    

Recent Security Innovation Blog Post:

Subscribe by Email

Your email:

Secure Development Tips

a blog with tips relating to secure application development, from Security Innovation's eknowledge database, TeamMentor

Current Articles | RSS Feed RSS Feed

Force Password Renewal


What to Do

Force users to renew their passwords after a given period of time.


Forcing users to renew their passwords reduces the risk of valid credentials becoming exposed. While this technique can prevent attackers from obtaining the valid credentials through the use of a Brute Force Attack or a Dictionary Attack, it can also reduce the business risk associated with any instances of discovered or leaked valid credentials.


Your application should always force its users to change their passwords.


Use the following steps to force users to change their passwords:

  1. Define a password change policy. Establish a maximum password age for your application's users. For example, require that users must change passwords every 60 days and privileged users must change passwords every 30 days. PCI DSS requirements state that a user's password must be renewed at most every 90 days and that the new password cannot be the same as the previous four.
  2. Design a password change mechanism. Track the password age and prompt the user to change their password when the password expires. For example, the following SQL transaction will help the application to determine whether a user's password has expired:

select * from passHistory
where userid = {{username}} and
last_changed < (current_timestamp - interval '30' day);

  1. Enforce the password change policy. Embed the change of password mechanism into the authentication routine.
  2. (Optional) Check against previous hashed passwords to verify that passwords are not being repeated. One common password policy is to prevent users from using the same passwords repeatedly. To implement this, store the hashes of the previously used passwords and check the hashes of the new passwords against the stored ones.



Nice article and I don't disagree that this is a technique to use. However, there is debate between forcing password changes vs. using stronger passwords. Forcing change may discourage users from selecting a stronger password. Because of this, I looked for a PCI mandate for this 90 day change. It appears that section 8.5 only applies to non-consumer users. That does not seem clear here.
Posted @ Tuesday, April 02, 2013 8:15 PM by Jim R
Post Comment
Website (optional)

Allowed tags: <a> link, <b> bold, <i> italics